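#Requires -RunAsAdministrator
<#
.SYNOPSIS
Helps evaluate the DCOM hardening status introduced by KB5004442
.DESCRIPTION
Reads the RequireIntegrityActivationAuthenticationLevel and RaiseActivationAuthenticationLevel
values under HKLM:\SOFTWARE\Microsoft\Ole\AppCompat and reports (through -Verbose) what they
mean for the DCOM hardening introduced by KB5004442.
Without a switch the script only evaluates; the registry is modified only when -Enable is used.
.PARAMETER Enable
Switch to modify the registry and explicitly enable the RequireIntegrityActivationAuthenticationLevel value (set to 1).
The RaiseActivationAuthenticationLevel value is removed when it is present.
.PARAMETER OnlyShowLowAuthDcomApp
Switch to only get the list of low Authentication DCOM Applications from the WMI repository
(AuthenticationLevel below 5, i.e. below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
.EXAMPLE
.\DCOM-Hardening.ps1 -Verbose
VERBOSE: Evaluating DCOM Hardening status
VERBOSE: RequireIntegrityActivationAuthenticationLevel value is: 1
VERBOSE: Hardening is enabled explicitly
VERBOSE: Value is already enabled for RequireIntegrityActivationAuthenticationLevel - no change is required
VERBOSE: Hardening raise value not present
VERBOSE: Hardening is enabled and raise value not present
.EXAMPLE
.\DCOM-Hardening.ps1 -Verbose -Enable
VERBOSE: Require value changed to 1 successfully
VERBOSE: Raise value RaiseActivationAuthenticationLevel deleted successfully
.EXAMPLE
.\DCOM-Hardening.ps1 -OnlyShowLowAuthDcomApp
Caption AppID AuthenticationLevel
------- ----- -------------------
{42CBFAA7-A4A7-47BB-B422-BD10E9D02700} 2
UPnPContainer {6d8ff8e0-730d-11d4-bf42-00b0d0118b56} 0
UPnPContainer64 {6d8ff8e8-730d-11d4-bf42-00b0d0118b56} 0
AccStore Class {DE5DBCDC-104A-4cbc-A4D5-0C2104A142C5} 1
.NOTES
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/dcom-authentication-hardening-what-you-need-to-know/ba-p/3657154
DCOM client-side patch on November 8, 2022
This update will automatically raise authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY at a minimum.
With this change, most Windows DCOM clients will automatically work with DCOM hardening changes on the server side without any further modification to the DCOM client.
This update will be activated by default but can be deactivated by setting its registry key to 1.
This patch is disabled by default for Windows 10, versions 1809 and 1607 and Windows Server 2016.
To enable it, set the registry key value for RaiseActivationAuthenticationLevel to 2
Inspired from https://github.com/otoriocyber/DCOM-HardeningTool/blob/main/DisableDcomHardening.ps1
#>
[CmdletBinding(DefaultParameterSetName='__AllParameterSets')]
Param (
    [Parameter(ParameterSetName='Set')]
    [Switch]$Enable,
    [Parameter(ParameterSetName='WMI')]
    [Switch]$OnlyShowLowAuthDcomApp
)
Begin {
    $RequireValueName = 'RequireIntegrityActivationAuthenticationLevel'
    $RaiseValueName   = 'RaiseActivationAuthenticationLevel'
    # Shared parameters for the registry cmdlets; ErrorAction Stop so failures land in the catch blocks
    $HT = @{
        Path        = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
        ErrorAction = 'Stop'
    }
    # From this date an absent value means hardening is enabled by default (KB5004442);
    # built at midnight so the comparison does not depend on the current time of day
    $EnforcementDate = [datetime]::new(2023, 3, 14)
}
Process {}
End {
    Switch ($PSCmdlet.ParameterSetName) {
        'WMI' {
            # List DCOM applications whose AuthenticationLevel is below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5),
            # i.e. the ones whose clients are affected by the hardening
            try {
                Get-CimInstance -Query 'SELECT * FROM Win32_DCOMApplicationSetting where AuthenticationLevel<5' -ErrorAction Stop -Verbose:$false |
                Select-Object -Property Caption, AppID, AuthenticationLevel
            } catch {
                Write-Warning -Message "Failed to read WMI because $($_.Exception.Message)"
            }
            break
        }
        'Set' {
            #region Enable
            try {
                # New-ItemProperty -Force creates the value but not a missing parent key
                if (-not (Test-Path -Path $HT.Path)) {
                    $null = New-Item -Path $HT.Path -Force -ErrorAction Stop
                    Write-Verbose -Message "Created registry key $($HT.Path)"
                }
                # 1. Explicitly set Enable value
                $null = New-ItemProperty -Name $RequireValueName -Value 1 -Type DWord -Force @HT
                Write-Verbose -Message "Require value changed to 1 successfully"
                # 2. Remove Raise value; only report a deletion when the value was actually there
                $raisePresent = $null -ne (Get-ItemProperty -Path $HT.Path -Name $RaiseValueName -ErrorAction SilentlyContinue)
                if ($raisePresent) {
                    Remove-ItemProperty -Name $RaiseValueName -Force @HT
                    Write-Verbose -Message "Raise value $($RaiseValueName) deleted successfully"
                } else {
                    Write-Verbose -Message "Raise value $($RaiseValueName) not present, nothing to delete"
                }
            } catch {
                Write-Warning -Message "Failed to set value because $($_.Exception.Message)"
            }
            #endregion
            break
        }
        default {
            Write-Verbose -Message 'Evaluating DCOM Hardening status'
            #region RequireIntegrityActivationAuthenticationLevel
            $result = $null
            try {
                # A missing value (or key) throws because of ErrorAction Stop and leaves $result at $null
                $result = (Get-ItemProperty @HT -Name $RequireValueName).($RequireValueName)
            } catch {
                Write-Warning -Message "Failed to read value $($RequireValueName) because $($_.Exception.Message)"
            }
            # Compare against $null rather than testing truthiness: 0 is a legitimate value that
            # means "explicitly disabled" and must not be reported as "not present"
            if ($null -ne $result) {
                Write-Verbose -Message "$($RequireValueName) value is: $($result)"
                Switch ($result) {
                    0 {
                        Write-Verbose -Message 'Hardening is disabled explicitly, value is ignored'
                        break
                    }
                    1 {
                        Write-Verbose -Message 'Hardening is enabled explicitly'
                        Write-Verbose -Message "Value is already enabled for $($RequireValueName) - no change is required"
                        break
                    }
                    default {
                        Write-Warning -Message "Unexpected result for $($RequireValueName) found $($result)"
                    }
                }
            } else {
                Write-Verbose -Message 'Hardening value not present'
                if ((Get-Date) -gt $EnforcementDate) {
                    # Absent value means hardening is enabled by default
                    Write-Verbose -Message 'Hardening is enabled with value not present'
                }
            }
            #endregion
            #region Raise
            $result = $null
            $result = (Get-ItemProperty -Path $HT.Path -Name $RaiseValueName -ErrorAction SilentlyContinue).($RaiseValueName)
            # Same $null test as above so an explicit 0 reaches the switch instead of the "not present" branch
            if ($null -ne $result) {
                Write-Verbose -Message "$($RaiseValueName) value is: $($result)"
                Switch ($result) {
                    2 {
                        Write-Verbose -Message 'Activation Authentication Level is raised'
                        break
                    }
                    1 {
                        Write-Verbose -Message 'Activation Authentication Level is Default'
                        break
                    }
                    default {
                        Write-Warning -Message "Unexpected raise value found $($result)"
                    }
                }
            } else {
                Write-Verbose -Message 'Hardening raise value not present'
                if ((Get-Date) -gt $EnforcementDate) {
                    # Absent value means hardening is enabled by default
                    Write-Verbose -Message 'Hardening is enabled and raise value not present'
                }
            }
            #endregion
        }
    }
}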