Microsoft DCOM Hardening: The Inside Story

Greg Lambert
March 16, 2023
4 minutes

Microsoft is making a big change today. To be more specific, Microsoft is making a big change mandatory today. The behaviour of DCOM, a core Windows component that thousands of third-party applications reference and rely on, changes with the March Patch Tuesday update, and the change may cause you (and/or your IT administrator) serious problems.

DCOM is an abbreviation of Distributed COM, or Distributed Component Object Model. Microsoft describes the COM model as:

“The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft’s OLE (compound documents), ActiveX (Internet-enabled components)”

The COM model was behind many of the innovations in Microsoft Word, Excel, and PowerPoint. It was also the root cause of many, many security vulnerabilities (think ActiveX). DCOM extended COM with remote procedure calls, effectively creating a client-server model within and across applications, and across machines. For an isolated (pre-internet) system this was incredibly powerful; for an always-on, connected system the same approach is risky.

With this month's Patch Tuesday update, Microsoft has enforced the final phase of a mandatory change, documented in KB5004442, to how DCOM authenticates activation requests within and across applications. Microsoft had identified a flaw (the DCOM server security feature bypass tracked as CVE-2021-26414, the vulnerability that KB5004442 addresses) which could lead to the following scenarios:

  • All networked devices under the same security authority could be exposed to unauthorized privilege.
  • A non-authorized actor could gain privileges to access and modify settings, files, and mostly non-sensitive resources.
  • The result could be loss of integrity or protection of networked devices and users’ files and settings.

Microsoft's fix raises the minimum authentication level a DCOM server accepts for activation requests to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (packet integrity), so that activation traffic is signed and cannot be tampered with in transit; clients that activate at a lower level are refused. Because that breaks clients which were never fixed, Microsoft rolled the hardening out in three phases on the following schedule:

  1. June 8, 2021 – Phase 1 Release – Hardening changes disabled by default but with the ability to enable them using a registry key.
  2. June 14, 2022 – Phase 2 Release – Hardening changes enabled by default but with the ability to disable them using a registry key.
  3. March 14, 2023 – Phase 3 Release – Hardening changes enabled by default with no ability to disable them.

Microsoft has helpfully added, “By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.”
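As an added example (not code from the original post or from Application Readiness), the following PowerShell inventories a Windows host for the hardening described above: it reads the phase 1/2 override value, collects the DCOM events Microsoft added to flag activations the hardening rejects or will reject, and lists AppIDs configured with an explicit authentication level below packet integrity. The registry value, event IDs and provider name are the ones Microsoft documents in KB5004442; the function and variable names are this example's own assumptions. Run it in an elevated session on the DCOM server and on suspect client machines.

```powershell
# Added example, not from the original post or from Application Readiness.
# Inventory what the DCOM hardening from KB5004442 is doing on this host.
# Registry value, event IDs and provider name are documented in KB5004442;
# function names are this example's own.

# 1. The override value from phases 1 and 2. Since the March 14, 2023 update
#    (phase 3) Windows ignores it, so it only tells you whether someone tried
#    to switch the hardening off earlier.
function Get-DcomHardeningOverride {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    $name = 'RequireIntegrityActivationAuthenticationLevel'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (hardening follows the OS default)' }
    switch ($item.$name) {
        0       { 'set to 0: hardening was disabled; ignored since phase 3' }
        1       { 'set to 1: hardening explicitly enabled' }
        default { "set to unexpected value $($item.$name)" }
    }
}

# 2. DCOM events Microsoft added for this hardening: 10036 on the server side
#    (an activation request was refused), 10037 and 10038 on the client side
#    (this machine asked a DCOM server for activation at an explicit / default
#    authentication level below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). This is the
#    quickest way to find the applications that still need fixing.
function Get-DcomHardeningEvents {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Side    = if ($e.Id -eq 10036) { 'server' } else { 'client' }
            Message = ($e.Message -replace '\s+', ' ')
        }
    }
}

# 3. AppIDs that pin an explicit DCOM authentication level below packet
#    integrity. The DWORD uses the RPC_C_AUTHN_LEVEL_* numbering:
#    1 none, 2 connect, 3 call, 4 packet, 5 packet integrity, 6 packet privacy.
#    These are candidates to review, not proof of breakage: a client that calls
#    CoInitializeSecurity with a higher level is unaffected by the AppID value.
function Get-LowAuthLevelDcomAppIds {
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props.AuthenticationLevel -and $props.AuthenticationLevel -lt 5) {
                [pscustomobject]@{
                    AppId               = $_.PSChildName
                    Name                = $props.'(default)'
                    AuthenticationLevel = $props.AuthenticationLevel
                }
            }
        }
}

"Override value: $(Get-DcomHardeningOverride)"
Get-DcomHardeningEvents -Days 30 | Format-Table -AutoSize -Wrap
Get-LowAuthLevelDcomAppIds     | Format-Table -AutoSize
```

Event 10036 on the server names the user and the address the refused activation came from; 10037 and 10038 on the client name the requesting application, its PID and the CLSID it tried to activate, which is exactly what you hand to the application owner or vendor. Because the override value is no longer honoured, the only real fix is for the client to activate at RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher.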

DCOM components are hard to manage correctly. As an application packaging specialist I have seen many applications that depend on DCOM but implement it poorly; for most of those implementations security was not a consideration. But security was not DCOM's only problem.

Compatibility, or suitability, was a major challenge (actually a deal breaker) for most application virtualization technologies when DCOM support is required. Microsoft platforms such as App-V, AppX and more recently MSIX do not support applications that depend on DCOM. Period.

Readiness developed a suite of automated/algorithmic checks to ensure "virtualization suitability" (compatibility with a specific platform), and that suite includes DCOM checks. One of the key benefits of the Readiness approach to assessments is that every package is run through every assessment on import. That means that even if you don't select a report, the assessment logic still runs and the results are available. This is very helpful when you run into a situation like this DCOM "discovery" challenge in your application portfolio. Rather than running a dedicated report, you can simply select our "Platform Slider" and choose a report:

[Screenshot: Platform Slider, virtualisation technology selection]

And choose one of the available checks:

[Screenshot: available checks]

We have run our DCOM analysis check against several application portfolios; the following common applications raised DCOM-related issues:

    • Adobe Acrobat Standard and Pro 9.3
    • Caradigm SSO
    • DST AWD Contact
    • Microsoft Publisher Pro 2013
    • Microsoft Visio Pro 2013
    • Microsoft Project Standard (2010, 2013)
    • Microsoft SQL Server 2008 Express
    • Philips IntelliSpace Portal
    • SAP Crystal Reports 2013
    • Sophos RemoteManagement 3.4.1
    • Visioneer OneTouch
    • Visual Cactus

Algorithmic assessments are an excellent planning tool: they are quick, proactive, and easily tuned. That said, there is nothing like a full test that includes install, application exercise and uninstall. This is where our X-Check technology really shines. Once the application has been loaded into Readiness, this full test is easily automated. Choose one or more builds (customer builds are fully supported) and Readiness automates the entire testing process for DCOM and all critical components of your application portfolio.

If you are unsure what these Patch Tuesday changes mean for your application portfolio, we can help with a rapid algorithmic assessment and detailed application runtime testing.

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.
