This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- Workaround for KB5004442/CVE-2021-26414
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-13-2021 09:33 PM
Microsoft has some upcoming changes to enforce RPC authentication and signing. This can be enabled right now with RequireIntegrityActivationAuthenticationLevel=1, and this is currently expected to become the default setting within the next couple of patch cycles. Currently, this breaks Lansweeper's agentless scanning when enabled, and Lansweeper's guidance is to set it to 0 - a solution that decreases security and won't be an option past early 2022.
I've found another workaround by setting HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel=6. This takes effect immediately, and changes outbound RPC to attempt connection with packet privacy unless the calling application explicitly requests a different authentication level. With this set, Lansweeper can scan systems with RequireIntegrityActivationAuthenticationLevel=1 successfully. This may also solve issues with other RPC-driven applications that could break with Microsoft's upcoming change; apps which aren't as well maintained as Lansweeper.
I am still reviewing the impact of DefaultAuthLevel=6 in a lab environment for other potential issues, but thus far it appears to be OK in a simple single-domain environment. I would expect both DefaultAuthLevel=6 and RequireIntegrityActivationAuthenticationLevel=1 to have a higher probability of causing misbehaviours in more complex, multi-domain environments with apps that plumb deeply into domain authentication (ie: on-premises SharePoint). On a server dedicated to Lansweeper alone, DefaultAuthLevel=6 appears quite safe to set. Given that DefaultAuthLevel doesn't require a reboot to take effect (whereas RequireIntegrityActivationAuthenticationLevel does), reverting it is also simple.
One mild challenge is that HKLM\SOFTWARE\Microsoft\Rpc\SecurityService is write-locked to TrustedInstaller, so a permissions change is required to modify the registry. PowerShell can do this, but it does require a fairly lengthy script. For brevity, this is the classic cmd/batch syntax to go with Helge Klein's SetACL utility:
** Replace Administrators with SYSTEM or another appropriate identity for the context your script is running in.
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
https://www.lansweeper.com/knowledgebase/the-rpc-server-is-unavailable/
https://helgeklein.com/setacl/
I've found another workaround by setting HKLM\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel=6. This takes effect immediately, and changes outbound RPC to attempt connection with packet privacy unless the calling application explicitly requests a different authentication level. With this set, Lansweeper can scan systems with RequireIntegrityActivationAuthenticationLevel=1 successfully. This may also solve issues with other RPC-driven applications that could break with Microsoft's upcoming change; apps which aren't as well maintained as Lansweeper.
I am still reviewing the impact of DefaultAuthLevel=6 in a lab environment for other potential issues, but thus far it appears to be OK in a simple single-domain environment. I would expect both DefaultAuthLevel=6 and RequireIntegrityActivationAuthenticationLevel=1 to have a higher probability of causing misbehaviours in more complex, multi-domain environments with apps that plumb deeply into domain authentication (ie: on-premises SharePoint). On a server dedicated to Lansweeper alone, DefaultAuthLevel=6 appears quite safe to set. Given that DefaultAuthLevel doesn't require a reboot to take effect (whereas RequireIntegrityActivationAuthenticationLevel does), reverting it is also simple.
One mild challenge is that HKLM\SOFTWARE\Microsoft\Rpc\SecurityService is write-locked to TrustedInstaller, so a permissions change is required to modify the registry. PowerShell can do this, but it does require a fairly lengthy script. For brevity, this is the classic cmd/batch syntax to go with Helge Klein's SetACL utility:
SetACL64 -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService" -ot reg -actn setowner -ownr "n:Administrators" -silent -ignoreerr
SetACL64 -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService" -ot reg -actn ace -ace "n:Administrators;p:Full;m:Grant" -silent -ignoreerr
reg add "HKLM\SOFTWARE\Microsoft\Rpc\SecurityService" /v DefaultAuthLevel /t REG_DWORD /d 6 /f
** Replace Administrators with SYSTEM or another appropriate identity for the context your script is running in.
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
https://www.lansweeper.com/knowledgebase/the-rpc-server-is-unavailable/
https://helgeklein.com/setacl/
Labels:
- Labels:
-
General Discussion
0 REPLIES 0
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Integrations with MDM Solutions in Product Discussions
- Lansweeper Classic Installation Requirements in Product Discussions
- Workaround for LS bug: Clean Orphaned AD Objects in Reports & Analytics
- Report Request: How long did it take a user to login? in Reports & Analytics
- Deploying Lansweeper in AWS Using An RDS Database Guide in Product Discussions
