DCOM being hardened

Forum for things that don't really have anything to do with hMailServer. Such as php.ini, beer, etc etc.
jimimaseye
Moderator
Posts: 9463
Joined: 2011-09-08 17:48

DCOM being hardened

Post by jimimaseye » 2022-05-11 13:43

Reminder: Windows Distributed Component Object Model (DCOM) Hardening changes coming June 14

As previously announced, security requirements will be increasing later this year for Windows devices which use the Distributed Component Object Model (DCOM) or Remote Procedure Call (RPC) server technologies. Windows updates released starting September 2021 address a vulnerability in the DCOM remote protocol by progressively increasing security hardening in DCOM throughout 2022. This is a second reminder that some server environments might require action before June 14, 2022, to ensure normal operations.

When will this happen:

Refer to the below timeline to understand the progressive hardening coming to DCOM.
• June 8, 2021: Hardening changes disabled by default but with the ability to enable them using a registry key.
• June 14, 2022: Hardening changes enabled by default but with the ability to disable them using a registry key.
• March 14, 2023: Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

How this will affect your organization:

We recommend that IT administrators conduct testing by manually enabling hardening changes as soon as possible to confirm normal operations. A summary of the steps can be found in the section below. Please also refer to the links in the Additional Information section for more thorough guidance.

What you need to do to prepare:

During the timeline phases in which hardening changes can be enabled or disabled (prior to March 14, 2023), users can use the following registry key:
• Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
• Value Name: "RequireIntegrityActivationAuthenticationLevel"
• Type: dword
• Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled. You must enter Value Data in hexadecimal format.

Devices must be restarted after setting this registry key, for it to take effect. Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.

To help identify applications that might have compatibility issues after DCOM security hardening changes are enabled, new DCOM error events were added in the System log, and can be found with Message IDs 10036, 10037 and 10038.

If issues are encountered during testing, contact the vendor for the affected client or server software for an update or workaround.

Additional Information:
It is important to ensure proper testing for this change. Please review the below documentation.
• [MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol | Microsoft Docs
• KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
• CVE-2021-26414: Windows DCOM Server Security Feature Bypass
How is this going to concern Hmailserver users (if at all)?
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Dravion
Senior user
Posts: 1775
Joined: 2015-09-26 11:50
Location: Germany

Re: DCOM being hardened

Post by Dravion » 2022-05-11 15:14

Looks like the default Authentication level for DCOM server activation startups is increased. This could affect situations where hMailServer is correctly installed but the Service is not started. Right now, the client (for example hMailAdmin) would trigger a hMailServer Service startup, and exactly this mechanism could cause some sort of 08000x forbidden error in the future.

But I fear this will not be the only thing we have to worry about.

palinka
Senior user
Posts: 3480
Joined: 2017-09-12 17:57

Re: DCOM being hardened

Post by palinka » 2022-05-11 15:50

jimimaseye wrote (2022-05-11 13:43):
How is this going to concern Hmailserver users (if at all)?

It's only going to affect Soren. He's literally the only one that uses DCOM regularly. :lol:

RvdH
Senior user
Posts: 2026
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: DCOM being hardened

Post by RvdH » 2022-05-11 16:52

To help identify applications that might have compatibility issues after DCOM security hardening changes are enabled, new DCOM error events were added in the System log, and can be found with Message IDs 10036, 10037 and 10038.
Monitor/check the event log for Message IDs 10036, 10037 and 10038. :lol:
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
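A script that puts the two practical pieces of this thread together, the AppCompat registry value quoted in jimimaseye's post and the event-ID check RvdH suggests, as an added example that is not from the thread, from hMailServer or from Microsoft. It assumes an elevated Windows PowerShell 5.1+ session on the host being tested; the `-EnableForTesting` switch and `-Days` parameter are my own names.

```powershell
<#
  Added example (not from the forum thread or from Microsoft): audit a Windows
  host for the DCOM hardening discussed above. Reports the AppCompat registry
  value, optionally sets it to 1 for testing, and summarises DCOM events
  10036/10037/10038 from the System log. Run from an elevated session.
#>
[CmdletBinding()]
param(
    [switch]$EnableForTesting,   # set the value to 1 (hardening on); restart afterwards
    [int]$Days = 7               # how far back to scan the System log
)

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

if ($EnableForTesting) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    # DWORD 1 = hardening enabled; the host must be restarted for it to apply.
    Set-ItemProperty -Path $regPath -Name $valueName -Value 1 -Type DWord
    Write-Host "Set $valueName=1; restart the host so DCOM enforces PKT_INTEGRITY for activation."
}

# 1. Report the current state. A missing value means disabled (the documented default).
$item  = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
$state = 'not defined (defaults to disabled)'
if ($null -ne $item) {
    $raw   = [int]$item.$valueName
    $state = switch ($raw) { 0 { 'disabled (0x00000000)' } 1 { 'enabled (0x00000001)' } default { 'unexpected 0x{0:X8}' -f $raw } }
}
Write-Host "DCOM hardening ($valueName): $state"

# 2. Collect the compatibility events. Only the log name and the three IDs come
#    from the announcement; no provider filter, so whatever the log records is shown.
$filter = @{ LogName = 'System'; Id = 10036, 10037, 10038; StartTime = (Get-Date).AddDays(-$Days) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No DCOM events 10036/10037/10038 in the last $Days day(s)."
    return
}

# Group by event ID so a noisy client/server pair stands out; the first line of
# the newest message is usually enough to identify the application involved.
$events | Group-Object Id | ForEach-Object {
    $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        EventId = $_.Name
        Count   = $_.Count
        Newest  = $newest.TimeCreated
        Message = ($newest.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize -Wrap
```

Running it with `-EnableForTesting`, rebooting, and then exercising hMailAdmin or any other COM client against hMailServer shows whether the activation path Dravion describes starts producing these events before the June 14 default flips.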
