
Windows DCOM Hardening And OPC Classic Applications

23.01.2023


Microsoft has identified a security issue in the DCOM protocol that OPC Classic is built on (tracked as CVE-2021-26414) and has been rolling out hardening changes in Windows updates in several phases. From March 14, 2023 the hardening is enforced on every updated Windows computer and can no longer be switched off, which may affect your OPC Classic applications.

The main hardening is applied to computers that run OPC Classic Servers. After the hardening, OPC Classic Client applications will not be able to connect to those servers over the network without additional measures.

I wrote a more technical article about the updates last year. Check it out, if you want to learn which applications are affected and how to update them, or how to update your own applications built with Prosys Sentrol.

Terminology

To keep the definitions clear I will use the following terms:

  • OPC Classic Server = the DCOM based OPC DA, AE or HDA server application that is running on Windows
  • OPC Classic Client = the DCOM based OPC DA, AE or HDA client application that is running on Windows
  • Server Computer = The computer on which the OPC Classic Server is running
  • Client Computer = The computer on which the OPC Classic Client is running

Also I will use the terms:

  • Unhardened = computer that has NOT been updated
  • Hardened = computer that has been updated

The updates have been rolled out over a migration period, but since that period ends on March 14, 2023, I will assume that the hardening is in effect on every updated computer.


Hardened Server Computer

The hardening applied to the Server Computer raises the Authentication Level required for DCOM activation requests from Connect to Packet Integrity. This prevents OPC Classic Clients from connecting unless they use Packet Integrity (or the stronger Packet Privacy).

Hardened Client Computer

The hardening makes the operating system raise the Authentication Level of non-anonymous DCOM activation requests to Packet Integrity, even if the application itself asks for Connect. Anonymous requests are left unchanged.

Alternative Strategies

With these definitions your alternatives to ensure that your connections will continue to run smoothly are:

#1 No updates - Unhardened Server

If you don’t update Windows on your Server Computer, the OPC connections are not affected. If you don’t apply the updates published after June 7, 2021, nothing changes at all. If you apply updates only up to March 13, 2023, you can still disable the hardening with the registry setting Microsoft documents for it. However, since this is a security improvement, you should not skip the updates because of this.

Unhardened Server

#2 Hardened Server - Updated OPC Classic Client

If only the Server Computer is updated, the OPC Classic Client will by default not be able to connect, since most OPC Classic Clients request the Connect Authentication Level.

Hardened Server

If the OPC Classic Client is updated to use the Packet Integrity Authentication Level, then it can connect again.

Hardened Server and Updated OPC Classic Client

Check with your vendor whether such an update is available.
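Before chasing vendor updates it helps to know which clients the hardened Server Computer is actually turning away. When a hardened computer refuses an activation request because the client used a level below Packet Integrity, Windows writes Event ID 10036 from the source Microsoft-Windows-DistributedCOM to the System log, naming the user and the client address. The script below is an added example written for this post, not code from the original article or from Prosys; it assumes the insertion-string order of that event follows its message text (domain, user, SID, address) and should be run in an elevated PowerShell on the Server Computer.

```powershell
# Added example (not from the original post): list OPC Classic clients that a
# hardened Server Computer rejected for using a DCOM authentication level below
# Packet Integrity. Windows logs each rejection as Event ID 10036 from the
# "Microsoft-Windows-DistributedCOM" provider in the System log.
# Assumption: the event's insertion strings are ordered domain, user, SID,
# client address, matching the order they appear in the event message.

function Get-RejectedDcomActivations {
    param(
        [int]$Days = 7    # how far back in the System log to look
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # No matching events is not an error for our purpose, so suppress it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($p[0].Value)\$($p[1].Value)"
                Sid     = $p[2].Value
                Address = $p[3].Value     # the Client Computer to fix or update
            }
        }
}

# Summarise which Client Computers (and which accounts) are being refused,
# most frequent first, so you know which OPC Classic Clients need the update.
Get-RejectedDcomActivations -Days 30 |
    Group-Object Address, User |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Each address in the output is a Client Computer that is either unhardened or running an OPC Classic Client that still asks for Connect; until the client is updated (strategy #2) or the Client Computer itself is hardened (strategy #3) it will keep appearing here.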

#3 Hardened Server & Client Computer

If you apply the latest Windows updates both to your Server Computer and to your Client Computer, the connections should keep working, since the client-side hardening raises the Authentication Level to Packet Integrity even if the applications themselves are not updated.

Hardened Server & Client

However, some functionality in the OPC Classic Client may no longer work properly. In particular, the OPC Enum service, which clients use to browse the list of OPC servers available on the Server Computer, may no longer be reachable, and if the client relies on it to locate the server, the connection may still fail.
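You can check on the Server Computer whether OPC Enum is installed, running, and which DCOM authentication level its application is configured with, which is the detail that decides whether a hardened computer will still serve remote browsing requests. This is an added example written for this post, not code from the original article or from the OPC Foundation; it assumes the service is registered under the name OpcEnum and that its DCOM application name starts with OpcEnum, which is how the OPC Core Components register it. It uses the Win32_DCOMApplication and Win32_DCOMApplicationSetting CIM classes that back the DCOM Config node in Component Services.

```powershell
# Added example (not from the original post): check the OPC Enum service and
# the DCOM authentication level of its application on the Server Computer.
# Assumptions: service name "OpcEnum", DCOM application name "OpcEnum*".
# Run elevated; Win32_DCOMApplicationSetting needs administrator rights.

# RPC_C_AUTHN_LEVEL_* constants, as Component Services names them.
$AuthLevelNames = @{
    0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}

function Get-DcomAppAuthLevel {
    param([Parameter(Mandatory)][string]$Name)   # wildcard on the DCOM application name
    Get-CimInstance -ClassName Win32_DCOMApplication |
        Where-Object { $_.Name -like $Name } |
        ForEach-Object {
            $setting = Get-CimInstance -ClassName Win32_DCOMApplicationSetting `
                -Filter "AppID='$($_.AppID)'"
            # An unset level comes back as $null, which [int] turns into 0 = 'Default'
            # (the machine-wide Default Authentication Level then applies).
            $level = [int]$setting.AuthenticationLevel
            [pscustomobject]@{
                Name                = $_.Name
                AppID               = $_.AppID
                AuthenticationLevel = $level
                AuthenticationName  = $AuthLevelNames[$level]
            }
        }
}

function Test-OpcEnum {
    $svc = Get-Service -Name OpcEnum -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed = $null -ne $svc
        Status    = if ($svc) { $svc.Status } else { 'not installed' }
        # An explicit level of 'None' or 'Connect' here means remote clients
        # browsing through OpcEnum will be refused by a hardened computer.
        Dcom      = Get-DcomAppAuthLevel -Name 'OpcEnum*'
    }
}

Test-OpcEnum | Format-List
```

If the service is missing or its level is below Packet Integrity, clients that depend on browsing will fail even though a direct connection by ProgID or CLSID to the OPC Classic Server itself may still work; the fix is an updated OPC Enum from the OPC Core Components or a client that does not need to browse.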

#4 Use OPC UA

Your best option, and the most future-proof one in any case, is to move from OPC Classic to OPC UA. You can then disable DCOM and be sure that DCOM issues will not affect you any more.

OPC UA Gateway

OPC UA is a full replacement for OPC Classic, and the best option is to update the OPC applications themselves to use OPC UA instead of OPC Classic. If that is not possible, you can use UaGateway to convert between OPC Classic and OPC UA. Run the gateway on both the Client Computer and the Server Computer: each OPC Classic application then talks only to the gateway on its own computer, all traffic between the computers is OPC UA, and you can disable DCOM over the network completely in the operating systems.

OPC UA Gateway

DCOM Configuration

You can configure the DCOM settings with dcomcnfg.exe, which opens the Component Services application. Locate My Computer in the tree view and open Properties from its context menu; the DCOM settings are on the Default Properties page. The Default Authentication Level set there applies to every DCOM server that does not set its own level (per-application levels are configured under the DCOM Config node). This setting will matter less in future, since hardened computers no longer accept anything below Packet Integrity anyway.
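The Default Properties page is a front end for a handful of registry values under HKLM\SOFTWARE\Microsoft\Ole, which is what you want to read or set when you have many Server Computers to check. The script below is an added example written for this post, not code from the original article or from Prosys. It reads the machine-wide default (LegacyAuthenticationLevel, absent meaning Connect), the DCOM on/off switch (EnableDCOM) used by strategy #4, and the hardening switch RequireIntegrityActivationAuthenticationLevel under the AppCompat subkey, whose name and meaning come from Microsoft's KB5004442 article rather than from this post; since March 14, 2023 Windows ignores that switch, so on a fully updated computer it only tells you what was configured during the migration period.

```powershell
# Added example (not from the original post): read and set the machine-wide
# DCOM defaults that dcomcnfg.exe edits on the "Default Properties" page.
# The AppCompat value name is taken from Microsoft's KB5004442; after
# March 14, 2023 it is ignored. Run in an elevated PowerShell.

$OleKey       = 'HKLM:\SOFTWARE\Microsoft\Ole'
$AppCompatKey = "$OleKey\AppCompat"

# RPC_C_AUTHN_LEVEL_* values as stored in LegacyAuthenticationLevel.
$AuthLevelNames = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}

function Get-DcomDefaults {
    $ole = Get-ItemProperty -Path $OleKey
    # When the value is absent, COM uses Connect (2), which is what dcomcnfg
    # shows on a freshly installed machine.
    $level = if ($null -ne $ole.LegacyAuthenticationLevel) {
        [int]$ole.LegacyAuthenticationLevel
    } else { 2 }
    $compat = Get-ItemProperty -Path $AppCompatKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableDCOM                 = $ole.EnableDCOM     # 'Y' or 'N'
        DefaultAuthenticationLevel = $level
        DefaultAuthenticationName  = $AuthLevelNames[$level]
        # 0 = hardening disabled, 1 = enabled, absent = OS default for that update.
        RequireIntegrityActivation = $compat.RequireIntegrityActivationAuthenticationLevel
    }
}

function Set-DcomDefaultAuthenticationLevel {
    param([Parameter(Mandatory)][ValidateSet(2, 5, 6)][int]$Level)
    # Weak: 2 (Connect). Compatible with hardened computers: 5 (Packet Integrity)
    # or 6 (Packet Privacy). Applies to DCOM servers without their own level.
    Set-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel -Value $Level -Type DWord
}

function Disable-DcomOverNetwork {
    # Same as unticking "Enable Distributed COM on this computer" in dcomcnfg.
    # Local COM activation keeps working, so a gateway on the same machine can
    # still talk to the local OPC Classic application (strategy #4).
    Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'N' -Type String
}

Get-DcomDefaults | Format-List
```

Raising the default to Packet Integrity on Client Computers that cannot be updated yet is the manual equivalent of what the client-side hardening does automatically, with the difference that it also covers anonymous connections, so test the OPC Classic Client afterwards; the change takes effect for newly started processes.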

DCOM Configuration

Jouni Aro

Chief Technology Officer

Email: jouni.aro@prosysopc.com

Expertise and responsibility areas: OPC & OPC UA product development, project work and customer support

Tags: OPC Classic, DCOM, Security
