My organization is struggling with a mixed environment situation following the March 2023 update. We have a Windows Server 2008 R2 Enterprise "client" server (i.e. Client Server A) attempting to communicate with a Windows Server 2012 R2 Standard server endpoint (i.e. Target Server B). The client code is a C# .NET Framework 4.8 application running as an IIS application/virtual directory on Client Server A, and is attempting to do remote IIS administration on Target Server B. This is being done via the https://learn.microsoft.com/en-us/dotnet/api/microsoft.web.administration.servermanager?view=iis-dotnet class and the OpenRemote() method.
After Target Server B (2012 R2) received the updated patch, it now records this message in the Windows System Event Logs:
10036 - The server-side authentication level policy does not allow the user <domain>\<user> SID (<SID>) from address <IPAddress> to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
While Client Server A (2008 R2) records this message in the Windows System Event Logs:
10009 - DCOM was unable to communicate with the computer <serverName> using any of the configured protocols.
We have set the system-wide Component Services Default Properties > Default Authentication Level on both Client Server A and Target Server B to be "Packet Integrity", while leaving Default Impersonation Level set to "Identity". Both servers have been rebooted, but we still receive the errors. I will further note that Target Server B still has the override setting for RequireIntegrityActivationAuthenticationLevel set to 0 from our previous 2021 workaround, if its presence has any impact. (Client Server A does not have this setting.)
In this configuration, would the communication from client to target be expected to work? Or is there some other application-level setting we can set for IIS to explicitly raise its authentication level? Ultimately, I'm trying to determine if a Windows Server 2008 R2 server should be expected to work at all, or if our only option is to perform an upgrade of the OS. While we can do that, I'm looking for confirmation that that is the proper/required course of action as this particular data center is scheduled to be decommissioned, but possibly not until late 2023 or early 2024. I just want to make sure there aren't other alternatives so that I can justify the approach and effort. Thank you!
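An added example, not part of the original post: one way to inventory which accounts and client addresses Target Server B is rejecting, by parsing the 10036 message text quoted above. The function name `ConvertFrom-Dcom10036Message` is hypothetical, and the account, SID and addresses in the sample messages are constructed.

```powershell
# Constructed sample messages in the shape of the 10036 text quoted in the post.
# On a live server the strings would instead come from the System log, e.g.:
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10036 } | ForEach-Object Message
$tail = 'to activate DCOM server. Please raise the activation authentication level ' +
        'at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.'
$head = 'The server-side authentication level policy does not allow the user'
$sampleMessages = @(
    "$head CONTOSO\svc-iisadmin SID (S-1-5-21-1111111111-2222222222-3333333333-1104) from address 192.0.2.10 $tail",
    "$head CONTOSO\svc-iisadmin SID (S-1-5-21-1111111111-2222222222-3333333333-1104) from address 192.0.2.10 $tail",
    "$head CONTOSO\deploy SID (S-1-5-21-1111111111-2222222222-3333333333-1177) from address 192.0.2.25 $tail",
    'An unrelated or localized message that does not follow the expected shape.'
)

function ConvertFrom-Dcom10036Message {
    # Hypothetical helper: extracts user, SID and client address from one 10036 message.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    begin {
        # Lazy match on the user so account names containing spaces still parse.
        $pattern = 'does not allow the user (?<User>.+?) SID \((?<Sid>S-[\d-]+)\) ' +
                   'from address (?<Address>\S+) to activate DCOM server'
    }
    process {
        if ($Message -match $pattern) {
            [pscustomobject]@{
                User    = $Matches.User
                Sid     = $Matches.Sid
                Address = $Matches.Address
            }
        } else {
            # Surface anything that did not parse instead of dropping it silently.
            Write-Warning "Unparsed message: $Message"
        }
    }
}

# One row per (client address, account) pair, most frequent first.
$sampleMessages |
    ConvertFrom-Dcom10036Message |
    Group-Object Address, User |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'Address'; Expression = { $_.Group[0].Address } },
        @{ Name = 'User';    Expression = { $_.Group[0].User } },
        @{ Name = 'Sid';     Expression = { $_.Group[0].Sid } }
```

Each row of the output identifies one client and account whose activation requests arrive below packet integrity, which is the list of callers that still need to be fixed or replaced.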