WIN-911 Compatibility with MS DCOM Hardening (KB5004442)


On June 14, 2022, Microsoft will release an update that enables DCOM hardening by default.

At that point there are two choices for WIN-911 V7 Lite/Basic/Pro users:


1. Upgrade to WIN-911 2021 which supports DCOM hardening.
2. Disable DCOM hardening as described in Microsoft’s Knowledge Base article KB5004442.

Please note that according to Microsoft's timeline, on March 14, 2023 the DCOM hardening change will be enabled permanently, with no way to disable it. From that date, WIN-911 V7 users must upgrade WIN-911 to keep OPC connectivity.


WIN-911 V4 and WIN-911 2021 use newer technologies for internal communication, and our OPC DA client implementation has been tested to be compatible with the hardening changes. OPC DA itself runs over DCOM, so the OPC DA server side of the connection (your SCADA software) must be compatible as well: check with your SCADA software manufacturer and apply their recommended updates.


What are the hardening changes?

After the hardening updates are applied, DCOM servers enforce an authentication level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation requests. At this level every remote procedure call is authenticated and the data in every packet is checked to confirm it came from the expected client and was not modified in transit, which protects the communication against manipulation by a man-in-the-middle (MITM). Note what this level does not do: PKT_INTEGRITY does not encrypt message contents. Encryption is provided only by the one higher level, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, so an attacker on the network path can still read OPC data even though they can no longer alter it undetected. In effect, remote activation can no longer be performed without authentication and packet integrity; the lower authentication levels in the table below are no longer accepted.

Constant                          Description
RPC_C_AUTHN_LEVEL_NONE            No authentication.
RPC_C_AUTHN_LEVEL_CONNECT         Authenticates only when the client first connects to the server.
RPC_C_AUTHN_LEVEL_CALL            Authenticates each remote procedure call when the server receives the request.
RPC_C_AUTHN_LEVEL_PKT             Authenticates each call and verifies that every packet received is from the expected client.
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY   Authenticates each call and verifies that each packet is from the expected client and has not been modified.
RPC_C_AUTHN_LEVEL_PKT_PRIVACY     Additionally encrypts each packet so that message contents are readable only by the sender and receiver.

The updates also add new error event logging to DCOM to help identify software that is incompatible with the hardening changes. Check the System log in Windows Event Viewer for the new Event ID values 10036, 10037, and 10038. These events are logged when a client attempts to activate a DCOM server with an authentication level lower than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, and they indicate incompatibility with the new hardening. Per KB5004442, Event 10036 is written on the machine hosting the DCOM server that rejected the request (for a WIN-911 installation, typically the SCADA/OPC server host), while 10037 and 10038 are written on the client machine whose application made the request (10037 when the application set its authentication level explicitly, 10038 when it relied on the default). Look on both sides of each OPC connection.
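The following is an added example, not code from the WIN-911 page or from Microsoft. It pulls the three hardening events from the System log and turns each into a row that names the side (server or client), the application, the peer machine and the authentication level that was requested, so the list of things to fix can be handed to the right vendor. It assumes an elevated PowerShell session on a host with the June 2021 or later update; the regular expressions follow the event message wording documented in KB5004442, which is an assumption about text layout rather than an API contract, so fields that do not match are left empty rather than causing a failure.

```powershell
# Added example (not from the WIN-911 page or Microsoft): triage DCOM hardening
# events 10036/10037/10038 from the System log.
# Assumptions: elevated PowerShell; event message wording as documented in
# KB5004442 (regexes below are best-effort and leave fields blank on no match).

# RPC_C_AUTHN_LEVEL_* numeric values as they appear in the 10037/10038 messages.
$AuthLevelNames = @{
    1 = 'RPC_C_AUTHN_LEVEL_NONE'
    2 = 'RPC_C_AUTHN_LEVEL_CONNECT'
    3 = 'RPC_C_AUTHN_LEVEL_CALL'
    4 = 'RPC_C_AUTHN_LEVEL_PKT'
    5 = 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY'
    6 = 'RPC_C_AUTHN_LEVEL_PKT_PRIVACY'
}

function Get-DcomHardeningEvents {
    param(
        [int]$Days = 7,
        [string]$ComputerName = ''   # empty = local host; set to query a remote SCADA or WIN-911 host
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $extra = @{}
    if ($ComputerName) { $extra.ComputerName = $ComputerName }
    # Get-WinEvent raises an error when nothing matches; treat that as "no findings".
    $events = Get-WinEvent -FilterHashtable $filter @extra -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        if ($e.Id -eq 10036) {
            # Server side: the local DCOM server refused an activation below PKT_INTEGRITY.
            $peer = if ($msg -match 'from address (\S+)') { $Matches[1] } else { '' }
            $user = if ($msg -match 'allow the user (\S+) SID') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time           = $e.TimeCreated
                EventId        = $e.Id
                Side           = 'Server'
                Application    = ''
                Peer           = $peer
                User           = $user
                RequestedLevel = ''
                Action         = 'Update the client at Peer so it requests PKT_INTEGRITY or higher'
            }
        }
        else {
            # Client side: an application on this host requested activation of a remote
            # server at too low a level. 10037 = level set explicitly, 10038 = default level.
            $app   = if ($msg -match 'Application (.+?) with PID') { $Matches[1] } else { '' }
            $peer  = if ($msg -match 'on computer (\S+?) with') { $Matches[1] } else { '' }
            $level = if ($msg -match 'authentication level at (\d+)') { [int]$Matches[1] } else { 0 }
            $levelName = if ($AuthLevelNames.ContainsKey($level)) { $AuthLevelNames[$level] } else { 'unknown' }
            $action = if ($e.Id -eq 10037) { 'Vendor must raise the level the application sets' }
                      else { 'Vendor must set an explicit level; the default is too low' }
            [pscustomobject]@{
                Time           = $e.TimeCreated
                EventId        = $e.Id
                Side           = 'Client'
                Application    = $app
                Peer           = $peer
                User           = ''
                RequestedLevel = "$level ($levelName)"
                Action         = $action
            }
        }
    }
}

# One line per side/application/peer combination is what you take to the vendor.
Get-DcomHardeningEvents -Days 30 |
    Group-Object Side, Application, Peer |
    Select-Object Count, @{ n = 'Latest'; e = { ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time } }, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it on the WIN-911 host to see client-side events and on the SCADA/OPC server host to see server-side rejections; a pairing between an Application on one host and a Peer on the other is the same incompatible connection seen from both ends.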


What actions should I take?

The updates that rolled out in June 2021 allow systems administrators and software developers to test the hardened environment by opting into the changes via a registry entry. Create a DWORD value named "RequireIntegrityActivationAuthenticationLevel" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat and set it to 0x00000001 to enable the hardening changes or 0x00000000 to disable them. Enabling it ahead of the June 2022 update lets you identify the clients and servers in your environment that are incompatible with the hardening and must be upgraded, reconfigured, or replaced, while you can still switch it off if something breaks. Most major software vendors have released updates recently as a result of such testing.


This June, Microsoft will push updates that make the hardening behavior the new default and turn the same registry value into an opt-out (set it to 0x00000000 to disable the hardening). While some software vendors or your internal IT team may need to disable the hardening this way to gain additional time to upgrade systems, this option is available for a limited time only. You should target upgrading incompatible systems as soon as possible to avoid connectivity problems as the updates roll out.
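The opt-in/opt-out step above, as an added example that is not code from the WIN-911 page or from Microsoft. It reads the current state of the value, sets it with a readback check, and warns when hardening is being disabled, since that opt-out only exists until the March 2023 update. It assumes an elevated PowerShell session and uses the registry path and value name documented in KB5004442; the interpretation of a missing value ("default applies") follows the timeline described on this page.

```powershell
# Added example (not from the WIN-911 page or Microsoft): read and set the
# KB5004442 DCOM hardening opt-in/opt-out value with a readback check.
# Assumptions: elevated PowerShell; path and value name as given in KB5004442.

$DcomAppCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$DcomHardeningValue = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningSetting {
    # Returns 'Enabled', 'Disabled' or 'NotSet'. 'NotSet' means the platform
    # default applies: hardening off before the June 2022 update, on after it.
    # From March 2023 the value is ignored and hardening is always on.
    $item = Get-ItemProperty -Path $DcomAppCompatKey -Name $DcomHardeningValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    switch ($item.$DcomHardeningValue) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected value $($item.$DcomHardeningValue)" }
    }
}

function Set-DcomHardeningSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $data = if ($State -eq 'Enabled') { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$DcomAppCompatKey\$DcomHardeningValue", "set to $data")) {
        if (-not (Test-Path $DcomAppCompatKey)) {
            New-Item -Path $DcomAppCompatKey -Force | Out-Null
        }
        New-ItemProperty -Path $DcomAppCompatKey -Name $DcomHardeningValue `
            -PropertyType DWord -Value $data -Force | Out-Null
        if ($State -eq 'Disabled') {
            Write-Warning 'DCOM hardening disabled. This opt-out is removed by the March 2023 update; upgrade incompatible software before then.'
        }
    }
    # Read back so the caller sees what is actually in the registry.
    Get-DcomHardeningSetting
}

# Usage: show the current state, then preview an opt-in without changing anything.
Get-DcomHardeningSetting
Set-DcomHardeningSetting -State Enabled -WhatIf
```

Drop the -WhatIf to apply the change. Pair this with the event-log check in the previous section: enable the value, let the system run through a normal alarm cycle, then review the 10036/10037/10038 events before deciding whether you can leave it on.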


Next March, Microsoft will force the hardening changes by removing the ability to opt out. At this point, DCOM communications will require authentication and packet integrity. Less secure communications will cease to function. 


Conclusion


As industrial control systems and networks grow more complex, the risks from cybersecurity threats likewise increase. By requiring stronger security for DCOM, Microsoft has helped protect software systems and reduced risks to industry and infrastructure. While the impact of the change is widespread, the staged rollout of the hardening has given both software vendors and their users time to find compatible solutions ahead of the March 2023 deadline. With authentication and packet integrity enforced, DCOM communications are protected against tampering; where confidentiality of OPC data also matters, RPC_C_AUTHN_LEVEL_PKT_PRIVACY or a network-level control is still needed.