DCOM Hardening
What is Happening
In response to CVE-2021-26414, Microsoft has released the KB5004442 patch. This patch affects Windows 8.1 and later and Windows Server 2012 R2 and later. The patch is being released in three phases.
Patch Release Phases
| Date | Effect |
|---|---|
| 8 June 2021 | Hardening changes disabled by default, with the ability to enable them using a registry key |
| 14 June 2022 | Hardening changes enabled by default, with the ability to disable them using a registry key |
| 14 March 2023 | Hardening enabled, with no ability to disable it |
Once the patch is installed, the changes listed above take effect on their corresponding dates. No new patches have to be installed for the changes to take place.
This patch automatically raises the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, regardless of what the application or DCOM configuration is set to, if the configured level is below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
How Does This Affect OPC-HDA Connections with Seeq?
The Seeq development team has investigated this patch and tested the OPC-HDA connector with DCOM hardening enabled. We have not identified any issues connecting to OPC-HDA servers with DCOM hardening enabled.
Additionally, we have confirmed that the connector uses the Windows-configured DCOM security authentication levels and does not attempt to lower them internally.
Recommendations Going Forward
Seeq has been able to test the OPC-HDA connector; however, this patch also affects the OPC-HDA server. Customers should contact their OPC-HDA server vendor to confirm that testing has been done to validate that DCOM hardening will not prevent connections from being accepted with the authentication level set at or above RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
How to Test the Effects of the Patch
This hardening only affects the remote agent's ability to connect. Once a connection has been established, there should be no other issues; indexing and data retrieval should operate just as they did before.
The final phase of the patch takes effect on 14 March 2023, so depending on the timeframe, you have a couple of options.
Prior to 14 March 2023
1. Test your DCOM connection on a Remote Agent with the patch installed.
2. Ensure you have a fully updated Windows installation on both your Remote Agent and your OPC-HDA server.
3. Check that the hardening is enabled by inspecting the registry key described in Microsoft's KB5004442 article on both the remote agent and your OPC-HDA server.
4. Configure an OPC-HDA connection as per the Configuration section of your datasource.
5. Ensure the remote agent can connect to your OPC-HDA server and that you see the green check mark in the datasource administration page.
After 14 March 2023
1. Test your DCOM connection on a Remote Agent with the patch installed.
2. Ensure you have a fully updated Windows installation on both your Remote Agent and your OPC-HDA server.
3. Configure an OPC-HDA connection as per the Configuration section of your datasource.
4. Ensure the remote agent can connect to your OPC-HDA server and that you see the green check mark in the datasource administration page.
Troubleshooting
As mentioned above, Seeq has not identified any impact from this patch on its OPC-HDA connection. However, if there is a connectivity issue, we suggest performing the following diagnostics.
Identify the Cause of the Error
Errors caused by DCOM hardening result in an Access Denied error (DCOM error 0x80070005). This error can be observed by running the Seeq-provided sample client as described in the Connectivity Verification section of your datasource. Note: Access Denied errors do not always mean that you are affected by the DCOM hardening patch. Possible causes are:
- DCOMCNFG permissions not configured
- Invalid user credentials
- DCOM hardening issues
Make sure the Seeq Agent is running under the same user that has access to the OPC-HDA server.
If you have confirmed that DCOMCNFG permissions are configured and the credentials are valid, test connecting with OPC Expert to ensure that you can connect to your datasource. If OPC Expert cannot connect to your datasource, you may have an OPC server that is affected by the DCOM hardening patch, and you should contact your server's vendor for assistance.
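The registry check from the testing steps above and the diagnostics in this section can be scripted. The following PowerShell is an added example, not Seeq's code: run on both the Remote Agent and the OPC-HDA server, it reports the hardening state for today's date, the machine-wide DCOM default authentication level, and any recent DistributedCOM hardening events. The registry value names and the event IDs (10036, 10037, 10038) are assumed to be those Microsoft documents for KB5004442, and the script assumes the patch is already installed.

```powershell
# Added example, not Seeq's code. Assumptions: the registry value names and the
# DistributedCOM event IDs are the ones Microsoft documents for KB5004442, and the
# patch is installed (without it, none of the phase logic below applies).
$today = Get-Date
$ole   = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (works on PowerShell 4 as well).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-HardeningState([datetime]$Date, $Override) {
    # Phase dates from the article; the override value only matters in phases 1 and 2.
    if ($Date -ge [datetime]'2023-03-14') { return 'enforced (phase 3, override ignored)' }
    if ($Override -eq 1) { return 'enabled (registry override)' }
    if ($Override -eq 0) { return 'disabled (registry override)' }
    if ($Date -ge [datetime]'2022-06-14') { return 'enabled (phase 2 default)' }
    return 'disabled (phase 1 default)'
}

# 1. KB5004442 override value: 1 = hardening on, 0 = off, absent = phase default by date.
$override = Get-RegValue "$ole\AppCompat" 'RequireIntegrityActivationAuthenticationLevel'
Write-Output "[$env:COMPUTERNAME] DCOM hardening: $(Get-HardeningState $today $override)"

# 2. Machine-wide default authentication level (DCOMCNFG > Default Properties). Hardening
#    raises anything below 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) to 5 for activation calls.
$names = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$level = Get-RegValue $ole 'LegacyAuthenticationLevel'
if ($null -eq $level) { $level = 2 }   # absent = OS default, shown as Connect in DCOMCNFG
$note = if ($level -lt 5) { 'below PKT_INTEGRITY, raised automatically while hardening is on' } else { 'at or above PKT_INTEGRITY' }
Write-Output "[$env:COMPUTERNAME] Default authentication level: $level ($($names[[int]$level])) - $note"

# 3. DistributedCOM events that record hardening decisions (System log, last 7 days).
#    10036: the server refused an activation below Packet Integrity (the client sees
#    0x80070005). 10037/10038: a local client asked for a lower level (explicit/default).
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'
             Id = 10036, 10037, 10038; StartTime = $today.AddDays(-7) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output "[$env:COMPUTERNAME] No DCOM hardening events in the last 7 days."
} else {
    $events | Group-Object Id | ForEach-Object { Write-Output ("  Event {0}: {1} occurrence(s)" -f $_.Name, $_.Count) }
    $first = ($events[0].Message -split "`r?`n")[0]   # newest event comes first
    Write-Output "  Most recent: $($events[0].TimeCreated) - $first"
}
```

A 10036 event on the OPC-HDA server that coincides with the 0x80070005 from the sample client is the strongest sign that the server, not DCOMCNFG permissions or credentials, is rejecting the hardened authentication level.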
Workarounds
Remote Agent Installed on the OPC-HDA server
If there is an issue with your OPC-HDA server's support for the new hardened DCOM settings, one option is to install the remote agent directly on your OPC-HDA server. In this mode, the connector uses COM rather than DCOM to communicate and is not affected by this patch.