The number, frequency, and potential negative impact of computer security threat events are increasing. Enterprises have had to respond to WannaCry, Curveball, Chrome zero-day exploits, and now a security feature bypass vulnerability in the Windows Distributed Component Object Model (DCOM) server. DCOM carries calls between software components running on networked devices, and the fix hardens its authentication: a hardened DCOM server rejects activation requests whose authentication level is below Packet Integrity. Because raising that bar breaks clients that still authenticate at a lower level, Microsoft is rolling the change out in three stages rather than all at once.
Timeline to Follow
DCOM authentication changes affect IT/OT data collection systems, and the timing matters: Microsoft is delivering the hardening in three stages, beginning in June 2021 and ending in March 2023. By the final stage every application that uses DCOM must work with the hardening enabled, or it stops communicating.
| Update release | Behavior change |
|---|---|
| June 8, 2021 | Hardening changes are disabled by default but can be enabled using a registry key. |
| June 14, 2022 | Hardening changes are enabled by default but can be disabled using a registry key. |
| March 14, 2023 | Hardening changes are enabled by default with no ability to disable them. |
Microsoft's published schedule is designed to give IT/OT teams enough time to find and fix compatibility problems in applications that use DCOM. However, the process can be time-consuming and should not be delayed.
If you have devices or applications that rely on DCOM but don’t support the hardening changes, they could stop working as early as June 14, 2022.
Being prepared means having the right expertise and tools to address existing and potential new threats.
The following playbook highlights the skills, expertise, and tools you'll need to develop and execute a plan to adopt the DCOM hardening changes on time.
DCOM Hardening Playbook
- Know the applications in your production environments and have vendor contacts for each (website, sales rep, support, etc.). Technical articles from vendors such as Rockwell, Aveva (Wonderware), and Honeywell can help.
- Know and coordinate with the internal owner of each application, whether they’re central, by site, etc.
Prepare for Remediation
- Create the registry value that controls whether the DCOM hardening is enabled or disabled (the key and value name are given in Microsoft's knowledge base article).
  - IMPORTANT: Do this before the June 2022 Microsoft security updates are deployed. From that update on, a host with no value set gets the hardening enabled by default.
  - Use Active Directory GPO or another system management tool (e.g., BigFix, Altiris) so the value is set consistently across hosts.
  - Set it to disabled only where an application needs it, and track those hosts. A computer restart is required for the change to take effect.
- For each application, determine if and how that application will be impacted.
- Determine the remediation plan for each impacted application. This may require a version upgrade before a patch is available (e.g., Rockwell).
- Have a plan to upgrade each application:
  - Identify developers, implementers, and validators.
  - Plan downtime.
  - Obtain or create documentation and procedures.
- Form a contingency plan to delay the deployment of the March 2023 updates if application updates are not available. Note that holding back that cumulative update also holds back every other fix it contains, so the contingency should include compensating controls for the affected hosts.
- Verify support status with application vendors and confirm eligibility to download updates when they become available.
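The registry steps above, as an added PowerShell example that is not from the original page or from Microsoft's article. The key path and value name are the ones Microsoft documents for this change; the function names are our own. It reads the current state, and sets it explicitly, so that a host is not silently switched to "enabled" by the June 2022 update because the value was never created:

```powershell
# Added example (not from the original page or Microsoft's article).
# Key path and value name are the ones documented by Microsoft for the DCOM
# hardening switch; the helper functions are our own.
# Run in an elevated session; a restart is required for a change to take effect.

$DcomKey   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$DcomValue = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Returns 'Enabled', 'Disabled', or 'NotSet'.
    # 'NotSet' means the OS default for the current phase applies: disabled before the
    # June 2022 updates, enabled from then on. That is the state you want to eliminate.
    $item = Get-ItemProperty -Path $DcomKey -Name $DcomValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.$DcomValue -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Set-DcomHardeningState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    if (-not (Test-Path $DcomKey)) { New-Item -Path $DcomKey -Force | Out-Null }
    $data = if ($State -eq 'Enabled') { 1 } else { 0 }
    # -Force overwrites an existing value; DWord matches the documented type.
    New-ItemProperty -Path $DcomKey -Name $DcomValue -PropertyType DWord -Value $data -Force | Out-Null
    Write-Warning "DCOM hardening set to $State. Restart the computer for it to take effect."
}

# Usage: record the current state, then explicitly disable on a host whose application
# vendor has not yet shipped a fix. Re-run with -State Enabled once the fix is validated.
"Before: $(Get-DcomHardeningState)"
Set-DcomHardeningState -State Disabled
"After:  $(Get-DcomHardeningState)"
```

On a fleet, deliver the same value through a Group Policy Preferences registry item or your management tool rather than by script; keep the script for test hosts and for auditing what a host actually has. Remember that "Disabled" stops working with the March 2023 updates regardless of what the value says.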
Assess and Test
The following steps are outlined in greater detail in Microsoft’s knowledge base article.
- Review the System event log for the new DCOM Event IDs (10036, 10037, 10038) to find applications whose activations are, or would be, rejected. Event 10036 is logged on the server side and names the calling user and client address; 10037 and 10038 are logged on the client side. The events appear only if:
  - The host is running one of the supported Windows operating systems.
  - The host has the 2021 updates installed.
- These Event IDs are logged regardless of the state of the registry value (non-existent, enabled, or disabled), so you can identify affected applications before turning the hardening on.
- Enable the DCOM hardening changes on test systems and observe the results. Repeat as necessary.
- Obtain and install application updates as needed.
- Ensure every application has a final disposition of “Not Affected” or “Ready.”
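The event log review above, as an added PowerShell example that is not from the original page. It pulls the three documented event IDs from the System log on one or more hosts and summarizes them per host and event ID, which is the list you map to application owners. The parameter names are our own; it assumes you have rights to read the remote System log:

```powershell
# Added example (not from the original page or Microsoft's article).
# Collects DCOM hardening events 10036 (server side) and 10037/10038 (client side)
# from the System log and summarizes them for triage. Parameter names are our own.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 30
)

$filter = @{
    LogName   = 'System'
    Id        = 10036, 10037, 10038
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = foreach ($cn in $ComputerName) {
    # Get-WinEvent reports "no events found" as an error; SilentlyContinue makes an
    # empty result a clean result. Connection failures are reported separately.
    if ($cn -ne $env:COMPUTERNAME -and -not (Test-Connection -ComputerName $cn -Count 1 -Quiet)) {
        Write-Warning "$cn is unreachable; skipping."
        continue
    }
    Get-WinEvent -ComputerName $cn -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Computer'; e = { $cn }},
                      TimeCreated,
                      Id,
                      @{n = 'Side'; e = { if ($_.Id -eq 10036) { 'Server' } else { 'Client' } }},
                      Message
}

# One row per host and event ID. The first line of a 10036 message carries the user
# and client address; the client-side messages identify the target server and class.
$summary = $events |
    Group-Object Computer, Id |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        $sample = $sorted | Select-Object -Last 1
        [pscustomobject]@{
            Computer = $sample.Computer
            EventId  = $sample.Id
            Side     = $sample.Side
            Count    = $_.Count
            LastSeen = $sample.TimeCreated
            Sample   = ($sample.Message -split "`r?`n")[0]
        }
    } | Sort-Object Computer, EventId

$summary | Format-Table -AutoSize
# Keep the raw events too; the full message text is what you send to the vendor.
$events | Export-Csv -Path ".\dcom-events-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it against a representative set of servers and OPC/HMI clients before and after you enable the hardening on test systems. An empty summary after hardening is on, with the affected applications still running, is the evidence behind a "Ready" disposition.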
Now is the time to prioritize planning for and handling these changes – don’t wait until you’re in crisis mode.
Interstates Can Help
Following this DCOM playbook with the clock ticking can be daunting, especially if you don't have the centralized management tools or resources to comb through event logs on all your Windows OS-based endpoints. Interstates can guide you through the process and offer expert advice when you run into issues. We can assist with protecting your OT devices by:
- Assessing and understanding DCOM impacts and any other new and existing threats
- Windows and non-Windows systems management and software deployment, including system and application inventory, configuration, and reporting
- Creating and executing incident response plans
- Patching and antivirus
- Event log collection
- Project planning
Where Can I Learn More?
Microsoft released this knowledge base article explaining how it plans to remediate the DCOM vulnerability. If you need help protecting your OT devices, Interstates can help. We have experts ready to incorporate DCOM hardening changes at your plants. If you have any questions, reach us at (712) 722-1662 or email us at firstname.lastname@example.org.