Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
dasfliege
Service Provider
Posts: 183
Liked: 42 times
Joined: Nov 17, 2014 1:48 pm
Location: Switzerland

DCOM hardening on Windows Server June CU

Post by dasfliege »

We're scanning all our servers to check whether they are ready to be upgraded with the June cumulative update for Windows Server, as this CU contains a "fix" for a DCOM-related vulnerability described here: https://support.microsoft.com/en-us/top ... ed901c769c

What we've found is that servers that are backed up by Veeam agent raise the following DCOM warning:
"The server-side authentication level policy does not allow the user domain\veeam-backup SID (S-1-5-21-2778164257-2245742617-1178902439-1604) from address x.x.x.x to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."

Is Veeam aware that installing this CU could lead to problems? Is there anything we need to do prior to installing the CU?

dasfliege
Service Provider
Posts: 183
Liked: 42 times
Joined: Nov 17, 2014 1:48 pm
Location: Switzerland

Re: DCOM hardening on Windows Server June CU

Post by dasfliege » 1 person likes this post

Case #02680592

johan.h
Veeam Software
Posts: 678
Liked: 169 times
Joined: Jun 05, 2013 9:45 am
Full Name: Johan Huttenga

Re: DCOM hardening on Windows Server June CU

Post by johan.h »

This has to do with RPC communication. This update forces a specific authentication level. This is a staged change by Microsoft. You can bypass this by changing the RequireIntegrityActivationAuthenticationLevel key.

I believe this will be addressed in line with VBR v12.

kevlahau
Novice
Posts: 7
Liked: 2 times
Joined: Apr 02, 2020 12:59 am
Full Name: Kevin Woolard

Re: DCOM hardening on Windows Server June CU

Post by kevlahau »

And this key would be under which hive?

Origin 2000
Service Provider
Posts: 29
Liked: 7 times
Joined: Sep 24, 2020 2:14 pm

Re: DCOM hardening on Windows Server June CU

Post by Origin 2000 » 2 people like this post

It's HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat as described in the MS KB.
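
An added example (not part of the original posts, and not Veeam or Microsoft code): a read-only PowerShell audit that reports the state of the registry value named above and lists which accounts and source addresses trigger the DCOM warning quoted in the first post. The function names, the 30-day window and the sample message are assumptions made for illustration; the 0/1 meaning of the value follows Microsoft's KB.

```powershell
# Added example: read-only audit, run in an elevated PowerShell session on the server.
$olePath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # DWORD 1 = hardening enabled, 0 = disabled (the temporary workaround).
    # If the value is absent, the default of the installed update level applies.
    $item = Get-ItemProperty -Path $olePath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (OS default applies)' }
    switch ([int]($item.$valueName)) {
        1       { 'Enabled' }
        0       { 'Disabled (workaround active)' }
        default { "Unexpected value: $($item.$valueName)" }
    }
}

function ConvertFrom-DcomWarning {
    # Extracts account, SID and source address from the warning text.
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'does not allow the user (?<User>.+?) SID \((?<Sid>S-[\d-]+)\) ' +
               'from address (?<Address>\S+) to activate DCOM server'
    if ($Message -match $pattern) {
        [pscustomobject]@{ User = $Matches.User; Sid = $Matches.Sid; Address = $Matches.Address }
    }
}

function Get-DcomActivationWarning {
    # Groups matching System-log events by account and source address.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*server-side authentication level policy*' } |
        ForEach-Object { ConvertFrom-DcomWarning -Message $_.Message } |
        Group-Object User, Address |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample modelled on the quoted warning (placeholder account, SID and address).
$sample = 'The server-side authentication level policy does not allow the user EXAMPLE\svc-backup SID (S-1-5-21-1111111111-2222222222-3333333333-1001) from address 192.0.2.10 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.'
ConvertFrom-DcomWarning -Message $sample

"Hardening state: $(Get-DcomHardeningState)"
Get-DcomActivationWarning -Days 30
```

The grouped output shows which DCOM clients still activate below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, which is the list to resolve before the workaround value stops being honoured.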

KoflerTx
Novice
Posts: 4
Liked: 1 time
Joined: Nov 22, 2016 12:51 pm
Full Name: Thomas K

Re: DCOM hardening on Windows Server June CU

Post by KoflerTx » 1 person likes this post

Why does it take Veeam so long to fix it? The change was announced by Microsoft a year ago, now it went live, but with a workaround available.
No word from Veeam about it and customers running against the wall?

dasfliege
Service Provider
Posts: 183
Liked: 42 times
Joined: Nov 17, 2014 1:48 pm
Location: Switzerland

Re: DCOM hardening on Windows Server June CU

Post by dasfliege »

This is what I got from Veeam support. So there seems to be no impact on backups even when the hardening is enabled.
But as the workaround will only be functional until March 23 and because it isn't that nice to have those false-positive events logged, I asked them to keep working on that "problem" and fix it. If Johan can confirm that it is on track for v12, then that may be well on time.

I've spoken to my colleagues and during their testing they haven't seen any issues happening with the backups. While the event still shows up in Event Viewer, there seem to be no functional issues due to it. In addition, we haven't seen any issues being reported by other customers who have gone through with the update.

As far as we can see, the update doesn't seem to be causing issues with agent backups so it should be fairly safe to go through with it on any agent machines. If you run into any issues, you can also use the registry key provided in the KB in order to disable DCOM Hardening:
