On June 14th, 2022 Microsoft will release an update that will by default harden DCOM.
At that point there are two choices for WIN-911 V7 Lite/Basic/Pro users:
1. Upgrade to WIN-911 2021 which supports DCOM hardening.
2. Disable DCOM hardening as described in Microsoft’s Knowledge Base article KB5004442.
Please note that according to Microsoft’s timeline, on March 14th, 2023 the DCOM hardening change will be enabled permanently without any ability to disable it. At that time it will be required to upgrade WIN‑911.
WIN-911 V4 & WIN-911 2021 use newer technologies for internal communication, and our OPC DA client implementation has been tested to be compatible with the hardening changes. You will need to check with your SCADA software manufacturer and apply their recommended updates.
| Constant | Description |
| --- | --- |
| RPC_C_AUTHN_LEVEL_NONE | No authentication |
| RPC_C_AUTHN_LEVEL_CONNECT | Authenticates only upon connection to the server |
| RPC_C_AUTHN_LEVEL_CALL | Authenticates each remote procedure call upon receipt of the request by the server |
| RPC_C_AUTHN_LEVEL_PKT | Authenticates each call and validates that message data is from the expected client |
| RPC_C_AUTHN_LEVEL_PKT_INTEGRITY | Authenticates each call and checks that message data is from the expected client and unmodified |
| RPC_C_AUTHN_LEVEL_PKT_PRIVACY | Further ensures that message contents are readable only by the sender and receiver |
This June, Microsoft will push updates making the hardening behavior the new default and allowing opt-out instead (by setting the registry value to 0x00000000). While some software vendors or your internal IT team may need to disable the hardening this way to provide additional time to upgrade systems, this option is available for a limited time. You should certainly target upgrading incompatible systems as soon as possible to avoid software connectivity issues as the updates roll out.
Next March, Microsoft will force the hardening changes by removing the ability to opt out. At this point, DCOM communications will require authentication and packet integrity. Less secure communications will cease to function.
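To see where a host stands ahead of these deadlines, the read-only PowerShell check below is an added example (not from WIN-911 or this whitepaper): it reads the opt-out registry value and lists the DCOM hardening events Windows logs for connections below packet integrity. The key path, value name and event IDs are taken from Microsoft's KB5004442 rather than from this page, and the function names are hypothetical.

```powershell
# Added example: read-only audit of a host's DCOM hardening state.
# Key path, value name and event IDs are as documented in Microsoft KB5004442.
$key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name = 'RequireIntegrityActivationAuthenticationLevel'

# Hypothetical helper: interpret the opt-out registry value.
function Get-DcomHardeningState {
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return 'NotSet (the default of the installed update applies)'
    }
    switch ([int]$prop.$name) {
        0       { 'Disabled (opt-out; has no effect once hardening is permanent)' }
        1       { 'Enabled' }
        default { "Unexpected value: $($prop.$name)" }
    }
}

# Hypothetical helper: collect hardening events from the System log.
# 10036 is logged on the DCOM server and names the client that connected
# below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY; 10037 and 10038 are logged on the client.
function Get-DcomHardeningEvents {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

"Hardening registry state: $(Get-DcomHardeningState)"
$events = @(Get-DcomHardeningEvents -Days 30)
"Hardening-related DCOM events in the last 30 days: $($events.Count)"

# Count per event ID, then show the most recent few so the affected
# client or server application can be identified from the message text.
$events | Group-Object Id | Sort-Object Name |
    Format-Table @{n='EventId';e={$_.Name}}, Count -AutoSize
$events | Select-Object -First 5 | Format-List TimeCreated, Id, Message
```

Run it on both the OPC DA server and the client machines: any events returned point to software that still needs an update before the opt-out is removed.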
Conclusion
As industrial control systems and networks grow more complex, the risks of cybersecurity threats likewise increase. By forcing greater security for DCOM, Microsoft has helped protect software systems and reduced risks to industry and infrastructure. While the impact of the change is widespread, the staged application of the new hardening has given both software vendors and their users time to find solutions compatible with the changes ahead of the March 2023 deadline. With packet integrity enforced, DCOM will continue to provide secure communications for many years to come.