OPCNETApi and DCOM Hardening|Page 3|Classic OPC: DA, A&E, HDA, XML-DA, etc.|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
OPCNETApi and DCOM Hardening
Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
41
06/03/2022 - 00:07
sp_Permalink sp_Print

You must have got the assemblies from a source that is a corporate member. corporate members are allowed to distribute the binaries but only if they provide support to the people they provide the binaries to.

Avatar
MASSIMO LIGNANI
New Member
Members
Forum Posts: 2
Member Since:
08/22/2022
sp_UserOfflineSmall Offline
42
08/30/2022 - 02:14
sp_Permalink sp_Print

Hello, I have downloaded the 109 version.

I used the OPC DA sample Client to perform my DCOM testing.

In file …\NET API\Sample Client\Da\MainForm.cs Line 878 there is loop for connecting to the OPC Server :

m_server.Connect(…)

The first time we execute this function, the connection doesn’t work because we are not providing credentials explicitly.

So the  function “Allocate” from file …\NET API\COM Wrapper\OpcCom.Interop.cs doesn’t provide the pAuthInfo in the serverInfo structure:

Line 465 :

serverInfo.pAuthInfo = (credential != null) ? m_hAuthInfo.AddrOfPinnedObject() : IntPtr.Zero;

And so the RPC_C_AUTHN_LEVEL_PKT_INTEGRITY  level is not set !

I would suggest to always set the pAuthInfo info into serverInfo structure:

serverInfo.pAuthInfo = m_hAuthInfo.AddrOfPinnedObject()

If no explicit credentials are provided then process credentials (eg current windows user credentials) are used for DCOM.

Let me know if you agree on my proposal.

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
43
08/31/2022 - 08:43
sp_Permalink sp_Print

Sounds reasonable.

How much testing have you done?

Avatar
MASSIMO LIGNANI
New Member
Members
Forum Posts: 2
Member Since:
08/22/2022
sp_UserOfflineSmall Offline
44
09/01/2022 - 03:42
sp_Permalink sp_Print

I spent several days before understanding all of that.

I used 2 Virtual Machines to make DCOM testing, using Windows Event viewer, Wireshark to check which level of authentication was used for DCOM.

Then I modified the code like I explained in my previous post. And checked, using whireshark that the level of authentication was now at the right level (eg RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). 

For my testing I used Schneider Electric OPC DA server (eg OFS DA). Everything is working fine, DCOM connexion was established without providing explicit credentials on Windows 10 machine requesting DCOM RPC_C_AUTHN_LEVEL_PKT_INTEGRITY level.

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
45
09/01/2022 - 16:36
sp_Permalink sp_Print sp_EditHistory

It is not clear why you did not set the default for the process to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.

Passing in null allows the caller to control the security settings.

If it is always set then the caller can no longer control them. This means this could be a breaking change to other applications.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 17
Currently Browsing this Page:
2 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1444
Posts: 4887