Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
dasfliege
Service Provider
Location: Switzerland

DCOM hardening on Windows Server June CU

Post by dasfliege »

We're scanning all our servers to see if they are ready to be upgraded with the June cumulative update for Windows Server, as this CU contains a "fix" for a DCOM-related vulnerability described here: https://support.microsoft.com/en-us/top ... ed901c769c

What we've found is that servers that are backed up by Veeam Agent raise the following DCOM warning:
"The server-side authentication level policy does not allow the user domain\veeam-backup SID (S-1-5-21-2778164257-2245742617-1178902439-1604) from address x.x.x.x to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."

Is Veeam aware that installing this CU could lead to problems? Is there anything we need to do prior to installing the CU?


Re: DCOM hardening on Windows Server June CU

Post by dasfliege » 1 person likes this post

Case #02680592

johan.h
Veeam Software
Full Name: Johan Huttenga

Re: DCOM hardening on Windows Server June CU

Post by johan.h »

This has to do with RPC communication. This update forces a specific Authentication Level. This is a staged change by Microsoft. You can bypass this by changing the RequireIntegrityActivationAuthenticationLevel key.

I believe this will be addressed in line with VBR v12.

kevlahau
Novice
Full Name: Kevin Woolard

Re: DCOM hardening on Windows Server June CU

Post by kevlahau »

And this key would be under which hive?

Origin 2000
Service Provider

Re: DCOM hardening on Windows Server June CU

Post by Origin 2000 » 2 people like this post

It's HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat as described in the MS KB.
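
Added example, not part of any post in this thread and not Veeam's or Microsoft's code: a PowerShell readiness report for one server that shows the current RequireIntegrityActivationAuthenticationLevel override and lists which accounts and source addresses trigger the warning quoted in the first post. It assumes an elevated session, English event message text, and event ID 10036, which comes from Microsoft's KB for this change rather than from the thread.

```powershell
# Added example: DCOM hardening readiness report for the local server.
# Assumptions: elevated session, English message text, event ID 10036
# (taken from Microsoft's KB for this change, not from the thread).
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

# 1. Read the override if it exists. When the value is absent, the default
#    of the installed cumulative update applies.
$prop     = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
$override = if ($null -eq $prop) { 'not set' } else { $prop.$valueName }

# 2. Collect the server-side DCOM warnings from the System log.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10036 }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 3. Extract account, SID and source address from the message text.
$pattern = 'allow the user (?<user>.+?) SID \((?<sid>S-[\d-]+)\) from address (?<addr>\S+) to activate'
$clients = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            User    = $Matches['user']
            Sid     = $Matches['sid']
            Address = $Matches['addr']
            Time    = $e.TimeCreated
        }
    }
}

# 4. Report: one row per distinct account and address, most frequent first.
'{0}: {1} = {2}' -f $env:COMPUTERNAME, $valueName, $override
'{0} matching DCOM warning event(s) in the System log' -f $events.Count
$clients |
    Group-Object User, Address |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

Each row identifies a DCOM client that still activates below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, which is the list to clear before the registry override stops being honoured.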

KoflerTx
Novice
Full Name: Thomas K

Re: DCOM hardening on Windows Server June CU

Post by KoflerTx » 1 person likes this post

Why does it take Veeam so long to fix it? The change was announced by Microsoft a year ago, now it went live, but with a workaround available.
No word from Veeam about it and customers running against the wall?


Re: DCOM hardening on Windows Server June CU

Post by dasfliege »

This is what I got from Veeam support. So there seems to be no impact on backups even when the hardening is enabled.
But as the workaround will only be functional until March 23 and because it isn't that nice to have those false-positive events logged, I asked them to keep working on that "problem" and fix it. If Johan can confirm that it is on track for v12, then that may be well on time.

I've spoken to my colleagues and during their testing they haven't seen any issues happening with the backups. While the event still shows up in Event Viewer, there seem to be no functional issues due to it. In addition, we haven't seen any issues being reported by other customers who have gone through with the update.

As far as we can see, the update doesn't seem to be causing issues with agent backups so it should be fairly safe to go through with it on any agent machines. If you run into any issues, you can also use the registry key provided in the KB in order to disable DCOM Hardening:

ktsaved
Novice
Full Name: Ken Truman

Re: DCOM hardening on Windows Server June CU - causing issues

Post by ktsaved »

Upgraded the server Veeam is installed on to 2019 Std from 2012R2.
Immediately after this got errors that Veeam could not access the hosts to backup the VMs on them.

Applied the registry fix listed to the host with VMs to be backed up, rebooted the host then access was restored.

The hosts are 2012R2. No events were raised in Event Viewer.

Veeam, will you be applying a solution for this, as this registry change has no effect after March 2023?

Dima P.
Product Manager
Full Name: Dmitry Popov
Location: Prague

Re: DCOM hardening on Windows Server June CU

Post by Dima P. »

Ken,

Can you please raise a support case and share the case ID with us?
"Immediately after this got errors that Veeam could not access the hosts to backup the VMs on them."
Can you please also share the error text you got? Thank you in advance!
