From: https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
DCOM client-side patch on November 8, 2022
This update will automatically raise authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY at a minimum. With this change, most Windows DCOM clients will automatically work with DCOM hardening changes on the server side without any further modification to the DCOM client. This update will be activated by default but can be deactivated by setting its registry key to 1. This patch is disabled by default for Windows 10, versions 1809 and 1607 and Windows Server 2016. To enable it, set the registry key value for RaiseActivationAuthenticationLevel to 2.
Also:
David_Zhu wrote:
November 8, 2022 | The November 8, 2022 update will automatically raise the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY if it is below Packet Integrity. With this change, most Windows DCOM client applications will automatically work with the DCOM hardening change on the server side without any modification to the DCOM client applications.
March 14, 2023 | The March 14, 2023 update will just make today's solution impossible to disable. This will further prevent any malicious actors from accessing your server and networked devices. The default enablement of DCOM authentication hardening culminates the story, and your environment remains safe.
From the above, I would assume that the automatic raising of the security level of DCOM activation requests (auto promotion) will be enabled after the application of the March 14 Windows patches on all updated Windows platforms, including Windows 2016. Between the two articles it is a little unclear and I don't like assumptions. The final statement above is definitive about the hardening changes, but does not really say anything about auto promotion and how the Windows versions where it is disabled by default are left.
As of today, Windows 2016 should require RaiseActivationAuthenticationLevel to be set to 2 for auto promotion to be enabled.
David_Zhu, come March, what will reality look like when the last patch in this series is applied?
- Will the registry key still be required for auto promotion to be enabled on Windows 2016?
- Will auto promotion be on by default for patched Windows versions including Windows 2016 and the registry key will be ignored?
- Will Windows 2016 not auto promote at all?
Thank you,
Warren.
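The check a practitioner would want before and after the March update is to read the RaiseActivationAuthenticationLevel value on a given host, decide from the OS build whether an absent value means "off" (the 1607/1809/Server 2016 case the KB excerpt describes) or "on", and look at the DCOM hardening events the client and server log. The script below is an added example written for this thread; it is not from the KB article or from either poster. It assumes the value lives under HKLM:\SOFTWARE\Microsoft\Ole\AppCompat as a DWORD with 1 = disabled and 2 = enabled (the excerpt above quotes only the value name and data), that builds 14393 (Windows 10 1607 and Windows Server 2016) and 17763 (Windows 10 1809, a build Windows Server 2019 shares) are the ones where it is off by default, and that the DCOM hardening updates log Event IDs 10036 (server-side denial) and 10037/10038 (client-side activation at a level below Packet Integrity) under the Microsoft-Windows-DistributedCOM provider in the System log. Run it in an elevated PowerShell session.

```powershell
# Added example for this thread; not code from the KB article or from the posters.
# Assumption: RaiseActivationAuthenticationLevel is a DWORD under the Ole\AppCompat
# key, 1 = disabled, 2 = enabled (from KB5004442; only the value name and data
# appear in the excerpt above).
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RaiseActivationAuthenticationLevel'

function Get-DcomClientAutoPromotionState {
    # Returns the state as 'Enabled', 'Disabled', 'NotSet' or 'Unknown(<data>)'.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ State = 'NotSet'; Data = $null }
    }
    $data  = [int]$item.$valueName
    $state = switch ($data) { 2 { 'Enabled' } 1 { 'Disabled' } default { "Unknown($data)" } }
    [pscustomobject]@{ State = $state; Data = $data }
}

function Enable-DcomClientAutoPromotion {
    # Sets the value to 2, which the KB excerpt gives as the "enabled" setting.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 2 -Force | Out-Null
}

# Assumption: builds 14393 (Windows 10 1607 / Windows Server 2016) and 17763
# (Windows 10 1809, shared by Windows Server 2019) are the builds on which the
# client-side change is off by default, so an absent value means "off" there
# and "on" (the default) elsewhere.
$build        = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$offByDefault = $build -in 14393, 17763

$state = Get-DcomClientAutoPromotionState
Write-Host "Build $build; $valueName = $($state.State)"
if ($state.State -eq 'NotSet') {
    if ($offByDefault) {
        Write-Host 'Value absent and this build is off by default: auto promotion is NOT active.'
        Write-Host 'Run Enable-DcomClientAutoPromotion (or set the DWORD to 2) to turn it on.'
    } else {
        Write-Host 'Value absent and this build is on by default: auto promotion is active.'
    }
}

# Evidence from the event log. Assumption: the DCOM hardening updates log
# Event ID 10036 on the server (activation denied by the server-side policy)
# and 10037/10038 on the client (activation requested below Packet Integrity),
# under the Microsoft-Windows-DistributedCOM provider in the System log.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run the script on a Windows Server 2016 host before and after applying the March update: if the value is still absent and the script reports "NOT active", the registry key is still required on that build; if 10036 events on a hardened server stop appearing for that client without the key being set, the client update is promoting activations on its own. Setting the value explicitly to 2 is harmless on builds where it is already the default, which is the safest position if the March behaviour turns out to differ per version.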