Microsoft DCOM Patch: Q&A with Technical Specialist, Ryan Rice
- June 2, 2022
- Best Practices
- Automation
From understanding the impact of the Microsoft Distributed Component Object Model (DCOM) patch to minimizing its disruption within your systems and applications, Ryan Rice, Technical Specialist at Van Meter, answers all your questions and more.
Will all directly/indirectly impacted software packages receive patches?
No, only directly affected, active and managed software will need to be patched. Indirectly affected, active and managed will not be patched as they are dependent on other software for DCOM.
Can I test the effects of DCOM before the June 2022 patch?
Yes, with the Microsoft patch released on June 8th, 2021 you can use the same ‘Regedit’ or ‘Utility to Enable’ and see what might be effected.
How can I minimize the disruption caused by differences in DCOM authentication levels between patched and unpatched systems and/or applications?
Rockwell Automation has prepared a set of steps that can help minimize the impact of the patching process. Review the steps here.
Will this affect communications from my controller to HMI?
DCOM hardening does not affect Rockwell Controller to Rockwell HMI as these do not use DCOM, rather a CIP protocol.
Does the DCOM hardening only effect Rockwell Automation?
No, this is a Microsoft security patch that effects all software and platforms that use DCOM to communicate in a distributed platform.
How do I manage a system containing a mixture of supported and non-supported software versions, meaning some will be patched and some will not?
If you have a mixture of Rockwell Automation product(s) and version(s) that will and will not be patched, you can take action to ensure newer and patched versions can continue to interoperate with older and unpatched products.
It is important to note that in this situation you must also choose to air-gap your operating systems from Windows Cumulative Updates beginning in March 2023. Following deployment of the June 2022 Windows Cumulative Update, you must disable enforcement of Microsoft minimum DCOM authentication level using this method described by Microsoft, as well as Rockwell Automation.
As I consider the number of patches I must to apply to address Microsoft’s DCOM hardening changes, which do I patch first, the Windows operating system or Rockwell Automation software product(s)?
The patching order does not matter. Regardless of which you patch first, when patching a running system, it is very likely you will need to take specific action to disable Microsoft’s DCOM authentication level enforcement or lower the DCOM authentication level used by Rockwell Automation product.
More information is available in Microsoft’s Security Response Center and Rockwell’s Seismic page.
If you are not sure how this patch will affect you, let us help. Contact Ryan Rice, Brian Kroning or Chad Goetsch to learn more and set yourself up for success.
ARTICLE BY:
RYAN RICE
EMPLOYEE-OWNER,TECHNICAL SPECIALIST - AUTOMATION AND SOFTWARE