Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
dasfliege
Service Provider
Posts: 322
Liked: 69 times
Joined: Nov 17, 2014 1:48 pm
Full Name: Florin
Location: Switzerland
Contact:

DCOM hardening on Windows Server June CU

Post by dasfliege »

We're scanning all our servers to see if they are ready to be upgraded with the June cumulative update for Windows Server, as this CU contains a "fix" for a DCOM-related vulnerability described here: https://support.microsoft.com/en-us/top ... ed901c769c

What we've found is that servers that are backed up by Veeam Agent raise the following DCOM warning:
"The server-side authentication level policy does not allow the user domain\veeam-backup SID (S-1-5-21-2778164257-2245742617-1178902439-1604) from address x.x.x.x to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."

Is Veeam aware that installing this CU could lead to problems? Is there anything we need to do prior to installing the CU?

Re: DCOM hardening on Windows Server June CU

Post by dasfliege » 1 person likes this post

Case #02680592
johan.h
Veeam Software
Posts: 746
Liked: 206 times
Joined: Jun 05, 2013 9:45 am
Full Name: Johan Huttenga
Contact:

Re: DCOM hardening on Windows Server June CU

Post by johan.h »

This has to do with RPC communication. This update forces a specific Authentication Level. This is a staged change by Microsoft. You can bypass this by changing the RequireIntegrityActivationAuthenticationLevel key.

I believe this will be addressed in line with VBR v12.
kevlahau
Influencer
Posts: 20
Liked: 7 times
Joined: Apr 02, 2020 12:59 am
Full Name: Kevin Woolard
Contact:

Re: DCOM hardening on Windows Server June CU

Post by kevlahau »

And this key would be under which hive?
Origin 2000
Service Provider
Posts: 102
Liked: 25 times
Joined: Sep 24, 2020 2:14 pm
Contact:

Re: DCOM hardening on Windows Server June CU

Post by Origin 2000 » 2 people like this post

It's HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat as described in the MS KB.
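
An added example, not part of any post in this thread and not Veeam's or Microsoft's tooling: a PowerShell audit that reports whether the RequireIntegrityActivationAuthenticationLevel value is defined under the key named above and groups the DCOM warning quoted in the first post by client address and account. The function names and sample messages are constructed for illustration; Microsoft-Windows-DistributedCOM is the event provider that writes these warnings to the System log.

```powershell
# Added example: registry path and value name are the ones named in this thread.
param([switch]$Live)   # -Live reads the local System log instead of the sample

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$ValueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningOverride {
    # Returns the configured value, or $null when the value is not defined.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function ConvertFrom-DcomWarning {
    param([Parameter(Mandatory)][string]$Message)
    # Pattern follows the warning text quoted in the first post.
    $pattern = 'does not allow the user (?<User>.+?) SID \((?<Sid>S-[\d-]+)\) ' +
               'from address (?<Address>\S+) to activate DCOM server'
    if ($Message -match $pattern) {
        [pscustomobject]@{ User = $Matches.User; Sid = $Matches.Sid; Address = $Matches.Address }
    }
}

function Get-DcomWarningSummary {
    param([string[]]$Messages)
    # One row per client address and account, busiest first.
    $Messages | Where-Object { $_ } |
        ForEach-Object { ConvertFrom-DcomWarning -Message $_ } |
        Group-Object -Property Address, User |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Constructed sample messages: made-up accounts, SIDs and documentation-range addresses.
$tail = 'to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.'
$messages = @(
    "The server-side authentication level policy does not allow the user EXAMPLE\svc-backup SID (S-1-5-21-1111111111-2222222222-3333333333-1104) from address 192.0.2.10 $tail"
    "The server-side authentication level policy does not allow the user EXAMPLE\svc-backup SID (S-1-5-21-1111111111-2222222222-3333333333-1104) from address 192.0.2.10 $tail"
    "The server-side authentication level policy does not allow the user EXAMPLE\svc-monitor SID (S-1-5-21-1111111111-2222222222-3333333333-1105) from address 192.0.2.22 $tail"
)
if ($Live) {
    $messages = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM' } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*RPC_C_AUTHN_LEVEL_PKT_INTEGRITY*' } |
        ForEach-Object { $_.Message }
}

$override = Get-DcomHardeningOverride
if ($null -eq $override) { "$ValueName is not defined" } else { "$ValueName = $override" }
Get-DcomWarningSummary -Messages $messages
```

Each row of the summary identifies a client address and account whose DCOM activation requests are below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, which is the list of machines to patch before relying on the hardening.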
KoflerTx
Influencer
Posts: 13
Liked: 2 times
Joined: Nov 22, 2016 12:51 pm
Full Name: Thomas K
Contact:

Re: DCOM hardening on Windows Server June CU

Post by KoflerTx » 1 person likes this post

Why does it take Veeam so long to fix it? The change was announced by Microsoft a year ago, now it went live, but with a workaround available.
No word from Veeam about it and customers running against the wall?

Re: DCOM hardening on Windows Server June CU

Post by dasfliege »

This is what I got from Veeam support. So there seems to be no impact on backups even when the hardening is enabled.
But as the workaround will only be functional until March 23 and because it isn't that nice to have those false-positive events logged, I asked them to keep working on that "problem" and fix it. If Johan can confirm that it is on track for v12, then that may be well on time.

I've spoken to my colleagues and during their testing they haven't seen any issues happening with the backups. While the event still shows up in Event Viewer, there seem to be no functional issues due to it. In addition, we haven't seen any issues being reported by other customers who have gone through with the update.

As far as we can see, the update doesn't seem to be causing issues with agent backups so it should be fairly safe to go through with it on any agent machines. If you run into any issues, you can also use the registry key provided in the KB in order to disable DCOM Hardening:
ktsaved
Novice
Posts: 3
Liked: never
Joined: Nov 24, 2017 4:08 pm
Full Name: Ken Truman
Contact:

Re: DCOM hardening on Windows Server June CU - causing issues

Post by ktsaved »

Upgraded the server Veeam is installed on to 2019 Std from 2012R2.
Immediately after this got errors that Veeam could not access the hosts to back up the VMs on them.

Applied the registry fix listed to the host with VMs to be backed up, rebooted the host, then access was restored.

The hosts are 2012R2. No events were raised in Event Viewer.

Veeam, will you be applying a solution for this, as this registry change has no effect after March 2023?
Dima P.
Product Manager
Posts: 14945
Liked: 1833 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: DCOM hardening on Windows Server June CU

Post by Dima P. »

Ken,

Can you please raise a support case and share the case ID with us?
"Immediately after this got errors that Veeam could not access the hosts to back up the VMs on them."
Can you please also share the error text you got? Thank you in advance!
_james
Enthusiast
Posts: 34
Liked: 6 times
Joined: Nov 15, 2018 3:51 pm
Contact:

Re: DCOM hardening on Windows Server June CU

Post by _james »

Is there any news on when a patch from Veeam could be expected?

For us Veeam One is no longer able to connect to Veeam VM; unfortunately for security reasons we cannot make a registry key change.
HannesK
Product Manager
Posts: 15598
Liked: 3445 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: DCOM hardening on Windows Server June CU

Post by HannesK » 1 person likes this post

Hello,
https://www.veeam.com/kb4376 - the software is already compatible. If you see problems, then it is caused by Windows.

Best regards,
Hannes

Re: DCOM hardening on Windows Server June CU

Post by _james » 1 person likes this post

Hello Hannes, thank you for the swift reply. You are correct, after updating our systems all Veeam components are able to communicate with each other again.
masonit
Service Provider
Posts: 327
Liked: 23 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Maso
Contact:

Re: DCOM hardening on Windows Server June CU

Post by masonit »

Hi!

Ran into this issue (https://www.veeam.com/kb4376) when trying to add a new Hyper-V to one of our VBR. The Hyper-V server has the latest available updates (June 14, 2022 Hardening changes are enabled by default but with the ability to disable them using a registry key) with hardening enabled. I know there is a workaround but that is not an option. If we would update VBR to the same version then it should work fine to add this Hyper-V host. But could other things in the VBR environment stop working then? Let's say that the VBR is updated but the proxy servers are not. What happens then? Or is it only communication to Hyper-V that is affected?

Our Hyper-V backup jobs are using "On-host backup" as proxy so that should be fine. But the repository is on a Windows server. Does that Windows server also need this update? I understand that it is best to just update all Windows servers. But I try to understand what could happen if some are updated and some are not updated in the VBR environment.

\Maso

Re: DCOM hardening on Windows Server June CU

Post by HannesK »

Hello,
"I understand that it is best to just update all Windows servers"
Great 👍 Please install the security updates on all involved components. We don't test all possible bad practice combinations ;-)

Best regards,
Hannes