|
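# Every code path below reads, and -Enable writes, HKLM:\SOFTWARE\Microsoft\Ole\AppCompat, so the
# session must be elevated. -RunAsAdministrator is the documented parameter name (about_Requires);
# the abbreviated "-RunAsAdmin" is not, so spell it out to keep the directive unambiguous.
#Requires -RunAsAdministrator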
|
|
|
<# |
|
.SYNOPSIS |
|
Helps evaluate the DCOM authentication hardening status introduced by KB5004442 (CVE-2021-26414).
|
|
|
.DESCRIPTION |
|
Helps evaluate the DCOM authentication hardening status introduced by KB5004442 (CVE-2021-26414): reads the RequireIntegrityActivationAuthenticationLevel and RaiseActivationAuthenticationLevel values under HKLM:\SOFTWARE\Microsoft\Ole\AppCompat, optionally enforces them, and can list DCOM applications configured with a low authentication level.
|
|
|
.PARAMETER Enable |
|
Switch to modify the registry: explicitly sets RequireIntegrityActivationAuthenticationLevel to 1 (hardening enforced) and removes the RaiseActivationAuthenticationLevel value. Requires an elevated session because the key lives under HKLM. Cannot be combined with -OnlyShowLowAuthDcomApp.
|
|
|
.PARAMETER OnlyShowLowAuthDcomApp |
|
Switch to only list, from the WMI repository (Win32_DCOMApplicationSetting), the DCOM applications whose explicit AuthenticationLevel is below 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). Makes no registry changes.
|
|
|
.EXAMPLE |
|
|
|
.\DCOM-Hardening.ps1 -Verbose |
|
|
|
VERBOSE: Evaluating DCOM Hardening status |
|
VERBOSE: RequireIntegrityActivationAuthenticationLevel value is: 1 |
|
VERBOSE: Hardening is enabled explicitly |
|
VERBOSE: Value is already enabled for RequireIntegrityActivationAuthenticationLevel – no change is required |
|
VERBOSE: Hardening raise value not present |
|
VERBOSE: Hardening is enabled and raise value not present |
|
|
|
.EXAMPLE |
|
|
|
.\DCOM-Hardening.ps1 -Verbose -Enable |
|
|
|
VERBOSE: Require value changed to 1 successfully |
|
VERBOSE: Raise value RaiseActivationAuthenticationLevel deleted successfully |
|
|
|
.EXAMPLE |
|
|
|
.\DCOM-Hardening.ps1 -OnlyShowLowAuthDcomApp |
|
|
|
Caption AppID AuthenticationLevel |
|
——- —– ——————- |
|
{42CBFAA7-A4A7-47BB-B422-BD10E9D02700} 2 |
|
UPnPContainer {6d8ff8e0-730d-11d4-bf42-00b0d0118b56} 0 |
|
UPnPContainer64 {6d8ff8e8-730d-11d4-bf42-00b0d0118b56} 0 |
|
AccStore Class {DE5DBCDC-104A-4cbc-A4D5-0C2104A142C5} 1 |
|
|
|
.NOTES |
|
|
|
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
|
|
|
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/dcom-authentication-hardening-what-you-need-to-know/ba-p/3657154 |
|
|
|
DCOM client-side patch on November 8, 2022 |
|
This update automatically raises the authentication level of all non-anonymous activation requests from DCOM clients to at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
|
With this change, most Windows DCOM clients will automatically work with DCOM hardening changes on the server side without any further modification to the DCOM client. |
|
This client-side raise is active by default but can be disabled by setting the RaiseActivationAuthenticationLevel registry value to 1.
|
The client-side raise is disabled by default on Windows 10 versions 1607 and 1809 and on Windows Server 2016.
|
To enable it there, set the RaiseActivationAuthenticationLevel value under HKLM:\SOFTWARE\Microsoft\Ole\AppCompat to 2. Note that -Enable deletes this value, which on those builds reverts the client-side raise to its disabled default.
|
|
|
Inspired by https://github.com/otoriocyber/DCOM-HardeningTool/blob/main/DisableDcomHardening.ps1
|
#> |
|
[CmdletBinding(DefaultParameterSetName = '__AllParameterSets')]
Param (
    # Parameter set "Set": write RequireIntegrityActivationAuthenticationLevel = 1 and delete
    # RaiseActivationAuthenticationLevel. Lives in its own set so it cannot be combined with
    # -OnlyShowLowAuthDcomApp; with no switch at all the script falls into the read-only report.
    [Parameter(ParameterSetName = 'Set')]
    [switch]$Enable,

    # Parameter set "WMI": only list Win32_DCOMApplicationSetting rows whose AuthenticationLevel
    # is below 5 (PKT_INTEGRITY). Read-only; touches no registry value.
    [Parameter(ParameterSetName = 'WMI')]
    [switch]$OnlyShowLowAuthDcomApp
)
|
Begin {
    # Names of the two KB5004442 registry values (see .NOTES) and the splat shared by the
    # registry cmdlets: the DCOM AppCompat key plus a terminating ErrorAction so that any
    # failure surfaces in the callers' try/catch instead of being printed and ignored.
    [string]$RequireValueName = 'RequireIntegrityActivationAuthenticationLevel'
    [string]$RaiseValueName   = 'RaiseActivationAuthenticationLevel'
    $HT = @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'; ErrorAction = 'Stop' }
}
|
# No pipeline input is bound, so there is no per-record work; all logic runs once in End.
Process {}
|
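End {
    # Dispatch on the parameter set the caller selected:
    #   WMI     (-OnlyShowLowAuthDcomApp) : list DCOM apps with a weak explicit authentication level, read-only
    #   Set     (-Enable)                 : write the hardening value and drop the client-side raise override
    #   default (no switch)               : report the current state of both registry values
    Switch ($PSCmdlet.ParameterSetName) {

        WMI {
            # Win32_DCOMApplicationSetting.AuthenticationLevel is the per-AppID RPC_C_AUTHN_LEVEL_* value.
            # 5 is RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, the minimum the hardened server side now requires
            # (see .NOTES), so anything strictly below it is a candidate for activation failures.
            # NOTE(review): 0 is RPC_C_AUTHN_LEVEL_DEFAULT, i.e. the application inherits the
            # machine-wide default rather than being proven weak — read a 0 row as "not explicitly
            # configured". Applications whose AuthenticationLevel is NULL (never set) do not satisfy
            # "< 5" and are therefore not listed at all.
            try {
                Get-CimInstance -Query 'SELECT * FROM Win32_DCOMApplicationSetting where AuthenticationLevel<5' -ErrorAction Stop -Verbose:$false |
                    Select-Object -Property Caption, AppID, AuthenticationLevel
            } catch {
                Write-Warning -Message "Failed to read WMI because $($_.Exception.Message)"
            }
            break
        }

        Set {
            #region Enable
            try {
                # 1. Explicitly set the Require value to 1 (hardening enforced). -Force overwrites
                #    an existing value such as an explicit 0; $HT supplies the key path and
                #    ErrorAction Stop so any failure lands in the catch below.
                $null = New-ItemProperty -Name $RequireValueName -Value 1 -Type DWord -Force @HT
                Write-Verbose -Message "Require value changed to 1 successfully"

                # 2. Remove the Raise override so the client-side behaviour reverts to the platform
                #    default. Look the value up first so "deleted successfully" is only reported
                #    when something was actually removed, and so a removal failure is surfaced
                #    through the catch instead of being silently ignored.
                #    NOTE(review): per .NOTES, on Windows 10 1607/1809 and Windows Server 2016 the
                #    client-side raise is off by default and only an explicit 2 turns it on, so
                #    deleting that value on those builds switches the raise back off.
                $raiseBefore = (Get-Item @HT).GetValue($RaiseValueName)
                if ($null -ne $raiseBefore) {
                    if ($raiseBefore -eq 2) {
                        Write-Warning -Message "$($RaiseValueName) was explicitly set to 2; on Windows 10 1607/1809 and Windows Server 2016 removing it disables the client-side raise (see .NOTES)"
                    }
                    Remove-ItemProperty -Name $RaiseValueName -Force @HT
                    Write-Verbose -Message "Raise value $($RaiseValueName) deleted successfully"
                } else {
                    Write-Verbose -Message "Raise value $($RaiseValueName) not present – nothing to delete"
                }
            } catch {
                Write-Warning -Message "Failed to set value because $($_.Exception.Message)"
            }
            #endregion
            break
        }

        default {
            Write-Verbose -Message 'Evaluating DCOM Hardening status'

            # Open the key once and read both values through RegistryKey.GetValue(): an absent
            # value comes back as $null instead of a terminating error (which would otherwise be
            # reported as a read failure for a value that is merely not set), while a genuine
            # failure (missing key, access denied) still throws and is reported here.
            $key = $null
            try {
                $key = Get-Item @HT
            } catch {
                Write-Warning -Message "Failed to open key $($HT.Path) because $($_.Exception.Message)"
            }

            if ($null -ne $key) {
                try {
                    #region RequireIntegrityActivationAuthenticationLevel
                    # Compare against $null, not truthiness: a DWORD of 0 is a legitimate explicit
                    # setting and must reach the "0" case below instead of being reported as absent.
                    $result = $key.GetValue($RequireValueName)
                    if ($null -ne $result) {
                        Write-Verbose -Message "$($RequireValueName) value is: $($result)"
                        Switch ($result) {
                            0 {
                                # An explicit 0 only opts out before the March 14, 2023 enforcement;
                                # after that date the value is ignored (see the .NOTES links).
                                Write-Verbose -Message 'Hardening is disabled explicitly, value is ignored'
                                break
                            }
                            1 {
                                Write-Verbose -Message 'Hardening is enabled explicitly'
                                Write-Verbose -Message "Value is already enabled for $($RequireValueName) – no change is required"
                                break
                            }
                            default {
                                Write-Warning -Message "Unexpected result for $($RequireValueName) found $($result)"
                            }
                        }
                    } else {
                        Write-Verbose -Message 'Hardening value not present'
                        # NOTE(review): "absent means enforced" is inferred from the local clock only.
                        # It holds for a machine that has the March 14, 2023 (or later) update
                        # installed; an unpatched machine evaluated after that date is still
                        # reported as enabled here, and a skewed clock moves the verdict either way.
                        if ((Get-Date) -gt (Get-Date -Year 2023 -Month 3 -Day 14)) {
                            # Absent value means hardening is enabled by default
                            Write-Verbose -Message 'Hardening is enabled with value not present'
                        }
                    }
                    #endregion

                    #region Raise
                    $result = $key.GetValue($RaiseValueName)
                    if ($null -ne $result) {
                        Write-Verbose -Message "$($RaiseValueName) value is: $($result)"
                        Switch ($result) {
                            2 {
                                Write-Verbose -Message 'Activation Authentication Level is raised'
                                break
                            }
                            1 {
                                Write-Verbose -Message 'Activation Authentication Level is Default'
                                break
                            }
                            default {
                                Write-Warning -Message "Unexpected raise value found $($result)"
                            }
                        }
                    } else {
                        Write-Verbose -Message 'Hardening raise value not present'
                        # Same clock-based inference, and the same caveat, as for the Require value.
                        if ((Get-Date) -gt (Get-Date -Year 2023 -Month 3 -Day 14)) {
                            # Absent value means hardening is enabled by default
                            Write-Verbose -Message 'Hardening is enabled and raise value not present'
                        }
                    }
                    #endregion
                } finally {
                    # Get-Item hands back an open RegistryKey; release the handle explicitly.
                    $key.Close()
                }
            }
        }
    }
}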