MC392299 – Reminder: Windows Distributed Component Object Model (DCOM) hardening changes as of June 14, 2022


Check before: 2022-06-29
Product: Windows
Platform: World tenant
Status:
Change type: Admin impact
Links:

Details:

Updated June 15: A correction has been made to the timeline dates.


As previously announced, security requirements have increased for Windows devices that use the Distributed Component Object Model (DCOM) or Remote Procedure Call (RPC) server technologies. Windows update releases starting June 2021 address a vulnerability in the DCOM remote protocol by progressively increasing security hardening in DCOM. Starting today, June 14, 2022, all DCOM clients attempting to establish connections to DCOM servers that have applied updates released June 14, 2022, or later, must either support an authentication level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher, or temporarily disable that enforcement by using the RequireIntegrityActivationAuthenticationLevel registry key on the DCOM server.

Note: We recommend that you update your devices to the latest security update available to take advantage of the advanced protections from the latest security threats.


When will this happen:


Refer to the timeline below to understand the progressive hardening coming to DCOM.
June 8, 2021 security update: Hardening changes are disabled by default but with the ability to enable them using a registry key.
June 14, 2022 security update: Hardening changes are enabled by default but with the ability to disable them using a registry key.
March 14, 2023 security update: Hardening changes are enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

Created: 2022-06-15
Updated: 2022-08-27



Changes*

Columns: Date, Property, old, new

2022-09-15, MC prepare:
During the timeline phases in which hardening changes can be enabled or disabled (prior to March 14, 2023), users can use the following registry key:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
Value Name: "RequireIntegrityActivationAuthenticationLevel"
Type: dword
Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled. You must enter Value Data in hexadecimal format.


Devices must be restarted after setting this registry key, for it to take effect.


Note: Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.


To help identify the applications that might have compatibility issues after we enable DCOM security hardening changes, we added new DCOM error events in the System log:


Event 10036 is logged on the DCOM server and contains the IP address of the DCOM client.
Events 10037 and 10038 are logged on the DCOM client, not the DCOM Server machine.


The system will log these events if it detects that a DCOM client application is trying to activate a DCOM server using an authentication level that is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. The client device can be traced from the server-side event log and the client-side event logs can be used to find the application.


If issues are encountered during testing, contact the vendor for the affected client or server software for an update or workaround, and see the DCOM errors supported by all Windows platforms.
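
The registry check and event review described above, as an added PowerShell example (not part of the Message Center post or any Microsoft tooling): it reads the RequireIntegrityActivationAuthenticationLevel value and summarizes events 10036, 10037 and 10038 from the System log. The 30-day window, the function names and the extraction of the client address from the event message with an IPv4 pattern are assumptions of this example.

```powershell
# Added example (not from the Message Center post). Read-only: it changes no settings.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningSetting {
    # Reports the DWORD using the meanings given in the post, or 'NotDefined'.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotDefined' }
    switch ([int]$item.$valueName) {
        0       { 'Disabled (0x00000000)' }
        1       { 'Enabled (0x00000001)' }
        default { 'Unexpected value: 0x{0:X8}' -f $_ }
    }
}

function Get-DcomHardeningEvent {
    param([int]$Days = 30)   # look-back window, an assumption of this example
    $filter = @{
        LogName   = 'System'
        Id        = 10036, 10037, 10038
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$events = @(Get-DcomHardeningEvent -Days 30)
"Registry setting: $(Get-DcomHardeningSetting)"
"Events found:     $($events.Count)"

# 10036 is logged on the DCOM server and contains the client's IP address.
# Pulling the address out of the message text with an IPv4 pattern is an
# assumption of this example; anything that does not match is kept as 'unparsed'.
$ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
$events | Where-Object Id -eq 10036 | ForEach-Object {
    $m = [regex]::Match($_.Message, $ipv4)
    [pscustomobject]@{
        Client = if ($m.Success) { $m.Value } else { 'unparsed' }
        Time   = $_.TimeCreated
    }
} | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }

# 10037 and 10038 are logged on the DCOM client; the message text is what
# identifies the application to raise with its vendor.
$events | Where-Object { $_.Id -in 10037, 10038 } |
    Select-Object TimeCreated, Id, MachineName, Message |
    Format-List
```

Run it on DCOM servers to list the client addresses behind event 10036, then on those clients to read the 10037 and 10038 messages.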


Additional Information:


It is important to ensure proper testing for this change. Please review the below documentation.
[MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol | Microsoft Docs
KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
CVE-2021-26414: Windows DCOM Server Security Feature Bypass
https://docs.microsoft.com/en-us/windows/win32/rpc/authentication-level-constants
https://docs.microsoft.com/openspecs/windows_protocols/ms-dcom/4a893f3d-bd29-48cd-9f43-d9777a4415b0
https://docs.microsoft.com/windows/win32/rpc/authentication-level-constants
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
https://support.microsoft.com/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

2022-08-27, MC prepare: the old and new values both carry the registry key, event and reference text given in the 2022-09-15 entry above.

2022-06-16, MC Messages: the third timeline entry was corrected from "March 14, 2022 security update" to "March 14, 2023 security update", and the line "Updated June 15: A correction has been made to the timeline dates." was added at the top of the message. The rest of the message is unchanged from the Details text above.

2022-06-16, MC Start Time: old 06/15/2022 01:36:25, new 2022-06-16T03:16:26Z
2022-06-16, MC Last Updated: old 06/15/2022 01:36:26, new 2022-06-16T03:16:27Z
2022-06-16, MC End Time: old 06/15/2023 01:36:25, new 2023-06-16T03:16:25Z

2022-06-16, MC prepare: the old and new values repeat the text of the 2022-09-15 entry above, with variations only in the reference URL list.

*starting April 2022

Last updated 2 months ago
