Microsoft DCOM update | Classic OPC: DA, A&E, HDA, XML-DA, etc. | Forum

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Microsoft DCOM update
Avatar
Randy Armstrong
Admin
Forum Posts: 1080
Member Since:
05/30/2017
sp_UserOnlineSmall Online
1
02/16/2022 - 08:15
sp_Permalink sp_Print sp_EditHistory

Microsoft DCOM update

MS has released a patch for DCOM that will impact all vendors selling OPC DCOM based products:

https://support.microsoft.com/.....ed901c769c

Key dates:

June 8, 2021 - Hardening changes disabled by default but with the ability to enable them using a registry key.

March 8, 2022 - Hardening changes enabled by default but with the ability to disable them using a registry key.

[Latest information from MS - Date has been revised to June 14,2022]

June 14, 2022 - Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

[latest Information from MS – date has Been revised to March 14,2023]

What it actually does:

 Requires Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.

Key point:

DCOM security will be enforced, so application that chose no security will no longer work.  (this problem can also apply to application that picked inappropriate security settings, or have a hardcoded security setting that does not match or exceed the required level)

 Effect on OPC Classic Clients :

Client permissions are set using a function called CoInitializeSecurity. This function can be called only once per instance; subsequent calls will not be executed and will return an error. If the OPC Classic client calls this function, the settings are based on the parameters included in the call. If the client does not call this function, the OS will call it on the application’s behalf based on the Default DCOM settings. Any client calling this function may require changes to its source code to set the required security object (Authentication Level) to the required value (Packet Integrity) (if this is not available as configuration input to the application). Clients that do not call CoInitializeSecurity apply the default configuration when they call the CoCreateInstanceEx, but the default level will be raised Packet Integrity.  The application cannot override this (i.e.  Applications which explicitly set the authentication level in their CoCreateInstanceEx call however must ensure that they either remove this setting or ensure that it is at least packet integrity as the setting in CoCreateInstanceEx will override.)

Effect on OPC Classic Servers :

Server applications may also call CoInitializeSecurity but most servers typically specify the permissions for establishing communication in the DCOMCNFG utility. Modifying the Custom permissions in DCOMCNFG  therefore determines the security settings to be used. As long as a server Uses the DCOMCNFG utility, any issues are more manageable.   Application setting will still need to be checked.

Other options:

Instead of updating a classic application – update it  to use OPC UA

Think about adding a proxy / wrapper to push an application toward OPC UA (proxy/Wrappers eliminate DCOM from a classic product – they use COM and then use OPC UA for the network communication.)

Avatar
Randy Armstrong
Admin
Forum Posts: 1080
Member Since:
05/30/2017
sp_UserOnlineSmall Online
2
02/18/2022 - 20:07
sp_Permalink sp_Print sp_EditHistory

Some sample code that could be helpful:

Code for case where not calling CoInitializeSecurity, but setting it in CoCreateInstanceEx:

If you have this type of code -  the strike through text needs to be replaced with the Blue highlighted line

COSERVERINFO* pcsi = NULL;
COSERVERINFO  csi;
COAUTHINFO authinfo;
memset(&csi, 0, sizeof(COSERVERINFO));
pcsi = &csi;  csi.dwReserved1 = 0;
csi.dwReserved2 = 0;
csi.pwszName = (LPWSTR)szHostName.c_str();
csi.pAuthInfo = &authinfo;
authinfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
authinfo.dwAuthzSvc = RPC_C_AUTHZ_NONE;
authinfo.pwszServerPrincName = NULL;
authinfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_CALL; 
authinfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_PKT_INTEGRITY;
authinfo.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
authinfo.pAuthIdentityData = NULL;
authinfo.dwCapabilities = EOAC_NONE;
csi.pwszName = (LPWSTR)szHostName.c_str();

DWORD dwCtx = CLSCTX_ALL;
MULTI_QI             xxx[1];
xxx[0].pIID = &IID_IUnknown;
xxx[0].pItf = NULL;
xx[0].hr = S_OK;

hr = CoCreateInstanceEx(clsid,    // classid
       NULL,  // aggregation
       dwCtx, // server Context
       pcsi,  // machine specific name
       1,            // number of interfaces
       xxx);       // array of interfaces


another option that would work is to replace all of the blue code with this line

csi.pAuthInfo = NULL;

Avatar
Krishna Mendu
New Member
Members
Forum Posts: 2
Member Since:
09/26/2019
sp_UserOfflineSmall Offline
3
06/01/2022 - 19:18
sp_Permalink sp_Print

What is the solution for Anonymous log in access from a DA Client to  a DA Server? 

The MS hardening patch install and activation on the Server station has no effect.

The patch does work for access using user name and password.

Avatar
Randy Armstrong
Admin
Forum Posts: 1080
Member Since:
05/30/2017
sp_UserOnlineSmall Online
4
06/02/2022 - 01:20
sp_Permalink sp_Print

Can you connect to OPCEnum?

Avatar
Krishna Mendu
New Member
Members
Forum Posts: 2
Member Since:
09/26/2019
sp_UserOfflineSmall Offline
5
06/14/2022 - 08:43
sp_Permalink sp_Print

With local OPCenum (on the same station as the Server) or remote OPCenum we see the same issue. Applying the MS hardening patch does not make a difference. We are able to connect and browse servers.  

Avatar
Randy Armstrong
Admin
Forum Posts: 1080
Member Since:
05/30/2017
sp_UserOnlineSmall Online
6
06/14/2022 - 13:50
sp_Permalink sp_Print sp_EditHistory

It is not clear what the issue is if you can connect.

OPCEnum disables all security so the changes to the configuration when security is used should not affect it.

That said, you should never run an actual DA Server in this mode because it is completely exposed to hackers on the network.

Forum Timezone: America/Phoenix
Most Users Ever Online: 202
Currently Online: Randy Armstrong
Guest(s) 23
Currently Browsing this Page:
2 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1137
Posts: 3706