DCOM authentication hardening: what you need to know

jingalsbe 

KB5022353(Sec Only) and KB5022340(Monthly Quality Rollup) are Jan 2023 update for Windows Server 2008.

KB 5022352(Sec Only) and KB5022346(Monthly Quality Rollup) are Jan 2023 update for Windows Server 2012 R2.

If you can't get Jan 2023 update for Windows Server 2008, you'll need to upgrade to a platform that can receive Jan 2023 update.

David_Zhu Thanks for the quick response!

It looks like the server has only been receiving patches for:
- Windows Malicious Software Removal Tool x64
- Security Intelligence Update for Microsoft Endpoint Protection

For the Jan 2023 update for 2012 R2, I'm assuming that would specifically be KB5022353? And is Extended Security Update (ESU) support required to receive this patch (and pre-requisites)? The article says ESU was offered for 2020-2022, leaving 2023 a little vague. 🙂

Thanks again!

Jason

ShellBeCom 

The issue you described doesn't look like to be related to DCOM hardening change. DCOM hardening change only affects cross-computer COM communications, not local COM communications. Besides, you should see event 10036 on your DCOM server if DCOM hardening change rejects an activation request from clients.

jingalsbe 

Have you installed Jan 2023 update or later on your Windows Server 2008 R2 server? With Jan 2023 update, activation authentication level should be auto-elevated to packet integrity level too on Windows server 2008 R2 server.

My organization is struggling with a mixed environment situation following the March 2023 update. We have a Windows Server 2008 R2 Enterprise "client" server (i.e. Client Server A) attempting to communicate with a Windows Server 2012 R2 Standard server endpoint (i.e. Target Server B). The client code is a C# .NET Framework 4.8 application running as an IIS application/virtual directory on Client Server A, and is attempting to do remote IIS administration on Target Server B. This is being done via the Microsoft.Web.Administration.ServerManager class and the OpenRemote() method.

After Target Server B (2012 R2) received the updated patch, it now records this message in the Windows System Event Logs:
10036 - The server-side authentication level policy does not allow the user <domain>\<user> SID (<SID>) from address <IPAddress> to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

While Client Server A (2008 R2) records this message in the Windows System Event Logs:

10009 - DCOM was unable to communicate with the computer <serverName> using any of the configured protocols.

We have set the system-wide Component Services Default Properties > Default Authentication Level on both Client Server A and Target Server B to be "Packet Integrity", while leaving Default Impersonation Level set to "Identity". Both servers have been rebooted, but we still receive the errors. I will further note that Target Server B still has the override setting for RequireIntegrityActivationAuthenticationLevel set to 0 from our previous 2021 workaround, if its presence has any impact. (Client Server A does not have this setting.)

In this configuration, would the communication from client to target be expected to work? Or is there some other application-level setting we can set for IIS to explicitly raise its authentication level? Ultimately, I'm trying to determine if a Windows Server 2008 R2 server should be expected to work at all, or if our only option is to perform an upgrade of the OS. While we can do that, I'm looking for confirmation that that is the proper/required course of action as this particular data center is scheduled to be decommissioned, but possibly not until late 2023 or early 2024. I just want to make sure there aren't other alternatives so that I can justify the approach and effort. Thank you!

Thanks everyone for their help on this.  We found a great simple solution for this post hardening issue by simply updating our COM+ my computer level properties to the below on our app server and our transport server:

1. Go to Component Services -> Computers -> My Computer and right click on My Computer and select Properties.  
2. On the Default Properties tab, change the Default Authentication Level to “Packet Integrity” or “Packet Privacy” Whatever you choose must be the SAME on the client AND server computer. Generally users are setting this to Packet Integrity and that is our standard recommendation at this time.   We also left the default impersonation level to identify on both servers.  It did not affect other OS operations not affected by this KB so we will switch all servers to this.

If your OPC Client or Server have their own entries under the DCOM Config part of the Component Services tree, you will need to make the same change on the General Tab, Authentication Level.   

These changes at a MINIMUM will require you to restart your client and server applications, though we recommend a machine restart to ensure that the changes take effect. 

Hi David,
we are using the shell command below in a web application.
Dim wshell As WshShell = New WshShell
wshell.Run(shell_command)
After installing your security update on our webserver (MS Windows Server 2022), the event viewer shows the error below and our webapplication is broken.
---------------------------------------------------------------
Error: Event 10016, DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {xxx} and APPID {yyy} to the user IIS APPPOOL\DefaultAppPool SID (zzz) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
---------------------------------------------------------------
I have read all your related articles including the links below trying to solve these errors.
- (1) https://windowsreport.com/how-to-raise-dcom-authentication-level/
- (2) https://windowsreport.com/windows-10-error-distributedcom-10016/
- (3) https://www.wintips.org/fix-application-specific-permission-settings-do-not-grant-local-activation-permission-for-com-server-application/

Trying these workarounds in (3) looks like solving the error for a specific CLS ID and APP ID, but after rebooting the server, the same error is thrown
with different CLS ID and APP ID ... repeating the same actions a few times on different IDs finally results in some kind of loop in which the error
pops up again for the first warned CLS ID and APP ID... So I gave up on it, and uninstalled the security update again.

Please advice how to move on from here.
Thank you!

ZappBrannigan145 WarrenStanley As mentioned in the updated KB Article, there're two minor client-side updates after Nov update on some Windows platforms. To make thing simple, we recommend users to install Jan 2023 update. With Jan 2023 update installed, RaiseActivationAuthenticationLevel is no longer needed for Windows Server 2016 and Windows Server 2019. People can actually unintentionally turn off auto-promotion of authentication level if it is set to a wrong value, that's why the description of the registry key is removed from the KB Article. ZappBrannigan145 KB5023788 is not the March cumulative security update, it's the servicing stack update. KB5023697 is the March cumulative security update. I'm not sure how reverting KB5023788 works for you. Anyway, I recommend you install KB5022838 the Feb cumulative security update on your Windows server 2016 machines, and look for Distributed-COM error event 10036 in Event Viewer. The message in the event should tell you the client that is triggering the error event. Go to the client machine, check if Jan 2023 update is installed on the machine. If it is not, install the Jan 2023 update on the client machine, do your test, and check on the server again if event 10036 triggered by that client is gone. If you have out-of-service client machines in your environment that can't be patched, then those client machines won't be able to connect to server any more once March cumulative security update is installed on the server. You'll either need to upgrade to a Windows version that's still in support, or you'll need to raise the authentication level in your application itself.

@ZappBrannigan145 , KB5023788 is just the 14th of March 2023 update for Windows Server 2016.  If you were already up to date with all other patches, all it should have done in this DCOM context is disable the ability to turn off the hardening and promotion features via registry keys.  The two registry settings that are no longer used are defined or were defined in KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) - Microsoft Support (hardening, controlled using registry key RequireIntegrityActivationAuthenticationLevel) and (promotion, controlled using registry key RaiseActivationAuthenticationLevel).  The documentation for RequireIntegrityActivationAuthenticationLevel still exists, but there is no longer any mention of RaiseActivationAuthenticationLevel.  Google links the term to the page for KB5004442 above, and I am sure it used to list both.  The two registry keys were in the same location, being: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat

When you say you can't apply KB's, I assume that means you can't apply registry changes as the patch has obviously been applied and then removed.  From the behaviour, there must be a registry key involved.  Have you checked the registry for the presence of either key?  If RaiseActivationAuthenticationLevel is defined, it is likely doing more harm than good as it would be disabling the feature promotes activation requests automatically.

The general steps you need to take are scan your systems for the registry keys, check if you have any DCOM communication with a legacy system (one that can't be patched with the hardening and promotion changes).  Also inspect the event log for occurrences of the new events that are generated when requests are sent or received that do not comply with the new requirements.  They may help you to identify unexpected DCOM endpoints that you need to check for complete application of patching and/or state of registry keys.  In general, I would remove any definitions of RaiseActivationAuthenticationLevel.  If patching upto 8 November 2022 has been applied, promotion will be applied by default and to the best of my knowledge is harmless.  Changes to the registry key values require a reboot to be effective.  Also remove RaiseActivationAuthenticationLevel registry key.  If you are not allowed to apply KB, I assume this should not be set anywhere, but it seems to me that one of these two keys is set, or you have a mixed environment.  So when things are not working and patching as at least upto 8 November 2022 level, examine the event logs as described in KB5004442 and see if any of those systems are ones you have checked, then repeat on that system.  It is complex and interrelated, but if you are on patched modern OSs, and promotion is in effect, there should be no problems left, at least problems that I am aware of.

The application we utilize goes through DCOM, but I don't see any way to configure it within DCOM unfortunately.  It is an encryption security layer to put in front of a firewall for an IIS website solution.

We were going to try using IP address instead of servernames for our app server to transport server communications and see if that helps but it doesn't seem like it will have better luck.

Unfortunately we utilize an older 3rd party app so don't have a lot of flexibility within that app to get fixes.   

We have an Infosec team that does not allow KB's to be not applied to servers as it's seen as a security risk.  We reverted the server to remove KB5023788 which works for now but we are looking for a more permanent solution.  Are there specific details on what we would have to switch in the 3rd party application to have OS promoting the connection integrity level to required level?

Thanks,

Zapp

ZappBrannigan145 , if you provide some context, I can try to assist with some specific advice.

However, in general I have found this page we are commenting on now to be useful.  If you are running on a fully updated environment, your application does not need to make any changes and will continue to work because the requests will be promoted to the required level before they are sent, therefor they will not be rejected by the server which expects a higher level of connection integrity than used to be normal.  If you are running in a mixed environment (supported OS versions that have been patched up to current level and unsupported OS versions that no longer receive patches), then your options are to:

* get your software patched or reconfigured so that connections are made using the required connection integrity level,

* freeze your patch levels at the point before 14/Mar/2023 and disable the hardening via the registry, or

* update the environment your application is running on so it is not mixed.

What is possible for reconfiguration will depend on how the software was coded.  It may be configurable from dcomcnfg if you are lucky. The connection integrity level may also be hard coded in the application, in which case you don't have an easy option in a mixed environment, and it is not a guarantee that you can fix all problems.  For that you need to be running on supported environments, or in frozen or unsupported environments.

In my own personal case, our application uses a hard coded connection integrity level that is no longer high enough, but because the majority of deployments are on modern Windows versions, we don't actually have to do anything, the application is still working fine because the OS is promoting the connection integrity level to the now required level.  We do have one instance of a mixed environment, so it has been frozen pre-14/Mar/2023 as it is an offline environment and it is being updated/replaced as we speak, so it will not be an issue in the new system.