Active Roles 6.9 MMC Console DCOM Hardening - is there an update available?

Is there an update or patch available for the ARS MMC console that overcomes the DCOM hardening Microsoft updates? We have a legacy setup as well as a 7.x setup where the MMC console works fine, so just trying to keep the 6.9 environment running for a while longer.

Thanks

  • ActiveRoles Server 6.9 has been End of Life for many years. It is not recommended in any production environment. It was not tested with any modern Microsoft technologies and is not expected to work with any of them. There are no hotfixes available for ActiveRoles Server 6.9 to address any of the Microsoft changes made since that version reached End of Life status.

  • Thank you for such a comprehensive reply. That answers my question.

  • If you are experiencing this issue with your v6.9 environment, you can override the changes to DCOM temporarily until they are no longer optional on March 14, 2023. So you can limp along a little longer on v6.9. I tested this and it worked for us.

    Managing changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

     

    FAQ

    According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

    This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.

    Do I need to take further steps to be protected from this vulnerability?

    Yes. The security updates released on June 8, 2021 enable RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM clients by default and provide full protection after manually setting RequireIntegrityActivationAuthenticationLevel = 1 on DCOM servers using the steps in Managing changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414). Note that a reboot is required after making any changes to the RequireIntegrityActivationAuthenticationLevel registry key. Microsoft recommends enabling full protection as soon as possible to identify any OS and application interoperability issues between Windows and non-Windows operating systems and applications.

    With the June 14, 2022 security updates, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY on DCOM servers is now enabled by default. Customers who need to do so can still disable it by using the RequireIntegrityActivationAuthenticationLevel registry key.

    If I install the updates and take no further action, what will be the impact?

    Installing the security updates released on June 8, 2021 enables client-side protections in a pure Windows environment but does not provide any protection in environments with non-Windows DCOM clients. Organizations will need to identify and mitigate any interop issues between Windows and non-Windows operating systems and applications before the third phase, when the hardening on DCOM servers is enabled by default and will no longer have the ability to be disabled.

    Installing the security updates released on June 14, 2022 enables the registry key by default so that DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.

    How does Microsoft plan to address this vulnerability?

    Microsoft is addressing this vulnerability in a phased rollout. The initial deployment phase starts with the Windows updates released on June 8, 2021. The updates will enable customers to verify that any client/server applications in their environment work as expected with the hardening changes enabled.

    The second phase, planned for June 14, 2022, programmatically enables the hardening on DCOM servers by default that can be disabled via the RequireIntegrityActivationAuthenticationLevel registry key if necessary.

    The third phase, planned for March 14, 2023, enables the hardening on DCOM servers by default and will no longer have the ability to be disabled. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

    Are there system events available that will help me identify the client devices that will be impacted by the change?

    Yes. See the New DCOM error events section of Managing changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414). While the first security updates to address this vulnerability were released in June 2021, we recommend that you install the updates released in September 2021 to enable DCOM event logs that were added with those updates.
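
The three-phase rollout in the FAQ quoted above can be turned into an audit over a host inventory. The following is an added example, not part of the thread or of any Microsoft or One Identity tooling. The host names, patch dates and CSV layout are constructed, and it assumes that hosts without the June 8, 2021 updates ignore the registry value.

```python
import csv
import io
from datetime import date

# Phase dates as given in the FAQ quoted above.
PHASE1 = date(2021, 6, 8)    # server hardening is opt-in (value = 1)
PHASE2 = date(2022, 6, 14)   # on by default, opt-out still possible (value = 0)
PHASE3 = date(2023, 3, 14)   # on, registry value no longer honoured

def server_state(patch_level, reg_value):
    """Classify DCOM server-side hardening for one host.

    patch_level: release date of the newest installed security update.
    reg_value:   RequireIntegrityActivationAuthenticationLevel (0, 1, or None if unset).
    """
    if patch_level < PHASE1:
        # Assumption: without the June 2021 updates the value has no effect.
        return "unpatched"
    if patch_level < PHASE2:
        return "enforced" if reg_value == 1 else "not-enforced"
    if patch_level < PHASE3:
        return "override-active" if reg_value == 0 else "enforced"
    # Phase 3: a leftover 0 is ignored, so legacy DCOM clients fail here.
    return "enforced-stale-override" if reg_value == 0 else "enforced"

# Constructed inventory (hypothetical hosts), e.g. exported from a CMDB.
INVENTORY = """host,patch_level,reg_value
ars69-admin,2022-11-08,0
ars7-admin,2022-11-08,
file01,2021-09-14,
file02,2021-09-14,1
dc01,2023-03-14,0
old-app,2021-05-11,1
"""

def audit(csv_text):
    """Return {host: state} for every row of the inventory."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = int(row["reg_value"]) if row["reg_value"] else None
        result[row["host"]] = server_state(date.fromisoformat(row["patch_level"]), value)
    return result

def needs_attention(csv_text):
    """Hosts that are not enforcing, or whose opt-out is or will be ignored."""
    flagged = ("unpatched", "not-enforced", "override-active", "enforced-stale-override")
    return sorted(h for h, s in audit(csv_text).items() if s in flagged)

if __name__ == "__main__":
    for host, state in audit(INVENTORY).items():
        print(f"{host:12} {state}")
```

Hosts reported as `override-active` are the ones in the situation described in the thread: they keep working only until an update at the March 14, 2023 level is installed.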