Summary
The Distributed Component Object Model (DCOM) Remote Protocol is a protocol for exposing application objects using remote procedure calls (RPCs). DCOM is used for communication between the software components of networked devices.
Hardening changes to DCOM were required to address CVE-2021-26414. We therefore recommend that you verify that client and server applications in your environment that use DCOM or RPC work as expected with the hardening changes enabled.
To address the vulnerability described in CVE-2021-26414, you must install updates released September 14, 2021 or later and enable the registry key described below in your environment. We recommend that you complete testing in your environment and enable these hardening changes as soon as possible. If you find issues during testing, you must contact the vendor of the affected client or server software for an update or workaround before early 2022.
Note We recommend that you update your devices to the latest security update available to take advantage of the advanced protections from the latest security threats.
Timeline
Update release | Behavior change |
---|---|
June 8, 2021 | Hardening changes disabled by default but with the ability to enable them using a registry key. |
June 14, 2022 | Hardening changes enabled by default but with the ability to disable them using a registry key. |
March 14, 2023 | Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment. |
Registry setting to enable or disable the hardening changes
During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:
- Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
- Value Name: “RequireIntegrityActivationAuthenticationLevel”
- Type: dword
- Value Data: 0x00000000 means disabled; 0x00000001 means enabled. If the value is not defined, the hardening changes are disabled by default on updates released before June 14, 2022 and enabled by default on the June 14, 2022 and later updates (see the timeline above).
Note You must enter Value Data in hexadecimal format.
Important You must restart your device after setting this registry key for it to take effect.
Note Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.
Note This registry value does not exist by default; you must create it. Windows will read it if it exists and will not overwrite it.
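The following PowerShell script is an added example, not part of the Microsoft article, that reads the RequireIntegrityActivationAuthenticationLevel value as described above, reports how Windows will interpret it (including the "not defined" case), and optionally sets it. The function names and the assumption of an elevated session on the DCOM server are this example's own.

```powershell
# Added example (not from the Microsoft article): inspect and set the
# RequireIntegrityActivationAuthenticationLevel value under Ole\AppCompat.
# Assumes an elevated PowerShell session on the DCOM server machine.
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # -ErrorAction SilentlyContinue covers both "key missing" and "value missing":
    # in either case $item is $null, which is the "not defined" state from the article.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'not defined (enabled by default on the June 14, 2022 or later updates, disabled by default before that)'
    }
    switch ($item.$valueName) {
        0       { 'disabled (0x00000000)' }
        1       { 'enabled (0x00000001)' }
        default { 'unexpected value 0x{0:X8}' -f $item.$valueName }
    }
}

function Set-DcomHardeningState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('enable', 'disable')]
        [string]$Action
    )
    # The AppCompat key may not exist on a fresh system; create it before writing the value.
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    $data = if ($Action -eq 'enable') { 1 } else { 0 }
    # REG_DWORD is what the article calls "Type: dword"; regedit shows it in hex (0x00000001).
    Set-ItemProperty -Path $regPath -Name $valueName -Type DWord -Value $data
    Write-Host "Set $valueName to $data. A restart is required before the change takes effect."
}

Write-Host "Current state: $(Get-DcomHardeningState)"
# To enable the hardening (and then reboot):
#   Set-DcomHardeningState -Action enable
#   Restart-Computer
```

Run it once before enabling to record the current state, and keep the `disable` path in mind only for the phase in which the timeline above still allows it; from March 14, 2023 the value is ignored and the hardening is always on.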
New DCOM error events
To help you identify the applications that might have compatibility issues once the DCOM security hardening changes are enabled, we added new DCOM error events in the System log; see the tables below. The system logs these events if it detects that a DCOM client application is trying to activate a DCOM server using an authentication level lower than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. Use the client IP address in the server-side event (10036) to trace the activation to the client device, and then use the client-side events (10037 and 10038) on that device to find the application and CLSID involved.
Server events
Event ID | Message |
---|---|
10036 | “The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.”(%1 – domain, %2 – user name, %3 – User SID, %4 – Client IP Address) |
Client events
Event ID | Message |
---|---|
10037 | “Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.” |
10038 | “Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.”(%1 – Application Path, %2 – Application PID, %3 – CLSID of the COM class the application is requesting to activate, %4 – Computer Name, %5 – Value of Authentication Level) |
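The following script is an added example, not part of the Microsoft article, that collects events 10036, 10037 and 10038 from the System log and summarises them the way the text above describes: on the server, which client addresses and principals are still activating below PKT_INTEGRITY; on a client, which application paths and CLSIDs need to go to the vendor. It assumes the events are written by the Microsoft-Windows-DistributedCOM provider and that each event's Properties array follows the %1..%5 placeholder order quoted in the tables; the parameter names and output layout are this example's own.

```powershell
# Added example (not from the Microsoft article): summarise DCOM hardening
# events 10036 (server side) and 10037/10038 (client side) from the System log.
# Assumptions: provider name Microsoft-Windows-DistributedCOM; Properties[] is in
# the %1..%5 order shown in the event tables above.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # server first, then each client it reports
    [datetime]$Since      = (Get-Date).AddDays(-7)
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = $Since
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No DCOM hardening events on $ComputerName since $Since."
    return
}

$rows = foreach ($e in $events) {
    $p = $e.Properties | ForEach-Object { $_.Value }
    switch ($e.Id) {
        10036 {
            # Server side: %1 domain, %2 user name, %3 user SID, %4 client IP address
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Side      = 'server'
                Principal = "$($p[0])\$($p[1])"
                Sid       = $p[2]
                Peer      = $p[3]          # the client address to chase next
                AppPath   = $null
                Clsid     = $null
                AuthLevel = $null
            }
        }
        { $_ -in 10037, 10038 } {
            # Client side: %1 app path, %2 PID, %3 CLSID, %4 target computer, %5 auth level
            # 10037 = level explicitly set by the app, 10038 = process default level
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Side      = 'client'
                Principal = $null
                Sid       = $null
                Peer      = $p[3]          # the DCOM server being activated
                AppPath   = "$($p[0]) (PID $($p[1]))"
                Clsid     = $p[2]
                AuthLevel = $p[4]          # anything below 5 trips the hardening
            }
        }
    }
}

# Server view: which client addresses are still activating below PKT_INTEGRITY.
$rows | Where-Object Side -eq 'server' |
    Group-Object Peer | Sort-Object Count -Descending |
    Select-Object @{n = 'ClientAddr'; e = { $_.Name }},
                  Count,
                  @{n = 'Principals'; e = { ($_.Group.Principal | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize

# Client view: which application/CLSID pairs need a vendor fix, with the level they used.
$rows | Where-Object Side -eq 'client' |
    Group-Object AppPath, Clsid, AuthLevel, EventId | Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Run it first against the DCOM server to get the ClientAddr list from the 10036 events, then against each listed client, where the 10037/10038 rows name the executable, PID and CLSID to report to the vendor. Remote collection requires the Windows Event Log service to be reachable over RPC on the target, which is the same dependency the article's hardening applies to.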
Availability
These error events are only available for a subset of Windows versions; see the table below.
Windows version | Available on or after these dates |
---|---|
Windows Server 2022 | September 27, 2021 (KB5005619) |
Windows 10, version 2004, Windows 10, version 20H2, Windows 10, version 21H1 | September 1, 2021 (KB5005101) |
Windows 10, version 1909 | August 26, 2021 (KB5005103) |
Windows Server 2019, Windows 10, version 1809 | August 26, 2021 (KB5005102) |
Windows Server 2016, Windows 10, version 1607 | September 14, 2021 (KB5005573) |
Windows Server 2012 R2 and Windows 8.1 | October 12, 2021 (KB5006714) |