
Windows DCOM hardening

Introduction

The Distributed Component Object Model (DCOM) Remote Protocol is a protocol for exposing application objects by way of remote procedure calls (RPCs). The protocol consists of a set of extensions layered on Microsoft Remote Procedure Call Protocol Extensions as specified in [MS-RPCE]. The DCOM Remote Protocol is also referred to as Object RPC or ORPC.

According to the Microsoft MC376180 message published in the Microsoft 365 Admin Center, Windows devices that use Distributed Component Object Model (DCOM) or Remote Procedure Call (RPC) server technologies are subject to phased DCOM hardening. Windows updates released from June 8, 2021 onwards address a security feature bypass vulnerability in the DCOM Remote Protocol (CVE-2021-26414) by progressively tightening DCOM security through 2022 and into 2023.

Timeline of DCOM hardening updates

DCOM components are being hardened gradually through Windows Update. The hardening follows the past and scheduled milestones below.

  • June 8, 2021: Hardening changes disabled by default but with the ability to enable them using a registry key.
  • June 14, 2022: Hardening changes enabled by default but with the ability to disable them using a registry key.
  • March 14, 2023: Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

Administrators of Windows Server and Windows client infrastructures are strongly advised to test as early as possible by manually enabling the DCOM hardening changes and confirming that their applications still operate normally. In line with the Microsoft timeline above, the following registry value controls the DCOM hardening state until March 14, 2023, after which it is ignored and hardening is always enforced.

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
  • Value Name: “RequireIntegrityActivationAuthenticationLevel”
  • Type: dword
  • Value Data: 0x00000000 means disabled, 0x00000001 means enabled. Value Data must be entered in hexadecimal. If the value is not defined, the behaviour follows the current phase: disabled by default before June 14, 2022, enabled by default from June 14, 2022.
  • Devices must be restarted after setting the registry value. With hardening enabled, DCOM servers enforce an authentication level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (level 5) or higher for activation requests and reject activations that arrive at a lower level.
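The following PowerShell script is an added example, not taken from Microsoft's KB article or the MC376180 message, for reading and setting the registry value described above from an elevated prompt. The registry path and value name are the ones quoted in the text; the function names and the -Reboot switch are this example's own.

```powershell
# Added example: read, enable or disable the DCOM hardening override.
# Run in an elevated PowerShell session (writing under HKLM requires admin).
# Assumptions: path and value name as quoted in the text; function names and
# the -Reboot switch are this example's own, not a Microsoft-provided tool.

$DcomAppCompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$DcomValueName    = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' for the local machine.
    # 'NotConfigured' means the phase default applies (disabled before
    # June 14, 2022; enabled from that date; always enforced after March 14, 2023).
    $item = Get-ItemProperty -Path $DcomAppCompatKey -Name $DcomValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$DcomValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-DcomHardeningState {
    param(
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State,
        [switch]$Reboot
    )
    if (-not (Test-Path $DcomAppCompatKey)) {
        # The AppCompat subkey does not exist on every build; create it if needed.
        New-Item -Path $DcomAppCompatKey -Force | Out-Null
    }
    $data = if ($State -eq 'Enabled') { 1 } else { 0 }
    # REG_DWORD: 0x00000001 = enforce PKT_INTEGRITY for activation, 0x00000000 = do not.
    New-ItemProperty -Path $DcomAppCompatKey -Name $DcomValueName `
        -PropertyType DWord -Value $data -Force | Out-Null
    Write-Host "DCOM hardening set to $State; the change takes effect after a restart."
    if ($Reboot) { Restart-Computer -Force }
}

# Usage: report the current state, then enable hardening for compatibility testing.
"Before: $(Get-DcomHardeningState)"
Set-DcomHardeningState -State Enabled
"After:  $(Get-DcomHardeningState)"
```

For fleet-wide testing the same value is normally pushed with a Group Policy registry preference rather than per-machine scripts; the script is useful for pilot machines and for verifying what a policy actually wrote. Setting the value to 0 only buys time until March 14, 2023, after which Windows ignores it.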

To identify applications that might have compatibility issues once the DCOM hardening changes are enabled, new DCOM error events were added to the Windows System event log with Event IDs 10036, 10037 and 10038. Event 10036 is logged on the DCOM server when it rejects an activation request that arrives below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY; events 10037 and 10038 are logged on the client when an application requests activation with an explicitly set (10037) or default (10038) authentication level that is too low. If issues are encountered during DCOM security testing, administrators should contact the vendor of the affected software for an update or workaround.
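As an added example of the triage step described above (not a script from Microsoft's KB article), the following PowerShell collects events 10036, 10037 and 10038 from the System log of one or more machines and summarises them so that the affected applications can be listed before the enforcement date. It assumes the provider name Microsoft-Windows-DistributedCOM, which is the source shown as "DistributedCOM" in Event Viewer; the function name and its -ComputerName and -Days parameters are this example's own.

```powershell
# Added example: find DCOM hardening compatibility events in the System log.
# Assumptions: provider name Microsoft-Windows-DistributedCOM; the function
# and its parameters are this example's own. Remote collection needs the
# Remote Event Log Management firewall rule and admin rights on the target.

function Get-DcomHardeningEvents {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches; that simply means no findings.
            if ($_.Exception.Message -match 'No events were found') { continue }
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # 10036 is raised by the DCOM server refusing an activation below
            # PKT_INTEGRITY; 10037 (explicit level) and 10038 (default level)
            # are raised on the client that made the request.
            $side = if ($e.Id -eq 10036) { 'Server' } else { 'Client' }
            [pscustomobject]@{
                Computer = $computer
                Time     = $e.TimeCreated
                Id       = $e.Id
                Side     = $side
                Message  = ($e.Message -replace '\s+', ' ')
            }
        }
    }
}

# Usage: one row per event, then a count per machine and event ID for triage.
$findings = Get-DcomHardeningEvents -Days 90
$findings | Format-Table Computer, Time, Id, Side -AutoSize
$findings | Group-Object Computer, Id | Select-Object Name, Count | Sort-Object Count -Descending
# The Message column names the user, source address (10036) or the
# application, PID and CLSID (10037/10038) that need a vendor fix.
```

Run it against both the DCOM servers and the client machines: a server-side 10036 tells you that something is being rejected, but only the client-side 10037/10038 events name the process and CLSID that must be fixed, and those are only written by machines that have received the June 2022 or later updates.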

An example of an existing DCOM event in the Windows 10 System event log is shown below.

References

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/4a893f3d-bd29-48cd-9f43-d9777a4415b0

https://docs.microsoft.com/en-us/openspecs/main/ms-openspeclp/3589baea-5b22-48f2-9d43-f5bea4960ddb

https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26414
