Analysis: Ability to delay Microsoft DCOM hardening patch ends as of March 2023

The mandatory Microsoft DCOM hardening patch, “one of the best changes Microsoft has made for DCOM,” affects only a small percentage, but still a large number, of applications. There’s no postponing the patch as of March. Be aware of the impact and related misinformation.

By Randy Kondor January 7, 2023
Courtesy: OPC Training Institute


Learning Objectives

  • Microsoft DCOM patch impact on OPC, increased security level, myths.
  • Four solutions if unable to update to DCOM.
  • OPC Training Institute offers DCOM and OPC courses and services

Microsoft DCOM hardening patch insights

  • Microsoft is hardening DCOM, and that’s a good thing, but ability to postpone the patch ends as of March 2023.
  • A small percentage, but still a large number, of applications is affected. Know what’s required, the required action and the related myths, and heed the four solutions if unable or unwilling to update DCOM.
  • OPC Training Institute provides training, testing, verification services and programming consulting.

While the Microsoft mandatory distributed component object model (DCOM) hardening patch affects a small percentage (still a large number) of applications, the ability to postpone the patch ends in March. See the effects on OPC and four solutions if unable or unwilling to update DCOM below.

OPC Foundation is providing warnings so vendors, integrators, and end-users are aware of the upcoming potential problem. Since approximately 90% of OPC applications connect to local clients and servers, they will be unaffected. The remaining 10% have potential for problems. However, OPC Training Institute estimates only about 1 in 40 applications are affected. Therefore, we suspect only about 0.25% of all connections would be affected. While a small percentage, the number represents a large number of installations, perhaps a few thousand (one application could have multiple installations). On the bright side, most affected applications are customized installations or developed by small organizations with few sales.

The OPC Training Institute, separate from the OPC Foundation, provides in-depth training on OPC Classic and OPC UA along with full services for testing and verification for affected DCOM installations and programming consulting and/or services.

Microsoft DCOM patch impact on OPC

The DCOM hardening change affects some (not all) people who use OPC. Specifically, it will affect installations using:

  • OPC Classic (which is based on DCOM). It does not affect OPC UA (which does not use DCOM).

  • Connections over a network. It does not affect local connections.

  • Newer Microsoft Windows versions. It does not affect Microsoft Windows 7 and Microsoft Windows XP.

  • Applications forcing DCOM security to a low level. It does not affect applications using default settings.

Patch increases security level for Microsoft DCOM

Microsoft’s DCOM hardening forces all networked DCOM communication to have a high security level. In my opinion, this is one of the best changes Microsoft has made for DCOM. The change shows Microsoft still considers DCOM relevant, otherwise Microsoft would leave DCOM alone or remove it altogether. In addition, the change shows Microsoft is serious about security, otherwise the company would not go to this much trouble.

OPC Training Institute offers training and services related to OPC and DCOM, on topics including OPC and DCOM diagnostics, OPC security, OPC Unified Architecture (OPC UA) and advanced OPC projects. Learn more at https://www.opcti.com/OPC-course-abstracts.aspx. Courtesy: OPC Training Institute

Microsoft DCOM myths persist

Sadly, myths remain about DCOM going away. DCOM was released in 1996, and myths began as early as 1997. Yet Microsoft keeps supporting DCOM. DCOM is not going away, and even Microsoft Windows 11 uses a lot of DCOM technology. DCOM provides a high level of security and works well with firewalls, workgroups, domains, and access control lists. Those who take a bit of time to understand DCOM security are able to tame DCOM, while others keep complaining about the complexities.

Four solutions if unable or unwilling to update DCOM

For organizations unable or unwilling to update their software, OPC Training Institute recommends four possible solutions, in order of best to worst:

  1. Fix the cause of the problem programmatically. That is, programmers need to find the cause of the problem (the CoCreateInstanceEx call) and change the hard-coded security setting. This requires programmers to recompile their code. However, programmers using a third-party OPC component (DLL, LIB, OCX, etc.) will be unable to make the fix themselves.

  2. Use a tunnel, in either a half-tunnel or full-tunnel configuration.

  3. Temporarily disable the patch; however, this will only be effective until March 2023.

  4. Do nothing: Do not patch Microsoft Windows and work with an unpatched version of Windows.
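Before choosing among these four solutions (and to confirm whether an installation falls into the affected category described under “Microsoft DCOM patch impact on OPC” above), an administrator needs to know two things about each Windows host: whether the hardening is currently enforced or temporarily disabled, and which applications are still activating DCOM servers below the required authentication level. The PowerShell audit below is an added example written for this article; it is not code from the article or from OPC Training Institute. The registry value name and the DCOM event IDs it uses are not on this page; they are taken from Microsoft’s published guidance for this hardening, and the lookback window, function names and output format are the example’s own choices.

```powershell
# Added example (not from the article): audit a Windows host for the DCOM
# hardening state and for applications still activating DCOM servers at a
# low authentication level. Registry value name and event IDs come from
# Microsoft's published guidance for this hardening, not from the article.
# Run in an elevated session on the OPC server (for event 10036) and on each
# OPC client machine (for events 10037/10038).

$AppCompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$ValueName    = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # 1 = hardening enforced, 0 = temporarily disabled (the override the
    # article says stops being honoured as of March 2023), absent = the
    # default behaviour of whichever update level is installed.
    $props = Get-ItemProperty -Path $AppCompatKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) {
        return 'Default (no registry override set)'
    }
    switch ($props.$ValueName) {
        0       { return 'Hardening disabled by registry override' }
        1       { return 'Hardening enforced by registry override' }
        default { return "Unexpected value: $($props.$ValueName)" }
    }
}

function Get-DcomLowAuthEvents {
    param([int]$Days = 7)
    # 10036: this machine, acting as DCOM server, saw an activation request
    #        from a client below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
    # 10037: a client application on this machine requested activation with
    #        an explicitly set (too low) authentication level.
    # 10038: a client application on this machine used the default level and
    #        Windows had to raise it for the call.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # First line of the message names the application, PID,
                # CLSID and remote computer involved.
                Message = ($_.Message -split "`n")[0]
            }
        }
}

function Invoke-DcomHardeningAudit {
    param([int]$Days = 7)
    Write-Host "DCOM hardening state: $(Get-DcomHardeningState)"
    $events = @(Get-DcomLowAuthEvents -Days $Days)
    if ($events.Count -eq 0) {
        Write-Host "No DCOM activations below PKT_INTEGRITY logged in the last $Days days."
    } else {
        Write-Host "$($events.Count) DCOM activation(s) below PKT_INTEGRITY in the last $Days days:"
        $events | Group-Object EventId | ForEach-Object {
            Write-Host ("  Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count)
        }
        $events | Format-Table -AutoSize
    }
    return $events
}

# Usage: look back 30 days, which covers a typical monthly patch cycle.
$null = Invoke-DcomHardeningAudit -Days 30
```

A host that reports the override as disabled with no events is one that solution 3 is still protecting, and it will start failing when the override stops being honoured. A client machine that logs event 10037 has named the application that hard-codes the low level, which is the program solution 1 asks programmers to fix by raising the activation authentication level passed to CoCreateInstanceEx (the dwAuthnLevel in the COAUTHINFO supplied through COSERVERINFO) to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher; if that application is a third-party OPC component, the event gives the vendor name to contact, or the case for solution 2.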

Given a competent crew, most organizations will be able to patch as needed. Nevertheless, even if a repair is available, organizations may not be able to shut down systems to conduct the repair, so attention is required.

Randy Kondor, P.Eng., is chief technology officer, OPC Training Institute. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, mhoske@cfemedia.com.

KEYWORDS: Microsoft DCOM patch March 2023, OPC

CONSIDER THIS

Are you aware of current and upcoming Microsoft patches, and do you have a migration plan?

ONLINE

OPC Training Institute https://www.opcti.com/

Sister publication to Control Engineering, Industrial Cybersecurity Pulse, warned in a Dec. 21 article from Velta Technology, “The permanent Microsoft DCOM hardening patch could shut down your ICS.”

Information from Microsoft, searching for “mandatory DCOM patch March 2023”

Searching on the Microsoft site for “mandatory DCOM patch March 2023” brings up 120 results, including these top 5.

Patching of Operating Systems & Applications | Microsoft

Security Update Guide FAQs – microsoft.com

End of Support for Previous Versions of Windows | Microsoft

https://www.microsoft.com/en-us/windows/end-of-support?r=1

“After January 10, 2023, Microsoft will no longer provide security updates or technical support for Windows 8.1.”

The new commerce experience for CSP is here – microsoft.com

“Microsoft has postponed the phase 3 transition to start early 2023 due to more testing validation being required.”

Extended Security Updates for SQL Server and Windows Server 2008 and…
Author Bio: Randy Kondor, P.Eng., chief technology officer, OPC Training Institute, has been working with OPC and DCOM since approximately 1996. OPC Training Institute provides in-depth training on OPC Classic and OPC UA along with full services for testing and verification for affected DCOM installations and programming consulting and/or services.