Event ID 10036 and kb5004442


Kurt Buff

Nov 2, 2021, 5:09:47 PM
to ntsys...@googlegroups.com
All,

I'm seeing tons of these on our SW Orion box (also on our SEIM product that harvests event logs). Orion and our two SEIM products (one for log collection and one for vulnerability management) run on 2016 and 2019 boxes. The monitored machines are a mix of 2012r2, 2016 and 2019.

     Log Name:      System
     Source:        Microsoft-Windows-DistributedCOM
     Date:          10/28/2021 9:18:35 PM
     Event ID:      10028
     Task Category: None
     Level:         Error
     Keywords:      Classic
     User:          SYSTEM
     Computer:      ORION.example.com
     Description:
     DCOM was unable to communicate with the computer
     10.x.x.20 using any of the configured protocols;
      requested by PID ad40
      (C:\Program Files (x86)\Common Files\SolarWinds\
     JobEngine.v2\SWJobEngineWorker2x64.exe).

I'm also seeing tons of these on our monitored systems, which seem to correlate with the above.

     Log Name:      System
     Source:        Microsoft-Windows-DistributedCOM
     Date:          11/2/2021 11:48:34 AM
     Event ID:      10036
     Task Category: None
     Level:         Error
     Keywords:      Classic
     User:          EXAMPLE\OrionProbe
     Computer:      server1.example.com
     Description:
     The server-side authentication level policy does
     not allow the user EXAMPLE\OrionProbe SID
     (S-1-5-21-207515869-1525690680-377547397-11618)
     from address 10.x.x.40 to activate DCOM server.
     Please raise the activation authentication
     level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.
 
This seems to be the culprit:
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c
 
It looks as if opening up the "Component Services" app (comexp.msc) and making a change to the Default Properties tab to Default Authentication Level might fix it. Has anyone here run across this, and found a GPO configuration that can make this change?

Thanks,
Kurt
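To size the problem on both sides before changing anything, here is an added PowerShell example that is not from the thread: it reads the System log for the two event IDs quoted above and tallies them by account and peer address. It assumes an elevated session on the machine whose log you want and English event text; the regexes are modelled on the messages Kurt pasted.

```powershell
# Added example, not from the thread: tally the DCOM errors quoted in the post so the
# noisy (account, peer address) pairs stand out. Assumes it runs elevated on the box
# whose System log you want to read, and that the event text is rendered in English.
$patterns = @{
    # Logged on the DCOM server side (the monitored machine) once KB5004442 is installed.
    10036 = 'not allow the user\s+(?<Who>\S+)\s+SID\s+\((?<Sid>S-1-5-[\d-]+)\)\s+from address\s+(?<Peer>\S+)\s+to activate'
    # Logged on the DCOM client side (the Orion/SEIM box) when a remote target cannot be reached.
    10028 = 'unable to communicate with the computer\s+(?<Peer>\S+)\s+using any of the configured protocols;\s+requested by PID\s+(?<Who>[0-9a-fA-F]+)'
}

function Get-DcomErrorSummary {
    param([int[]]$Id = @(10036, 10028), [int]$MaxEvents = 5000)

    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = $Id }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $rx = $patterns[[int]$e.Id]
        # Message is rendered from provider metadata; events we cannot parse are skipped.
        if ($rx -and $e.Message -match $rx) {
            [pscustomobject]@{
                Time = $e.TimeCreated
                Id   = $e.Id
                Who  = $Matches.Who    # account (10036) or requesting PID in hex (10028)
                Peer = $Matches.Peer   # remote address the event names
                Sid  = $(if ($Matches.ContainsKey('Sid')) { $Matches.Sid } else { $null })
            }
        }
    }

    $rows | Group-Object Id, Who, Peer | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Id    = $sorted[0].Id
            Who   = $sorted[0].Who
            Peer  = $sorted[0].Peer
            Count = $_.Count
            First = $sorted[0].Time
            Last  = $sorted[-1].Time
        }
    } | Sort-Object Count -Descending
}

Get-DcomErrorSummary | Format-Table -AutoSize
```

On a monitored server the 10036 rows show which polling account and source address trip the new policy; on the Orion box the 10028 rows show which targets it could not reach.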

Kevin Lundy

Nov 2, 2021, 5:57:53 PM
to ntsys...@googlegroups.com
No idea of the solution, but I can confirm similar logs with Orion.  I have basically ignored the entries since the WMI polling does work.  Are you using a trusted domain account for Orion?

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce5uUxx0dk4gi9VXeO9mPB%3DN_3vWZoPYh2Z1dY7VM2%2B7%3Dw%40mail.gmail.com.

Kurt Buff

Nov 2, 2021, 6:18:20 PM
to ntsys...@googlegroups.com
The guy that set this up configured a DA account for Orion and the SEIM products. Madness. It's on my project list for next year to restructure all three to use different tiered accounts - using the older MSFT 3 tier account model (DA, servers, workstations).

Kurt

James Iversen

Nov 3, 2021, 11:00:52 AM
to ntsys...@googlegroups.com
I absolutely "love" when a contract installer requests a DA account... Immediately to their face start talking about their competition... Then ask for the "real" requirements...

Erno, Cynthia M (ITS)

Nov 3, 2021, 11:09:41 AM
to ntsys...@googlegroups.com

+1               lol

paul.ra...@gmail.com

Nov 3, 2021, 11:15:02 AM
to ntsys...@googlegroups.com

Hi Kurt

I’ve seen this where the monitoring server and the monitored server are not patched to the same level (October patches in particular) – my guess would be the monitored servers have been patched but the monitoring (Orion) server hasn’t.

Paul.

Kurt Buff

Nov 3, 2021, 12:12:04 PM
to ntsys...@googlegroups.com
Agreed, but in this case it was my immediate predecessor in the IT Security role, so that's doubleplusungood.

Kurt

Kurt Buff

Nov 3, 2021, 2:32:10 PM
to ntsys...@googlegroups.com
AFAICT (and I'm the patching guy as part of my security role), all servers are fully patched.

I've been going to the machines under my control (which doesn't include the Orion box), navigating to My Computer and changing the "Default Options" tab to set "packet integrity" instead of "connect". That seems to be helping, but this really should be settable by GPO.

Kurt
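The setting Kurt is changing by hand in comexp.msc is a single registry DWORD, so it can be audited and pushed centrally. The following added PowerShell example (not from the thread) reports that value together with the KB5004442 hardening switch and, with -Enforce, raises it to Packet Integrity; it assumes an elevated session on the machine being checked.

```powershell
# Added example, not from the thread: audit (and with -Enforce, set) the machine-wide
# DCOM "Default Authentication Level" that Component Services (comexp.msc) stores in
# HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel, and report the KB5004442
# hardening switch. Assumes an elevated session on the machine being checked.
param([switch]$Enforce)

# RPC_C_AUTHN_LEVEL_* constants as stored in the registry value.
$AuthnLevel = @{ 0 = 'DEFAULT'; 1 = 'NONE'; 2 = 'CONNECT'; 3 = 'CALL'; 4 = 'PKT'; 5 = 'PKT_INTEGRITY'; 6 = 'PKT_PRIVACY' }
$Target     = 5   # PKT_INTEGRITY, the minimum that event 10036 asks for

$oleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$compatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'

$current = (Get-ItemProperty -Path $oleKey -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
if ($null -eq $current) { $current = 0 }   # value absent = not configured; comexp.msc shows "Connect"

$hardening = (Get-ItemProperty -Path $compatKey -Name RequireIntegrityActivationAuthenticationLevel -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
$hardeningText = if ($null -eq $hardening) { 'not set (phase default for this patch level, see KB5004442)' } else { "$hardening" }

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    LegacyAuthenticationLevel = "$current ($($AuthnLevel[[int]$current]))"
    MeetsPktIntegrity         = ([int]$current -ge $Target)
    Kb5004442Hardening        = $hardeningText
} | Format-List

if ($Enforce -and [int]$current -lt $Target) {
    # Same change Kurt made by hand in comexp.msc. To roll it out by GPO, deploy this one
    # DWORD with a Group Policy Preferences registry item instead of visiting each machine.
    Set-ItemProperty -Path $oleKey -Name LegacyAuthenticationLevel -Value $Target -Type DWord
    Write-Output "LegacyAuthenticationLevel raised to $Target ($($AuthnLevel[$Target])); restart DCOM client processes (e.g. the polling service) to pick it up."
}
```

Run it without -Enforce first across the fleet to see which machines still sit at Connect before deciding where the GPO should apply.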
