Microsoft has been releasing security patches for this code since June 2021, but always with the option to disable the authentication hardening features, which means that the many real-time data links out there that do not conform to the more secure authentication methods can continue to work.
That’s all changing in 2023: the phase 3 release (March 14, 2023) includes “hardening changes enabled by default with no ability to disable them”, which means that if you upgrade the Windows box hosting DCOM, the data links on that box may stop working!
Microsoft’s own blog summarises the entire DCOM hardening saga, but doesn’t explain how avoiding it can take months of work.
Case study
We have a 15-year track record of working with one supermajor and understand its systems and applications architectures well. The client had identified an emerging risk associated with a planned Microsoft upgrade relating to DCOM authentication hardening and asked Eigen to investigate.
The opportunity came part way through a complex process data historian technology migration project: the Eigen Support team enabled DCOM hardening to get a baseline of any issues. Eigen Support and the PI and automation teams in charge of OPC links then worked together to bring the DCOM settings on both sides of the link to match and re-establish working connections for 15 assets with 29 nodes x redundant interfaces, for a total of 65 real-time OPC connections.
It was not easy: the whole process took several months of testing, adjusting, and re-testing each link.
Having pre-empted the risk by intervening early, the client can take advantage of improved DCOM hardening and improved security, without incurring any downtime.
Final note
Microsoft obviously recommends testing for hardening compatibility before embarking on Windows upgrades. Authentication methods used by client applications may need to be upgraded and the entire system tested. DCOM hardening is a good thing: it will make your real-time data channels more secure, but it can also result in costly system downtime.
DCOM is a dependency in many data links out there. Before going ahead with Windows upgrades it’s worth checking and testing for compatibility to avoid any unpleasant surprises.