What are the hardening changes?

After hardening updates are applied, DCOM servers will enforce an authentication level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation. This means that authentication will take place with each remote procedure call and that the data transferred will be verified to be unmodified. This protects the communications against manipulation by man-in-the-middle (MITM) attacks. This authentication level ensures the integrity of the communications between client and server while stopping short of encrypting message contents, which is what the only higher authentication level (RPC_C_AUTHN_LEVEL_PKT_PRIVACY) adds. Effectively, remote procedure calls can no longer be made without authentication and packet integrity, as the lower authentication levels are deprecated.


The updates also add new error event logging to DCOM to help identify software that is incompatible with these hardening changes. Check the System log in Windows Event Viewer for the following new Event ID values: 10036, 10037, and 10038. These events are logged when clients attempt to call a service with an authentication level less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, and they indicate incompatibility with the new hardening.


https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c



What actions should I take?

The updates which rolled out in June of 2021 allow systems administrators and software developers to test the newly hardened environment by opting into the changes via a registry entry. Simply create a DWORD value named "RequireIntegrityActivationAuthenticationLevel" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat and set the value to 0x00000001 to enable the hardening changes or 0x00000000 to disable them. Doing so will allow identification of clients and servers in your environment which are incompatible with the hardening changes and must be upgraded, reconfigured, or replaced. Most major software vendors have released updates recently as a result of such testing.

This June, Microsoft will push updates making the hardening behavior the new default and allowing opt out instead (by setting the registry value to 0x00000000). While some software vendors or your internal IT team may need to disable the hardening this way to provide additional time to upgrade systems, this option is available for a limited time. You should certainly target upgrading incompatible systems as soon as possible to avoid software connectivity issues as the updates roll out.

Next March, Microsoft will force the hardening changes by removing the ability to opt out. At this point, DCOM communications will require authentication and packet integrity. Older, less secure communications will cease to function.
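The opt-in test described above and the event log check from the earlier section can be scripted together. The following PowerShell is an added example written for this article, not WIN-911's or Microsoft's own tooling; it assumes an elevated session on the Windows machine being tested, and the function names are ours.

```powershell
# Added example: toggle the DCOM hardening registry value and list the new
# DCOM incompatibility events (10036, 10037, 10038) from the System log.
# Run in an elevated PowerShell session on the client or server being checked.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$ValueName = 'RequireIntegrityActivationAuthenticationLevel'

function Set-DcomHardening {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Mode)
    # 1 = require PKT_INTEGRITY for activation, 0 = legacy behaviour (opt-out, time-limited)
    $data = if ($Mode -eq 'Enable') { 1 } else { 0 }
    # The AppCompat key may not exist yet on a fresh system, so create it first
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $data -Force | Out-Null
    # Return the value actually stored so the caller can confirm the change
    (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

function Get-DcomHardeningEvents {
    param([int]$Days = 7)
    # 10036 is raised on the DCOM server when it refuses an activation below
    # PKT_INTEGRITY; 10037 and 10038 are raised on the DCOM client for calls made
    # with an explicit (10037) or default (10038) level below PKT_INTEGRITY.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent throws when no matching events exist
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message |
        Sort-Object TimeCreated -Descending
}

# Opt in to the hardening, then review which clients and servers tripped it
Set-DcomHardening -Mode Enable
Get-DcomHardeningEvents -Days 7 | Format-Table -AutoSize -Wrap
```

The Message field of each event names the application, PID and CLSID involved, which is what you need to decide whether a product must be upgraded, reconfigured, or replaced.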



As for WIN-911 itself, we use newer technologies for all internal communications and our OPC DA client implementation has been tested to be compatible with the hardening changes. So as long as you update the SCADA side, WIN-911 will be good to go.