Microsoft released updates under advisory KB5004442, commonly known as DCOM Hardening, to address the vulnerability described in CVE-2021-26414.
The updates were included in the Windows Updates rolled out to affected operating systems on June 8, 2021. At that stage the hardened behaviour was opt-in: after the update had been installed, it had to be enabled with the registry entry described in the KB.
Starting with the Windows Updates of June 14, 2022, the hardened settings are enabled by default, with the option to disable them with a registry entry (a system restart is required for the change to take effect). This increases the risk to operational uptime for on-air systems, which need to be appropriately prepared. Starting with the March 2023 updates, the DCOM hardening settings become mandatory on supported operating systems and can no longer be turned off.
What is DCOM?
DCOM, or Distributed COM, is a Microsoft technology built into the Windows operating system. It is not something you add or install separately: it is always present and is used by many Windows applications, including Brio Video Server and Dalet software, when they communicate with each other over network connections.
What Changes is Microsoft Making & Why?
This information is not a substitute for reading Microsoft's full KB5004442 advisory.
Microsoft is making this change to increase the security of DCOM and thus close the vulnerability described in CVE-2021-26414. The patches installed by Windows Update, as described in the KB5004442 advisory, raise the minimum required security settings for remote procedure calls (RPC), impacting any application that uses RPC for inter-machine communication. DCOM is built on RPC.
Specifically, the minimum DCOM "Authentication Level" accepted for activation requests is being raised, and the operating system enforces the higher level, overriding what is configured in the Windows Component Services settings.
This can be confusing because the system will behave differently from what you see in your DCOM configuration settings.
- DCOM servers, and thus Brio servers, will reject activation requests made with an authentication level of "None", "Connect", "Call" or "Packet".
- DCOM clients (Brio Remote Clients, Dalet Agents) must be configured to use an authentication level of "Packet Integrity" or "Packet Privacy".
- Alternatively, if a client is configured as "Default", the system Default Authentication Level (Component Services -> My Computer -> Properties) must be set to Packet Integrity or Packet Privacy, and should be the same level the target Brio Video Server/Dalet Server computer is using.
What changes should I make to be ready, or to mitigate the issues?
As the Brio/Dalet Galaxy server applications respect the Component Services default DCOM settings,
make the following changes on BOTH your Brio and Dalet servers. They set the DEFAULT DCOM authentication level to what advisory KB5004442 requires.
- Launch Component Services
- Go to Component Services -> Computers -> My Computer and right click on My Computer and select Properties.
- On the Default Properties tab, change the Default Authentication Level to "Packet Integrity" or "Packet Privacy". Whichever you choose must be the SAME on the Brio Server and on the Dalet Galaxy/Pyramid server computer. (Dalet's standard recommendation at this time is Packet Integrity.)
At a MINIMUM these changes require you to restart your Brio/Dalet server applications;
Dalet recommends a machine restart to ensure that the changes take effect.
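The same steps done without the GUI, as an added example that is not part of Dalet's documentation or Microsoft's advisory: the Component Services "Default Authentication Level" dropdown writes the LegacyAuthenticationLevel value under HKLM\SOFTWARE\Microsoft\Ole, so the script below sets and verifies that value, reads the KB5004442 hardening switch, and checks that a set of servers agree. The hostnames are placeholders, and the cross-server check assumes WinRM is enabled and the prompt is elevated.

```powershell
# Added example (not Dalet's or Microsoft's code). Performs the steps above by
# writing the registry value behind the Component Services dropdown, then checks
# that the Brio and Dalet servers use the same, sufficiently high level.
# Assumptions: $Servers are placeholder hostnames; Invoke-Command needs WinRM.

$OleKey       = 'HKLM:\SOFTWARE\Microsoft\Ole'
$AppCompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'

# RPC_C_AUTHN_LEVEL_* constants as stored in LegacyAuthenticationLevel
$AuthLevelName = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
    5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}
$MinimumLevel = 5   # Packet Integrity: activation below this is rejected under KB5004442

function Get-DcomDefaultAuthLevel {
    # When the value is absent the GUI shows "Connect" (2), which is what the OS uses
    $v = (Get-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel `
            -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    if ($null -eq $v) { return 2 }
    return [int]$v
}

function Set-DcomDefaultAuthLevel {
    param([Parameter(Mandatory)][ValidateSet(5, 6)][int]$Level)
    # Same effect as choosing Packet Integrity (5) or Packet Privacy (6) in the GUI.
    # The applications (preferably the machine) still have to be restarted afterwards.
    Set-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel -Value $Level -Type DWord
    Write-Host "Default Authentication Level set to $($AuthLevelName[$Level]); restart required."
}

function Get-DcomHardeningState {
    # RequireIntegrityActivationAuthenticationLevel is the switch from KB5004442:
    # 1 = hardening enabled, 0 = disabled (no longer honoured after the March 2023
    # updates), absent = OS default (enabled since the June 2022 updates).
    $v = (Get-ItemProperty -Path $AppCompatKey -Name RequireIntegrityActivationAuthenticationLevel `
            -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
    if ($null -eq $v) { return 'OS default' }
    if ($v -eq 1)     { return 'Explicitly enabled' }
    return 'Explicitly disabled'
}

function Test-DcomAuthLevelConsistent {
    # Reads the default level on every server; returns $true only when all of
    # them are at Packet Integrity or above AND use the same level.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name LegacyAuthenticationLevel `
                -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
        if ($null -eq $v) { 2 } else { [int]$v }
    }
    $ok = $true
    foreach ($r in $results) {
        $level = [int]$r    # the integer comes back with PSComputerName attached
        $name  = $AuthLevelName[$level]
        if ($level -lt $MinimumLevel) {
            Write-Warning "$($r.PSComputerName): $name ($level) is below Packet Integrity"
            $ok = $false
        } else {
            Write-Host "$($r.PSComputerName): $name ($level)"
        }
    }
    $distinct = @($results | ForEach-Object { [int]$_ } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning 'Servers do not use the same Default Authentication Level'
        $ok = $false
    }
    return $ok
}

# Placeholder hostnames (assumption): a Brio Video Server and a Dalet Galaxy server
$Servers = 'BRIO01', 'DALETGALAXY01'

Write-Host "Local hardening state: $(Get-DcomHardeningState)"
Write-Host "Local default level  : $($AuthLevelName[(Get-DcomDefaultAuthLevel)])"
if (-not (Test-DcomAuthLevelConsistent -ComputerName $Servers)) {
    Write-Host 'Run Set-DcomDefaultAuthLevel -Level 5 on each server, then reboot it.'
}
```

Running the check before and after the change on each server gives you a record that both sides agree, which is the condition the steps above insist on; the hardening-state read tells you whether a server is still in the opt-in, default-on or mandatory phase described at the top of this article.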
If the above has not been performed, or was performed incorrectly, you should expect to see the following new events in the Windows Event Log (System log, source DistributedCOM):
Server Side - Event 10036
"The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."
(%1 – domain, %2 – user name, %3 – User SID, %4 – Client IP Address)
Client Side - Event 10037
"Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor."
Client Side - Event 10038
"Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor."
(%1 – Application Path, %2 – Application PID, %3 – CLSID of the COM class the application is requesting to activate, %4 – Computer Name, %5 – Value of Authentication Level)
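A way to pull these three events from the System log and rank the clients and applications that still activate below Packet Integrity, added here as an example (not Dalet's or Microsoft's code). It assumes the event data fields appear in Properties in the same order as the %n placeholders listed above, and uses the Microsoft-Windows-DistributedCOM provider that writes these events.

```powershell
# Added example (not Dalet's or Microsoft's code). Collects events 10036-10038
# from the System log and summarises who is still being rejected.
# Assumption: placeholders %1..%5 map to Properties[0..4] in the order above.

$AuthLevelName = @{
    '1' = 'None'; '2' = 'Connect'; '3' = 'Call'; '4' = 'Packet'
    '5' = 'Packet Integrity'; '6' = 'Packet Privacy'
}

function Get-DcomHardeningEvent {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: "No events were found" is a good result, not an error
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $p = @($e.Properties | ForEach-Object { "$($_.Value)" })
        if ($e.Id -eq 10036) {
            # Server side: a remote client tried to activate a DCOM server here
            # with an authentication level below Packet Integrity
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Id          = $e.Id
                Side        = 'Server'
                Subject     = "$($p[0])\$($p[1])"   # domain\user
                Sid         = $p[2]
                Peer        = $p[3]                  # client IP address
                Application = $null
                Clsid       = $null
                Level       = $null
            }
        } else {
            # Client side: a local application is activating a CLSID on a remote
            # computer; 10037 = explicitly set level, 10038 = system default level
            $side = if ($e.Id -eq 10037) { 'Client (explicit level)' } else { 'Client (default level)' }
            $lvl  = $p[4]
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Id          = $e.Id
                Side        = $side
                Subject     = $null
                Sid         = $null
                Peer        = $p[3]                  # target computer name
                Application = "$($p[0]) (PID $($p[1]))"
                Clsid       = $p[2]
                Level       = "$lvl ($($AuthLevelName[$lvl]))"
            }
        }
    }
}

# Usage: list last week's events, then rank the offenders to fix first.
$found = Get-DcomHardeningEvent -Days 7
$found | Sort-Object Time |
    Format-Table Time, Id, Side, Subject, Peer, Application, Level -AutoSize
$found | Group-Object Side, Peer, Application |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A 10036 on a Brio server points you at the client machine (Peer) and account to fix; a 10037 on a client names an application with a hard-coded level, which only the vendor can change, whereas a 10038 is the case this article covers and goes away once the Default Authentication Level on that client is raised.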
You can also set the same Default Authentication Level on both servers via a Group Policy Object (GPO).
Comments
Hi KM team,
Could you please add the comment below?
---
You can set it via GPO:
Thanks,
Rémi Marchand, done