Windows DCOM hardening

IntroductionThe Distributed Component Object Model (DCOM) Remote Protocol is a protocol for exposing application objects by way of remote procedure calls (RPCs). The protocol consists of a set of extensions layered on Microsoft Remote Procedure Call Protocol Extensions as specified in . The DCOM Remote Protocol is also referred to as Object RPC or ORPC. As per Microsoft MC376180 announcement which appeared in the Microsoft 365 Admin Center, Windows devices which use the Distributed Component Object Model (DCOM) or Remote Procedure Call (RPC) server technologies will go under Windows DCOM hardening phases. Windows updates released starting September 2021 address a vulnerability in the DCOM remote protocol by progressively increasing security hardening in DCOM throughout 2022. Timeline of DCOM hardening updatesDCOM components are gradually being hardened by issued Windows Updates. Windows DCOM hardening is being carried out as per the below past and scheduled important deadlines.- June 8, 2021: Hardening changes disabled by default but with the ability to enable them using a registry key.- June 14, 2022: Hardening changes enabled by default but with the ability to disable them using a registry key.- March 14, 2023: Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.Recommended actions for Microsoft customersIT administrators managing Windows Server and Windows client OS infrastructures are strongly recommended to conduct testing by manually enabling the DCOM hardening changes as soon as possible to confirm normal operations. As per aforementioned Microsoft timeline and before March 14th 2023 the following registry key can be used to control the DCOM hardening state.- Path: HKEY_LOCAL_MACHINESOFTWAREMicrosoftOleAppCompat- Value Name: "RequireIntegrityActivationAuthenticationLevel"- Type: dword- Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled. You must enter Value Data in hexadecimal format.- Devices must be restarted after setting the above registry key. Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.To identify applications which might have compatibility issues after DCOM security hardening changes are enabled, new DCOM error events were added in the Windows System event log with Message IDs 10036, 10037 and 10038. If issues are encountered during DCOM security testing, administrators should contact the software vendor for the affected software to ask for an update or workaround.An example existing DCOM event in the System event log in Windows 10 is shown below. Referenceshttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/4a893f3d-bd29-48cd-9f43-d9777a4415b0https://docs.microsoft.com/en-us/openspecs/main/ms-openspeclp/3589baea-5b22-48f2-9d43-f5bea4960ddbhttps://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769chttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26414
https://stefanos.cloud/blog/windows-dcom-hardening/

Comments

Post a Comment

Popular posts from this blog

Acronis Cyber Protect 15 virtual machine backup not working when using shared mode virtual disks vhds

Image
Case When you apply and run an Acronis Cyber Protect backup against a virtual machine which is part of a guest cluster which makes use of virtual disk shared files of type .vhds (VHD Set), you run across the following error. Activity succeeded with warnings. Activity 'Preparing for backup of virtual machine' succeeded with the following warning 'Windows error: (0xC05CFF0A). The requested operation cannot be performed on the virtual disk as it is currently used in shared mode. Or the error may state something along the lines of: "Failed to open virtual disk file '.vhds'. Unknown format of the virtual disk." The same error as above can occur in virtual machine backup of virtual machines which include a .vdhx shared disk. Solution The above error is by design when you are attempting a virtual machine backup to virtual machine which does not have an Acronis backup agent installed, as per https://kb.acronis.com/content/68573 . According to Acronis, as of July 2
Read more

How to perform hardware health checks in Windows

Image
Case You need to perform an overall hardware health check in a Windows machine, running either a Windows client or a Windows Server operating system. This article provides guidance on the steps to carry out to perform hardware health checks in Windows. Solution Carry out the steps below. - Thoroughly check all Windows event logs (Application, System, Security) for any warnings or errors which may be related to issues you are experiencing with your Windows machine. - Check the device management mmc console by running devmgmt.msc. Ensure that you choose to show all hidden devices from the View menu. If you notice any exclamation marks next to any device, you will need to re-install its driver from the respective manufacturer to ensure that there afterwards no warnings in the device management console. - Check the health of all your disks , either HDD or SSD. Follow instructions in the following KB article for steps to follow to check your disk health: https://stefanos.cloud/kb/how-to-ch
Read more

How to resolve Group Policy error codes 8007071a and 800706ba

Image
Case You are running "Group Policy Update" on an OU inside the Group Policy Management Console in Active Directory but you are receiving RPC errors from your servers or domain-joined workstations, as shown in the example below. After a Group Policy Update, you come across Group Policy error codes 8007071a and 800706ba. This means that the local Windows Firewall is not configured properly to allow Group Policy (GPO) traffic. GPO traffic an be either remote GPO update or remote GP Resultant Set of Policy (RSOP) operations. Solution Option 1 Run gpedit.msc and create a new local group policy object which implements the following policies under Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Windows Defender Firewall --> Inbound Rules : The full configuration is shown below. After the above local group policies are configured on each domain server and workstation, you can start applying group policy objects to the dom
Read more