Installing Microsoft's June 8th 2021 security patches related to CVE-2021-26414 is generating errors on Domain Controllers.


181909
Created On 11/09/21 16:26 PM - Last Modified 03/15/23 18:15 PM


Symptom


When Microsoft's June 8th 2021 security patches related to CVE-2021-26414 are installed on Windows servers hosting the Domain Controller(s), the following system errors are seen in the Event Logs on the Domain controller(s) every 2 seconds.

The server-side authentication level policy does not allow the user <username> from address <FW IP> to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
 



Environment


PAN-OS Firewall
Windows Server hosting the Domain Controller(s)
WMI transport Protocol for Server Monitoring


 


Cause


On June 8th 2021, Microsoft released a set of patches in response to CVE-2021-26414 as part of its monthly patch release. To address the vulnerability described in CVE-2021-26414, customers must install updates released on June 8, 2021 and enable the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat” as per the instructions in KB5004442.

Enabling this registry key will make RPC servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher. As a result of these hardening changes, the following system errors are seen on Domain Controller(s) every 2 seconds.

The server-side authentication level policy does not allow the user <username> from address <FW IP> to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

Here is the timeline of the hardening changes as described in Microsoft KB5004442:
 

Update release    Event
8-Jun-2021        Hardening changes disabled by default but with the ability to enable them using a registry key.
14-Jun-2022       Hardening changes enabled by default but with the ability to disable them using a registry key.
14-Mar-2023       Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.



Resolution


You can resolve this issue using one of the following workarounds:

Option 1: Roll back the Microsoft patch

Rolling back June 8th security patches on the Windows server hosting the Domain controller(s) resolves this issue. If this is not an option for you, consider one of the options listed below.

Option 2: Disable the registry key 

In order to resolve this issue, you can disable the registry key RequireIntegrityActivationAuthenticationLevel on the Windows server hosting the Domain Controller(s). If this is not an option for you, consider one of the remaining options listed below.

  • Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
  • Value Name: "RequireIntegrityActivationAuthenticationLevel"
  • Type: dword
  • Value Data: 0x00000000 means disabled.

Note: You must enter Value Data in hexadecimal format. You must restart your device after setting this registry key for it to take effect.

Starting from 14 March 2023, hardening changes in DCOM will be enabled by default and customers will NOT have the ability to disable the registry key. So, disabling the registry key is only a temporary workaround. You should consider implementing either option 3 or 4 before March 2023.
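The following PowerShell script is an added example (not part of this KB article) for auditing a Domain Controller before choosing one of the options above: it reports the current state of the RequireIntegrityActivationAuthenticationLevel value and counts the activation-level errors quoted in the Symptom section per client address and user, so you can confirm which firewall IPs are still using WMI. It assumes the registry path given in this article, matches events by the message text quoted above, and assumes the DCOM events are written by the Microsoft-Windows-DistributedCOM provider in the System log.

```powershell
# Added example, not from the KB article. Run on the Domain Controller in an elevated PowerShell session.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'            # path from KB5004442 / this article
$ValueName = 'RequireIntegrityActivationAuthenticationLevel'     # value name from this article

function Get-DcomHardeningState {
    # Returns a short description of the registry state; "NotSet" means default behaviour applies,
    # which depends on the patch level (see the KB5004442 timeline in this article).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (default behaviour depends on installed patches)' }
    if ($item.$ValueName -eq 0) { return 'Disabled (0x00000000)' }
    return ('Enabled (0x{0:X8})' -f [int]$item.$ValueName)
}

function Get-DcomActivationErrors {
    param([int]$Hours = 1)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'   # assumed provider name for DCOM events
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*server-side authentication level policy does not allow*' } |
        ForEach-Object {
            # Extract user and source address from the message format quoted in the article.
            if ($_.Message -match 'user (?<user>\S+) from address (?<addr>\S+) to activate DCOM server') {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $Matches.user; Address = $Matches.addr }
            }
        }
}

"DCOM hardening registry state: $(Get-DcomHardeningState)"
$errors = Get-DcomActivationErrors -Hours 1
if ($errors) {
    # About 1800 hits per address per hour matches the "every 2 seconds" rate described above.
    $errors | Group-Object Address, User | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
} else {
    'No DCOM activation-level errors found in the last hour.'
}
```

Addresses that appear in the output are the firewalls (or other WMI clients) that still need Option 3 or Option 4 applied; once all of them have been moved to WinRM or the Windows-based agent, the count should drop to zero without touching the registry key.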
 

Option 3: Switch to WinRM transport protocol (Firewall should be running PAN-OS 9.0 and above version).

Starting from PAN-OS 9.0, customers have the option to either use WMI or WinRM as the transport protocol for reading security log events from Domain Controller(s).

System errors are seen ONLY when using WMI as transport protocol on PAN-OS firewalls. These errors are NOT seen when using WinRM transport protocol. 

If your firewall is running PAN-OS 9.0 version and above, you can switch the transport protocol to use WinRM to resolve this issue. WinRM transport protocol is also the Palo Alto Networks recommended transport protocol for monitoring Domain Controller(s).

There is no loss of User-ID functionality when using WinRM instead of WMI. WinRM is more efficient than WMI and improves the performance and scalability of User-ID monitoring: it can help reduce firewall CPU and memory utilization and improve the speed at which IP-user mappings are fetched from monitored servers. Refer to this link for instructions on how to configure Server Monitoring using the WinRM protocol.

If you have multiple Domain Controllers, you can either switch the transport protocol from WMI to WinRM on ALL Domain Controllers at once or change the transport protocol on one Domain Controller at a time. Please ensure that the dedicated service account has the required permissions as outlined in the document to use both WMI and WinRM transport protocols.

For firewall deployments running PAN-OS 8.1 and earlier versions, Palo Alto Networks' recommendation is to upgrade your firewall to PAN-OS 9.0 or later to take advantage of the benefits of the WinRM transport protocol. Please note that both PAN-OS 8.1 and 9.0 will reach End of Life on March 1st 2022.


Option 4: Switch to Windows based User-ID agent.

If you cannot use any of the above 3 options, then you can switch to Windows based User-ID agent to resolve this issue. For more information on how to configure Windows based User-ID agent for User mapping, please refer to this link.
 

(Note: Firewalls running in FIPS-CC mode do not have the ability to use WinRM Transport Protocol. This limits the number of ways that an organization can mitigate the challenge caused by the Microsoft update to WMI Transport Protocol as recorded in our KB published here. If your firewalls are running in FIPS-CC mode, you can either switch to the Windows based User-ID agent or a new method of IP-User mapping collection).


