Microsoft detailed a security feature bypass vulnerability (CVE-2021-26414) in the Distributed Component Object Model (DCOM) in June 2021. Today Microsoft issued a reminder that the DCOM hardening changes will be enabled by default on Windows 10, Windows 11, and Windows Server next month.
According to Microsoft's published schedule, the DCOM hardening changes will be enabled by default on March 14, 2023 and can no longer be disabled by users.
iGeekphone, quoting Microsoft's official introduction:
The Distributed Component Object Model (DCOM) remote protocol is a protocol for exposing application objects using remote procedure calls (RPC). DCOM is used for communication between software components on networked devices. Addressing CVE-2021-26414 requires hardening changes in DCOM. It is therefore recommended that you verify that client and server applications in your environment that use DCOM or RPC work as expected with the hardening changes enabled.
The first phase of the DCOM update was released on June 8, 2021. In this update, DCOM hardening is disabled by default. You can enable it by modifying the registry, as described below in the "Registry settings to enable or disable hardening changes" section. The second phase of the DCOM update was released on June 14, 2022. It changed hardening to enabled by default, but retained the ability to disable the changes using registry key settings. The final phase of the DCOM update will be released in March 2023. It will leave DCOM hardening enabled and remove the ability to disable it.
We know that DCOM hardening changes can cause application compatibility issues in your environment. The latest security update, released in November 2022, includes the following features to make this migration easier to manage:
New DCOM error events: To help identify applications that may have compatibility issues after the DCOM security hardening changes are enabled, we have added new DCOM error events to the System log. See below for details on the release timeline and supported platforms.
Raised authentication level for all non-anonymous activation requests: To help reduce application compatibility issues, we automatically raise the authentication level for all non-anonymous activation requests from Windows-based DCOM clients to at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. With this change, most Windows-based DCOM client requests are accepted automatically once the DCOM hardening change is enabled on the server side, without any further modification of the DCOM client.
While we recommend that you install the latest security updates, we also want to provide you with more control if the latest security updates are not installed in your environment.
Enable DCOM hardening. If the June 14, 2022 or later update is not yet installed, you can set the RequireIntegrityActivationAuthenticationLevel registry key to 1 on all DCOM servers. This enables DCOM hardening in your environment.
Raise the authentication level. If the November 8, 2022 or later update is not yet installed, you can set the RaiseActivationAuthenticationLevel registry key to 2 on all Windows-based DCOM clients. This raises the authentication level for all non-anonymous activation requests from Windows-based DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
It is recommended that you complete testing in your environment and enable these hardening changes as soon as possible. If an issue is found during testing, contact the vendor of the affected client or server software for an update or workaround before the March 2023 update is released.
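The two registry steps above, plus the new DCOM error events, are the practical levers an administrator has before the March 2023 update makes hardening mandatory. The following PowerShell script is an added example (not Microsoft's code or part of the article): it reports the current value of the relevant key for a server or client role, optionally sets it to the target value the article gives (1 for RequireIntegrityActivationAuthenticationLevel on servers, 2 for RaiseActivationAuthenticationLevel on clients), and then lists recent DCOM hardening events from the System log so that incompatible applications can be found during testing. It assumes the values live under HKLM\SOFTWARE\Microsoft\Ole\AppCompat and that the events come from the Microsoft-Windows-DistributedCOM provider with IDs 10036, 10037 and 10038; those details come from Microsoft's KB5004442 rather than from this article, so verify them against the KB before relying on them.

```powershell
# Added example, not from the article or from Microsoft.
# Audits (and with -Apply, sets) the DCOM hardening registry value for one role,
# then pulls the DCOM hardening events written to the System log.
# Assumptions (from KB5004442, not from the article): key path below, provider
# name Microsoft-Windows-DistributedCOM, event IDs 10036 (server-side rejection)
# and 10037/10038 (client-side warnings). Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [ValidateSet('Server', 'Client')]
    [string]$Role = 'Server',
    [switch]$Apply,          # without -Apply the script only reports
    [int]$Days = 7           # how far back to search the System log
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'   # assumption: path from KB5004442

# Value name and target setting per role, as given in the article.
$Setting = switch ($Role) {
    'Server' { @{ Name = 'RequireIntegrityActivationAuthenticationLevel'; Target = 1 } }
    'Client' { @{ Name = 'RaiseActivationAuthenticationLevel';            Target = 2 } }
}

function Get-DcomHardeningState {
    param([string]$Path, [string]$Name, [int]$Target)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $shown = if ($null -eq $current) { 'not set (OS default for the installed update applies)' } else { $current }
    [pscustomobject]@{
        Role    = $Role
        Value   = $Name
        Current = $shown
        Target  = $Target
    }
}

function Set-DcomHardeningState {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # REG_DWORD, which is the type Microsoft documents for these values.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-DcomHardeningEvents {
    param([int]$Days)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'   # assumption: provider name from KB5004442
        Id           = 10036, 10037, 10038                  # assumption: event IDs from KB5004442
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

Get-DcomHardeningState -Path $KeyPath -Name $Setting.Name -Target $Setting.Target | Format-List

if ($Apply) {
    Set-DcomHardeningState -Path $KeyPath -Name $Setting.Name -Value $Setting.Target
    Write-Host "Set $($Setting.Name) = $($Setting.Target). Restart the device so DCOM reads the new value."
    Get-DcomHardeningState -Path $KeyPath -Name $Setting.Name -Target $Setting.Target | Format-List
}

$events = Get-DcomHardeningEvents -Days $Days
if ($events) {
    $events | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No DCOM hardening events (IDs 10036-10038) in the System log for the last $Days days."
}
```

Run `.\Audit-DcomHardening.ps1 -Role Server` on a DCOM server to see whether the key is set and which activation requests have been rejected, and `-Role Client -Apply` on a client that still has a pre-November 2022 update to force the raised activation authentication level. The event listing is the part worth automating across a fleet: the server-side events name the client machine and the application, which is exactly the information the article says you need to take to the software vendor before the March 2023 update removes the ability to disable hardening.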
Remarks: Installing the latest available security updates is strongly recommended. They provide enhanced protection against the latest security threats, as well as the features we have added to support the migration. For more information and context on DCOM hardening, see "DCOM Authentication Hardening: What to Know".
Update version and behavior change:

June 8, 2021: By default, hardening changes are disabled, but they can be enabled using registry keys.

June 14, 2022: Hardening changes are enabled by default, but they can be disabled using registry keys.

November 8, 2022: In response to your feedback, the November 8, 2022 update includes a patch for clients (devices, applications or services that act as DCOM clients). This patch automatically raises the authentication level for all non-anonymous activation requests to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. If you use a third-party Windows DCOM client application and rely on the software provider to raise the activation authentication level to support the DCOM hardening changes, this patch removes that dependency, because the activation authentication level is now raised automatically at the Windows OS level. This prevents DCOM servers with the hardening changes enabled from rejecting those activation requests.

March 14, 2023: Hardening changes are enabled by default and cannot be disabled. By this point, the hardening changes in your environment and any application compatibility issues must be addressed.