No ratings

Microsoft changes to Windows DCOM

Issue

Microsoft made changes to the Windows DCOM Server Security Feature effective 14 June 2022. If you have installed KB5004442, you will have these changes applied to your environment. Nintex completed testing with this feature and we could not find any issues to the K2 products relating to these changes. However, if you do see any of the following errors in the Event Viewer logs, and experience issues with the K2 product please reach out to support:

 

Server events

Event ID

Message

10036

"The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."

(%1 – domain, %2 – user name, %3 – User SID, %4 – Client IP Address)

Client events

Event ID

Message

10037

"Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor."

10038

"Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor."

(%1 – Application Path, %2 – Application PID, %3 – CLSID of the COM class the application is requesting to activate, %4 – Computer Name, %5 – Value of Authentication Level)

 

Workaround

If you encounter any of the above messages, follow these steps:

Registry setting to enable or disable the hardening changes

During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:

  • Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
  • Value Name: "RequireIntegrityActivationAuthenticationLevel"
  • Type: dword
  • Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled.

Important notes:

  • Value Data must be entered in hexadecimal format.
  • Restart your device after setting this registry key for it to take effect.
  • Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.

 

Related Links

For more information, please see KB5004442.

 

Labels: (1)
Version history
Last update:
a week ago
Updated by:
Contributors