
OPC DCOM hardening: Microsoft security update

Microsoft DCOM Hardening

To address the security vulnerability CVE-2021-26414 (see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26414), Microsoft is hardening the Distributed Component Object Model (DCOM) on its Windows operating systems.

DCOM Hardening means that an authentication of level RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for access to OPC Servers will be enforced. This level authenticates credentials and verifies that no call data has been modified in transit. See https://docs.microsoft.com/en-us/windows/win32/rpc/authentication-level-constants for more information about authentication levels.

Currently, hardening is disabled by default but can be enabled via a DWORD registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel.

  • If this registry value does not exist, DCOM Hardening is disabled by default
  • If this registry value equals 0, DCOM Hardening is disabled
  • If this registry value equals 1, DCOM Hardening is enabled

For those with updated versions of one of the Windows operating systems listed at https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c, the hardening changes will be enabled by default on June 14 2022. This means that Microsoft will automatically generate this registry value on June 14 2022 and set its value to 1. As a result, users will begin to see unsecured connections to OPC Servers failing. This will ONLY happen if customers have not configured secure connections to their OPC Servers. These customers will have two options:

  1. Set the above DWORD registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel to 0 and reboot your PC. This will only be effective until 14 Mar 2023.
  2. Configure for secure connections to OPC Servers using DCOM Configuration (Start/Run/dcomcnfg)

Adroit strongly recommends that all customers review their DCOM Configuration settings for all their OPC Servers and set the authentication level to “Packet Integrity” as shown below for the Adroit OPC Server.

Once the setting is implemented, the OPC Server application needs to be restarted or your PC rebooted.
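
To audit a host against the settings described above, the following PowerShell script (an added example, not Adroit's or Microsoft's code) reports the state of the hardening registry value and lists DCOM applications whose configured authentication level is below Packet Integrity. The function names and the `*OPC*` name filter are assumptions for illustration; adjust the filter to match how your OPC Servers are named in dcomcnfg.

```powershell
# Added example. Function names and the '*OPC*' filter are hypothetical.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # A missing key or value is treated as described above: disabled by default.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not set (disabled by default)' }
    switch ([int]$item.$valueName) {
        0       { 'Disabled (0)' }
        1       { 'Enabled (1)' }
        default { "Unexpected value ($($item.$valueName))" }
    }
}

# Numeric levels as reported by Win32_DCOMApplicationSetting.AuthenticationLevel.
$levelNames = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}

function Get-DcomAppAuthLevel {
    param([string]$NameFilter = '*')
    Get-CimInstance -ClassName Win32_DCOMApplicationSetting |
        Where-Object { $_.Caption -like $NameFilter } |
        ForEach-Object {
            $level = $_.AuthenticationLevel
            [pscustomobject]@{
                Name  = $_.Caption
                AppID = $_.AppID
                # Null means the application inherits the machine-wide default,
                # which has to be checked separately in dcomcnfg.
                Level = if ($null -eq $level) { 'Default (inherited)' }
                        else { $levelNames[[int]$level] }
                BelowPacketIntegrity = ($null -ne $level -and $level -lt 5)
                NeedsReview          = ($null -eq $level -or $level -lt 5)
            }
        }
}

"DCOM hardening: $(Get-DcomHardeningState)"
Get-DcomAppAuthLevel -NameFilter '*OPC*' |
    Sort-Object Name |
    Format-Table Name, Level, BelowPacketIntegrity, NeedsReview -AutoSize
```

Rows with `NeedsReview` set to True are the OPC Servers to open in dcomcnfg and set to "Packet Integrity" before hardening is enforced.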

The above notice does not apply to OPC UA Servers.