Barb
3 years ago

KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

Will LogicMonitor be affected by KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414), and are we required to perform any steps?

Are there any official comms from LogicMonitor?

  • Anonymous

    If you’re looking for an official response from LM, it has to be through a support ticket. There is only one person at LM who has the community as her day-job, and she’s not in support.

  • We are currently experiencing an issue relating to this KB.

    There are several Event Logs coming in with the following message:
    Message: The server-side authentication level policy does not allow the user <domain>\<service_account> SID (<SID>) from address 10.20.23.25 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

    The event can be suppressed, but the cause of the issue is on the collector side. It seems that the collector would need to be updated.

    Please let me know if I'm misinformed.

  • Hi

    I am also facing this issue; several events are being generated on the Windows server:

    activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

    Please advise how I can stop these events on the server; they are unnecessarily creating noise on the server.
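
To see which clients and accounts are behind these events, the message text quoted in the thread can be parsed and tallied per client address. This is an added example, not part of any post above and not LogicMonitor code; the sample messages are constructed from the quoted wording, and the account name, SID and second address are made up.

```python
import re
from collections import Counter

# Matches the wording of the event message quoted in the thread.
EVENT_RE = re.compile(
    r"does not allow the user (?P<user>.+?) SID \((?P<sid>[^)]+)\) "
    r"from address (?P<address>\S+) to activate DCOM server"
)

def parse_event(message):
    """Return user, SID and client address, or None for any other event text."""
    # Exported event text may be wrapped across lines; collapse whitespace first.
    match = EVENT_RE.search(" ".join(message.split()))
    return match.groupdict() if match else None

def summarize(messages):
    """Count denied activations per (client address, account), busiest first."""
    counts, skipped = Counter(), 0
    for message in messages:
        event = parse_event(message)
        if event is None:
            skipped += 1  # a different event; counted, never guessed at
            continue
        counts[(event["address"], event["user"])] += 1
    return counts.most_common(), skipped

def _denial(user, sid, address):
    """Build a constructed sample message in the thread's format."""
    return ("The server-side authentication level policy does not allow the user "
            f"{user} SID ({sid}) from address {address} to activate DCOM server. "
            "Please raise the activation authentication level at least to "
            "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.")

# Constructed sample data: account, SID and the .26 address are made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
SAMPLE_MESSAGES = [
    _denial(r"CORP\svc_monitor", SID, "10.20.23.25"),
    _denial(r"CORP\svc_monitor", SID, "10.20.23.26"),
    _denial(r"CORP\svc_monitor", SID, "10.20.23.25").replace("from address ", "from address\n"),
    "The Print Spooler service entered the running state.",  # unrelated event
    _denial(r"CORP\svc_monitor", SID, "10.20.23.25"),
]

if __name__ == "__main__":
    ranked, skipped = summarize(SAMPLE_MESSAGES)
    for (address, user), count in ranked:
        print(f"{count:4d}  {address:15s}  {user}")
    print(f"{skipped} message(s) did not match and were skipped")
```

The addresses at the top of the tally are the clients still activating DCOM below the authentication level the server now requires.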