Analysis: Ability to delay Microsoft DCOM hardening patch ends as of March 2023
The mandatory Microsoft DCOM hardening patch, “one of the best changes Microsoft has made for DCOM,” affects only a small percentage, but still a large number, of applications. There’s no postponing the patch as of March. Be aware of the impact and related misinformation.
- Microsoft DCOM patch impact on OPC, increased security level, myths.
- Four solutions if unable to update to DCOM.
- OPC Training Institute offers DCOM and OPC courses and services
Microsoft DCOM hardening patch insights
- Microsoft is hardening DCOM, and that’s a good thing, but ability to postpone the patch ends as of March 2023.
- A small percentage, but still a large number, of applications is affected. Know what is required, what action to take and the related myths, and heed the four solutions if unable or unwilling to update DCOM.
- OPC Training Institute provides training, testing, verification services and programming consulting.
While the Microsoft mandatory distributed component object model (DCOM) hardening patch affects a small percentage (still a large number) of applications, the ability to postpone the patch ends in March. See the effects on OPC and four solutions if unable or unwilling to update DCOM below.
OPC Foundation is providing warnings so vendors, integrators, and end-users are aware of the upcoming potential problem. Since approximately 90% of OPC applications connect to local clients and servers, they will be unaffected. The remaining 10% have potential for problems. However, OPC Training Institute estimates only about 1 in 40 applications are affected. Therefore, we suspect only about 0.25% of all connections would be affected. While a small percentage, the number represents a large number of installations, perhaps a few thousand (one application could have multiple installations). On the bright side, most affected applications are customized installations or developed by small organizations with few sales.
The OPC Training Institute, separate from the OPC Foundation, provides in-depth training on OPC Classic and OPC UA along with full services for testing and verification for affected DCOM installations and programming consulting and/or services.
Microsoft DCOM patch impact on OPC
The DCOM hardening change affects some (not all) people who use OPC. Specifically, it will affect installations using:
- OPC Classic (which is based on DCOM). It does not affect OPC UA (which does not use DCOM).
- Connections over a network. It does not affect local connections.
- Newer Microsoft Windows versions. It does not affect Microsoft Windows 7 and Microsoft Windows XP.
- Applications forcing DCOM security to a low level. It does not affect applications using default settings.
Patch increases security level for Microsoft DCOM
Microsoft’s DCOM hardening forces all networked DCOM communication to have a high security level. In my opinion, this is one of the best changes Microsoft has made for DCOM. The change shows Microsoft still considers DCOM relevant, otherwise Microsoft would leave DCOM alone or remove it altogether. In addition, the change shows Microsoft is serious about security, otherwise the company would not go to this much trouble.
Microsoft DCOM myths persist
Sadly, myths remain about DCOM going away. DCOM was released in 1996, and myths began as early as 1997. Yet Microsoft keeps supporting DCOM. DCOM is not going away, and even Microsoft Windows 11 uses a lot of DCOM technology. DCOM provides a high level of security and works well with firewalls, workgroups, domains, and access control lists. Those who take a bit of time to understand DCOM security are able to tame DCOM, while others keep complaining about the complexities.
Four solutions if unable or unwilling to update DCOM
For organizations unable or unwilling to update their software, OPC Training Institute recommends four possible solutions, in order of best to worst:
- Fix the cause of the problem programmatically. That is, programmers need to find the cause of the problem (the hard-coded security setting passed to CoCreateInstanceEx) and change it. This will require programmers to recompile their code. However, programmers using a third-party OPC component (DLL, LIB, OCX, etc.) will be unable to make the fix.
- Use a tunnel in either a half- or full-tunnel configuration.
- Temporarily disable the patch; however, this will only be effective until March 2023.
- Do nothing: Do not patch Microsoft Windows and work with an unpatched version of Windows.
Given a competent crew, most organizations will be able to patch as needed. Nevertheless, even if a repair is available, they may not be able to shut down systems to conduct the repair, so attention is required.
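The article lists which installations are affected and notes that the patch can be disabled only until March 2023. The following PowerShell audit is an added example, not code from the article or from OPC Training Institute; it assumes the semantics Microsoft documents for this hardening (KB5004442): the DWORD value RequireIntegrityActivationAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole controls enforcement, and System-log events 10036, 10037 and 10038 from the Microsoft-Windows-DistributedCOM provider record the networked activations that use a security level below the new minimum. It reads state only; it changes nothing.

```powershell
# Added example (not from the article). Reports whether DCOM hardening is
# explicitly toggled on this host and lists the recent events that identify
# applications still forcing a low DCOM security level over the network.
function Get-DcomHardeningState {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $name = 'RequireIntegrityActivationAuthenticationLevel'   # documented in KB5004442
    $val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    switch ($val) {
        0       { 'Hardening explicitly disabled (value 0); this override stops working with the March 2023 update' }
        1       { 'Hardening explicitly enabled (value 1)' }
        default { 'Value absent; the operating-system default applies' }
    }
}

function Get-DcomHardeningEvents {
    param([int]$Days = 30)   # look-back window; 30 days is an assumption
    # 10036: this host, as DCOM server, rejected a remote activation below PKT_INTEGRITY
    # 10037: a local client explicitly requested a level below PKT_INTEGRITY for a remote server
    # 10038: a local client relied on a default level below PKT_INTEGRITY for a remote server
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Role    = if ($_.Id -eq 10036) { 'Server' } else { 'Client' }
                # The message names the account, remote address or executable involved
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

Get-DcomHardeningState
Get-DcomHardeningEvents | Group-Object EventId | Select-Object Name, Count
Get-DcomHardeningEvents | Format-Table Time, EventId, Role, Message -Wrap
```

Run it on both ends of an OPC Classic connection: 10036 entries on the server side and 10037/10038 entries on the client side together point at the application whose hard-coded security setting needs fixing or tunnelling.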
Randy Kondor, P.Eng., is chief technology officer, OPC Training Institute. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media, firstname.lastname@example.org.
KEYWORDS: Microsoft DCOM patch March 2023, OPC
Are you aware of current and upcoming Microsoft patches, and do you have a migration plan?
OPC Training Institute https:/www.opcti.com/
Sister publication to Control Engineering, Industrial Cybersecurity Pulse, warned in a Dec. 21 article from Velta Technology, “The permanent Microsoft DCOM hardening patch could shut down your ICS.”
Information from Microsoft, searching for “mandatory DCOM patch March 2023”
Searching on the Microsoft site for “mandatory DCOM patch March 2023” brings up 120 results, including these top 5.
“After January 10, 2023, Microsoft will no longer provide security updates or technical support for Windows 8.1.”
“Microsoft has postponed the phase 3 transition to start early 2023 due to more testing validation being required.”