McIntoshA
From my experience, a process that you use as a client can still act as a DCOM server (it listens for incoming connections back from the server). In these cases, it will report 10036 errors if the connections are made with too low a connection security level for the new hardening requirements. The fact you are getting 10036 errors in the event log of your client machines would indicate this is the case.
A system patched up to the patch level from June 14, 2022 will apply hardening by default, but not auto promotion of connection requests, resulting in older applications that have not been updated in light of the DCOM hardening changes no longer working. The patches from November 8, 2022 make the OS auto promote the connection request from the client side of the DCOM connection, meaning that no code changes are required to meet the requirements of the DCOM hardening changes. That is why fully upgrading to supported versions stops the errors: the OS is fixing the connection security level that the software now needs to make, if you have any supported and well patched OS versions in your environment used for DCOM.
Your choices as I understand them are to:
- upgrade to supported OS versions (best long term from a security perspective)
- upgrade only the software or software configuration so that the connection requests are made in a manner that complies with DCOM hardening requirements. This may not be possible, depending on the software and the connections affected.
- if you have a mixed environment that includes OS versions that are no longer supported and patched, and you can't fix the software or its configuration, but these systems are involved in DCOM (which I think you have), patch up to the February 2023 level, and then disable the DCOM hardening changes using the documented registry key. Do not apply any further patches or you will break your system. After this point in time a fully patched system will no longer pay any attention to the registry key that is used to disable the hardening.
- if you have a completely legacy system with no supported OS versions, you would not be seeing any issues as the DCOM hardening changes are in the OS, but I have seen domain controllers be part of the issue where they are the only supported component, and the errors are reported there.
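An added example (not part of the post above) for inventorying which hosts and accounts are still connecting below the hardened level before choosing one of those options: it parses the 10036 events that the listening side logs, groups them by calling address and user, and reads (never writes) the compatibility registry value from Microsoft's DCOM hardening guidance. The message wording it matches and the registry path are assumptions based on that guidance; the sample message is constructed.

```powershell
# Added example, not from the original post. Summarises DCOM 10036 events on a machine whose
# processes listen as DCOM servers, so you can see which clients still activate below
# RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. Assumes the standard Microsoft-Windows-DistributedCOM text.

function ConvertFrom-Dcom10036Message {
    param([Parameter(Mandatory)][string]$Message)
    # Assumed message shape: "... does not allow the user DOMAIN\user SID (S-1-...)
    # from address 10.0.0.5 to activate DCOM server. Please raise ... PKT_INTEGRITY ..."
    if ($Message -match 'user (?<user>\S+) SID \((?<sid>S-[\d-]+)\) from address (?<addr>\S+) to activate') {
        return [pscustomobject]@{ User = $Matches.user; Sid = $Matches.sid; Address = $Matches.addr }
    }
    return $null   # not a 10036 message we understand; caller filters these out
}

function Get-Dcom10036Summary {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10036 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Dcom10036Message -Message $_.Message } |
        Where-Object { $_ } |
        Group-Object Address, User |
        Select-Object @{ n = 'Address'; e = { $_.Group[0].Address } },
                      @{ n = 'User';    e = { $_.Group[0].User } },
                      Count |
        Sort-Object Count -Descending
}

function Get-DcomHardeningOverride {
    # Read-only check of the KB5004442 compatibility value (assumed path/name).
    # Absent, or 1, means hardening is enforced; 0 means it has been disabled via the key.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' `
                          -Name 'RequireIntegrityActivationAuthenticationLevel' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not set (hardening enforced by default)' }
    return $p.RequireIntegrityActivationAuthenticationLevel
}

# Constructed sample message: exercises the parser without reading the event log.
$sample = 'The server-side authentication level policy does not allow the user CORP\svc_hmi ' +
          'SID (S-1-5-21-1-2-3-1105) from address 10.20.30.40 to activate DCOM server. Please raise ' +
          'the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.'
ConvertFrom-Dcom10036Message -Message $sample

# Live inventory on this host (run elevated on the machines logging 10036):
Get-Dcom10036Summary | Format-Table -AutoSize
Get-DcomHardeningOverride
```

Run it on each machine that logs 10036 rather than on the callers, since the error is recorded by the side doing the listening.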