Microsoft DCOM Hardening Recommendation

Updated on December 23, 2022:

On September 12, 2022, we announced critical security changes concerning the Windows Distributed Component Object Model (DCOM), also known as "DCOM Hardening". To learn more, see this Microsoft article about CVE-2021-26414.

Since our previous message, Microsoft has published an additional Windows "DCOM client-side" patch on November 8, 2022 in response to feedback from customers. This patch eliminates the need for users of DCOM applications to deploy application specific patches to mitigate the effects of the DCOM hardening.

Our engineering teams have analyzed this additional patch and tested Meridian functionality in combination with it. This analysis and testing have shown that this DCOM client-side patch performs the same function as the Meridian patches we were preparing, namely raising the authentication level of DCOM requests made by the Meridian clients.

Based on this result, with this additional Windows patch in place, patching Meridian is no longer required to continue operations when the DCOM hardening (which becomes mandatory on March 14, 2023) takes effect.

Install the Windows Patch

Note:

The Meridian PowerWeb IIS application and the Enterprise Server are clients of the EDM Server, and the EDM Server is a client of the license server.

To ensure continued operation of Meridian:

  1. Install the Windows patch on all machines which, in terms of a DCOM connection, are clients of the Meridian EDM Server or the Meridian License Server.

  2. In addition to all workstations running Meridian clients, install this patch on the servers hosting the mentioned components.

    You do not need to explicitly configure any registry keys to control the Windows DCOM client-side patch. The default installation will allow Meridian clients to continue working when the hardening takes effect.

  3. If you set the RaiseActivationAuthenticationLevel registry key related to this patch, set its value to 2.

    The Windows DCOM client-side patch works for all Meridian clients of all versions of Meridian Server.

Test the Windows Patch

If you want to test the functioning of this patch:

  1. Make sure the Windows patch of June 14, 2022 is installed on the machines hosting the EDM Server and the License Server.

  2. On these machines, set the RequireIntegrityActivationAuthenticationLevel registry key to 1.

  3. Make sure the Windows DCOM client-side patch of November 8, 2022 is installed on server and client machines.

  4. On these machines, either omit the RaiseActivationAuthenticationLevel registry key or set its value to 2.

  5. After installing the patch or changing one of the mentioned registry keys, restart the machine.

  6. To test connectivity of the client to the EDM Server and License Server, open a Vault.
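
The following PowerShell sketch is an added example, not part of the original article or of Meridian. It checks a machine against steps 2 and 4 above and then looks for rejected DCOM activations. The function names and the -HostsMeridianServer switch are hypothetical, and the event ID 10036 and its provider name come from Microsoft's KB5004442, not from this page.

```powershell
# Added example: audits the two DCOM hardening registry values named in the test steps.
# Run in an elevated PowerShell session on each server and client machine.
$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'

function Get-DcomValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the AppCompat key or the named value does not exist.
    $item = Get-ItemProperty -Path $AppCompat -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-DcomHardeningSetup {
    # -HostsMeridianServer (hypothetical switch): use on EDM Server / License Server hosts.
    param([switch]$HostsMeridianServer)
    $require = Get-DcomValue -Name 'RequireIntegrityActivationAuthenticationLevel'
    $raise   = Get-DcomValue -Name 'RaiseActivationAuthenticationLevel'
    # Step 2: on the server hosts the server-side value is set explicitly to 1.
    $requireOk = (-not $HostsMeridianServer) -or ($require -eq 1)
    # Step 4: the client-side value is either omitted or set to 2.
    $raiseOk = ($null -eq $raise) -or ($raise -eq 2)
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        RequireIntegrity     = if ($null -eq $require) { '(not set)' } else { $require }
        RaiseActivation      = if ($null -eq $raise) { '(not set)' } else { $raise }
        MatchesTestProcedure = $requireOk -and $raiseOk
    }
}

function Get-DcomActivationRejection {
    param([int]$Hours = 24)
    # Event ID 10036 in the System log is the server-side event Microsoft documents
    # (KB5004442) for an activation made below packet-integrity authentication.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches, so an empty result is silenced.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Run after step 6 (opening a Vault). Add -HostsMeridianServer on the server hosts.
Test-DcomHardeningSetup | Format-List
Get-DcomActivationRejection -Hours 24 | Format-List
```

An empty result from the second command on the EDM Server and License Server hosts, together with a Vault that opens, indicates that clients are activating at the required authentication level.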

If you need assistance, use the following guidance to contact us:

  • For Direct Meridian Customers: utilize the Customer Support Portal to log a product support ticket. If you are serviced by one of our Meridian Partners, reach out directly to them for support.

  • For Meridian Partners: communicate this information to your customers. If you have any questions, reach the Meridian Support team by logging a case via Partner Portal.

Deprecated Instructions

Updated on October 7, 2022:

This article is applicable to customers and partners of organizations that received an email with the following subject: Urgent Action Required: Microsoft DCOM Hardening Recommendation. This email describes the Windows DCOM (Distributed Component Object Model) changes and their impact on Meridian.

The on-premises installations of the Accruent Meridian application(s) use the Windows DCOM protocol to facilitate the communication between the client and the server, and between Meridian Services. Microsoft has introduced critical security DCOM authentication changes which will go into effect from March 14, 2023.

Important!
  • To ensure that your Meridian application(s) remain working as expected after March 14th, 2023, and that your users do not experience any downtime, action may be required. In addition to the security patches provided by Microsoft, your Meridian application(s) might require further patches or upgrades to continue to function as expected.

  • This article is updated frequently, particularly regarding PowerUser patches. We recommend regularly verifying the information applicable to your Meridian Enterprise version.

For more information about the Windows Distributed Component Object Model (DCOM) protocol, see KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).

Required Actions

Update or patch your Meridian application(s) in accordance with Microsoft's latest security patches for DCOM and our recommendations below. The table below shows what action to take based on your Meridian version to comply with the latest security standard for DCOM. If any action is required, do not delay it, as the process can be time-consuming.

June 14, 2022 was the first instance in which the hardening changes could be automatically enabled by default. Even if you have not been affected by this change so far, we recommend you act with urgency. The most appropriate course of action if you are not on a 2022 version of Meridian is that your Information Technology department(s) disable the hardening changes via a registry key, which is explained below.

Note:

Meridian 2019 and older versions require special attention.

Dates and actions to be taken according to your Meridian version:

Meridian Versions

| Microsoft Security Patches for DCOM | Any versions before 2019 R2 | 2019 R2, all 2020 versions, and all 2021 versions | 2022 or newer |
| --- | --- | --- | --- |
| June 8, 2021 | No action is required | No action is required | No action is required |
| June 14, 2022 | Apply registry key (note 1) | Apply registry key (note 1) | No action is required |
| March 14, 2023 | Take urgent action to upgrade to 2022 or newer (note 2) | Take urgent action (note 3) | No action is required |

  1. As this registry value does not exist by default, you must create it, according to the information below. Windows will read it if it exists and will not overwrite it.

    Enabling the registry key below makes DCOM servers enforce an authentication level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.

    Enter Value Data in hexadecimal format.

    Registry key information:

    Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat

    Value Name: "RequireIntegrityActivationAuthenticationLevel"

    Type: dword

    Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to enabled.

    Important!

    You must restart your device after setting this registry key for it to take effect.

    To learn more, see KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).

  2. We recommend upgrading Meridian installations before 2019 R2 to the latest released version, or to a version with a supported update for DCOM (2019 R2 onwards), so you can apply the final Microsoft patch on March 14, 2023.

  3. When using one of the following versions of Meridian: 2019 R2, any 2020 version, or any 2021 version, we recommend that you upgrade to the latest released version of Meridian. Should you choose not to upgrade, patches for Meridian are available to enable you to apply the final Microsoft patch on March 14, 2023.

    If you have any concern or questions about the patch installation, open a case with Meridian Support, with the subject: Microsoft DCOM Question, with Severity 3.

DCOM Patching Process for Each Meridian Version

Do not skip any patch. Install the files in the following order:

  1. “First Prerequisite”,

  2. “Second Prerequisite” (if necessary), AND

  3. “DCOM Patch”.

Important!
  • If you use a version older than 2019 R2, contact MeridianServices@accruent.com to schedule an update as soon as possible, as these versions do not have patches to install.

  • After installing the patch, do not delete the registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat.

Meridian 2019 R2

Download the appropriate patch.

PowerWeb

Download the following files:

PowerUser

No patch available yet.

Meridian 2020

Download the appropriate patch.

PowerWeb

Download the file in this link.

This file contains the following files:

  • First Prerequisite:

    Patch 4649.4652 (MPS-28484 MPS-29847)Web.zip

  • DCOM Patch:

    Patch 4649.4654 (MPS-46573)Web.zip

PowerUser

No patch available yet.

Meridian 2020 R2

Download the appropriate patch.

PowerWeb

Download the following files:

  • First Prerequisite:

    BC-Meridian 2020 R2 Update 1

    This update is available on the Salesforce Downloads page.

    Download the file in this link. This file contains the following files:

  • Second Prerequisite:

    • Patch 5050 (MPS-35168)WebAmOmw.zip

    • Patch 5028.5051 (MPS-43079)Web.zip

    • Patch 4870 (MPS-39699)Server.zip

  • DCOM Patch:

    Patch 5028.5052 (MPS-43735)Web.zip

PowerUser

No patch available yet.

Meridian 2021

Download the appropriate patch.

PowerWeb

Download the file in this link. This file contains the following files:

  • First Prerequisite:

    • Patch 5428 (MPS-36264).zip

    • Patch 5431 (MPS-37484).zip

    • Patch 5434 (MPS-35085)Web.zip

  • Second Prerequisite:

    Patch 5440 (MPS-43359 MPS-42758)WebAutoEx.zip

  • DCOM Patch:

    Patch 5441 (MPS-44335)Web.zip

PowerUser

No patch available yet.

Meridian 2021 R2

Download the appropriate patch.

PowerWeb

Download the file in this link. This file contains the following files:

  • First Prerequisite:

    • Patch 5729 (MPS-39036 MPS-24795 MPS-35726)Web.zip

    • Patch 5730 (MPS-38990)Web.zip

    • Patch 5731 (MPS-38819)Web.zip

    • Patch 5732 (MPS-39325)Web.zip

    • Patch 5735 (MPS-41239)Web.zip

    • Patch 5736 (MPS-42499)Web.zip

    • Patch 5740 (MPS-42345)Web.zip

    • Patch 5744 (MPS-35168)WebAmOmw.zip

  • Second Prerequisite:

    Patch 5739 (MPS-42530)Web.zip

  • DCOM Patch:

    Patch 5746 (MPS-44850)Web.zip

PowerUser

No patch available yet.

Meridian 2021 R3

Download the appropriate patch.

PowerWeb

Download the file in this link. This file contains the following files:

  • First Prerequisite:

    Patch 6102 (MPS-43650)WebAmOmw.zip

  • DCOM Patch:

    Patch 6104 (MPS-44850)Web.zip

PowerUser

Download the file in this link.

Meridian 2022

No further actions are needed.