Info

The following information was provided by Kepware. Source: https://www.ptc.com/en/support/article/CS350729

Kepware.com Support Assistant

Request

Cannot find any info on Microsoft DCOM Hardening effects on Kepware and OPC DA. Are there patches or recommended mitigation?

Document - CS350729

"Unable to establish OPC DA communication after installing Microsoft DCOM Hardening patches (CVE-2021-26414) with PTC Kepware Products"

Description

  • Will Microsoft's phased rollout of tightened DCOM security impact KEPServerEX?

  • Effect of the Microsoft DCOM update on KEPServerEX communications

  • Will the DCOM updates impact OPC UA/DA connections or any other protocols?

Resolution

General Information:

OPC-DA clients and servers must use the same DCOM authentication level. Once the DCOM authentication level of the Kepware software is changed, the DCOM authentication level used by third-party clients and servers on remote workstations must be updated to match, or remote OPC-DA activation will fail.


Temporary Workaround:

  • Following application of Microsoft’s June 14, 2022 Windows cumulative update, customers may use the temporary workaround Microsoft describes in MS KB5004442 to disable the Microsoft DCOM Hardening patch (the RequireIntegrityActivationAuthenticationLevel DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat, set to 0).

  • Important: This mitigation can only be employed until Microsoft releases the final patch update to address CVE-2021-26414 on March 14, 2023. After deploying Microsoft’s final update on or after March 14, 2023, it will no longer be possible to disable Microsoft’s DCOM Hardening patch. After deploying Microsoft’s March 14, 2023 update, the only mitigation available is to reconfigure DCOM appropriately to establish communication to affected products.

  • For Classic OPC-DA communications, consider moving clients and servers onto the same workstation, or migrate the system to replace Classic OPC-DA with OPC UA.


Resolution:

  • Kepware products can be set to use the DCOM security level now required by Microsoft with the Windows DCOM configuration utility (DCOMCNFG.EXE). No Kepware patch is required.

    • The DCOM Authentication Level must be set to Packet Integrity (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) for both the Client and the Server. This is the minimum Microsoft enforces; the stricter Packet Privacy level also satisfies it, but anything lower (None, Connect, Call, Packet) will be rejected.

  • For Server applications this change is made at the Application level (DCOMCNFG > Component Services > DCOM Config > the application's Properties > General > Authentication Level)

  • For Client applications this change is made at the My Computer level (DCOMCNFG > Component Services > My Computer > Properties > Default Properties > Default Authentication Level)

  • Note: KEPServerEX may be the Client, the Server, or both, in which case both settings apply to the same host

  • In addition to DCOM configuration, the following product settings must be enabled:

    • KEPServerEX; ThingWorx Kepware Server; OPC Aggregator:

      • Settings>Runtime Options> Use DCOM configuration settings

    • OPC Quick Client:

      • Tools>Options>Use DCOM for remote security

    • LinkMaster:

      • Tools>Options>Runtime Options>Use DCOM configuration utility settings
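The DCOMCNFG steps above write plain registry values, so the state of a host can be audited (and the server-side change scripted) without clicking through the UI. The following PowerShell is an added example and is not part of PTC's article or Kepware's software: it reads the KB5004442 hardening switch, the My Computer default authentication level, the per-AppID level of any application matching a name or GUID pattern, and the DCOM events 10036/10037/10038 that Windows logs when a peer is still below Packet Integrity. The `*KEPServer*` AppID pattern in the usage section is an assumption; use the AppID GUID shown in DCOMCNFG for your installation. Run it in an elevated PowerShell on the OPC-DA server and on the client host.

```powershell
# Added example (not from PTC article CS350729). Audits the DCOM settings the
# article tells you to change and lists hardening-related DCOM events.
# Assumes: elevated PowerShell 5.1 or later on a Windows host running
# KEPServerEX and/or an OPC-DA client.

$AuthLevelNames = @{
    0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}
$PktIntegrity = 5   # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY: the minimum the hardening enforces

function Get-DcomHardeningState {
    # KB5004442 switch. 0 = hardening disabled (honoured only until the
    # March 14, 2023 update), 1 = enabled, absent = enforced on a patched host.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' `
        -Name RequireIntegrityActivationAuthenticationLevel -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not set (enforced on a fully patched host)' }
    if ($p.RequireIntegrityActivationAuthenticationLevel -eq 0) {
        return 'disabled via registry (temporary workaround; ignored after the March 14, 2023 update)'
    }
    return 'enabled'
}

function Get-DcomMachineAuthLevel {
    # "My Computer" > Default Properties > Default Authentication Level,
    # i.e. the client-side setting in the article. Absent value means Connect (2).
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' `
        -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue
    $level = if ($null -eq $p) { 2 } else { [int]$p.LegacyAuthenticationLevel }
    [pscustomobject]@{
        Scope = 'My Computer'; Level = $level; LevelName = $AuthLevelNames[$level]
        MeetsHardening = ($level -ge $PktIntegrity)
    }
}

function Get-DcomAppAuthLevel {
    # Per-application level written by DCOMCNFG > application Properties > General.
    # An AppID without its own AuthenticationLevel value inherits the machine default.
    param([Parameter(Mandatory)][string]$AppIdPattern)   # GUID or wildcard on the display name
    $machine = (Get-DcomMachineAuthLevel).Level
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $name  = $props.'(default)'
        if ($_.PSChildName -like $AppIdPattern -or ($name -and $name -like $AppIdPattern)) {
            $level = if ($null -ne $props.AuthenticationLevel) { [int]$props.AuthenticationLevel } else { $machine }
            [pscustomobject]@{
                AppId = $_.PSChildName; Name = $name; Level = $level
                LevelName = $AuthLevelNames[$level]; MeetsHardening = ($level -ge $PktIntegrity)
            }
        }
    }
}

function Set-DcomAppAuthLevel {
    # Registry equivalent of the server-side DCOMCNFG change. DCOM reads the value
    # at activation, so restart the server (the KEPServerEX runtime) afterwards.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$AppId, [int]$Level = 5)
    $path = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    if ($PSCmdlet.ShouldProcess($path, "Set AuthenticationLevel=$Level ($($AuthLevelNames[$Level]))")) {
        Set-ItemProperty -Path $path -Name AuthenticationLevel -Value $Level -Type DWord
    }
}

function Get-DcomHardeningEvents {
    # System log, source DistributedCOM: 10036 is raised on the server when it rejects
    # a client below Packet Integrity; 10037/10038 are raised on the client side and
    # name the application, CLSID, target computer and the level it tried to use.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10036, 10037, 10038
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# Usage: audit the host, then (after a -WhatIf dry run) raise the server AppID to Packet Integrity.
Get-DcomHardeningState
Get-DcomMachineAuthLevel
Get-DcomAppAuthLevel -AppIdPattern '*KEPServer*'   # assumed pattern; substitute your AppID GUID
Get-DcomHardeningEvents | Format-Table -Wrap
# Set-DcomAppAuthLevel -AppId '{your-appid-guid}' -Level $PktIntegrity -WhatIf
```

Run the audit on both ends of the link: a host whose MeetsHardening column is False, or whose event log shows 10037/10038 against the remote computer name, is the side that still needs the DCOMCNFG change. The article's product settings (Use DCOM configuration settings and the equivalents for OPC Quick Client and LinkMaster) are separate application options and are not covered by this script.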


Other resolution options:

  • Move OPC-DA clients and servers to the same workstation

  • Migrate the system to replace Classic OPC-DA with OPC UA