SLIK-DA OPC Server Toolkit and DCOM Hardening (CVE-2021-26414, KB5004442)
This FAQ discusses how the SLIK-DA OPC Server Toolkit is affected by the Windows updates described in Microsoft's KB5004442 advisory, which Microsoft has rolled out to affected operating systems since June 8, 2021 to address vulnerabilities in DCOM described in CVE-2021-26414. Due to upcoming enforcement actions by Microsoft, users may need to take the actions described in this FAQ. This FAQ supplements our overall detailed technical FAQ regarding DCOM Hardening, which contains information that is common to all products affected by DCOM hardening. You may also request our free detailed Remote OPC DA Classic (DCOM) Configuration Guide here with recommendations for DCOM setting configuration on OPC DA client and server machines where connections will be remote (client and server on separate machines).
Specific Product Editions/Versions or Use Cases Affected and Not Affected
All versions of SLIK-DA are affected, provided you are developing applications as OPC Classic DA Servers, and you are connecting OPC clients over a network (i.e. not on the same computer as your SLIK-DA application). Many users will NOT be affected, as described below.
Affected:
- YOU MUST review this FAQ and determine what actions you choose to take if your OPC DA Classic client application is connecting to a SLIK-DA OPC DA Server application on a different computer than the client, which means DCOM is being used.
Not Affected:
- If you are using OPC UA and NOT using OPC Classic DA client applications to connect to your SLIK-DA application, this FAQ does NOT apply to your application.
- If your OPC DA Classic client always interacts with your SLIK-DA OPC Server only on the SAME COMPUTER (i.e. it's a local connection) this FAQ does NOT apply to your application. However, it is still recommended that you review this FAQ in the event you have to introduce remote OPC DA Classic connections with SLIK-DA in the future.
General Relevant Product Information
Is OPC UA available in this product as an alternative? Yes
- OPC UA Server - yes, SLIK-DA has an optional OPC UA license that allows users to develop their OPC Server applications as OPC UA Servers. SLIK-DA has had this OPC UA functionality available since 2012 from version 5.0.0.3 forward. If you own a DA only license (serial number starting with 150) a paid upgrade will be required in order to use OPC UA. A guide on upgrading your SLIK-DA OPC DA Server to also be an OPC UA Server is available.
- OPC UA Client - not applicable to this product
Operating System Support Details - visit the SLIK-DA Specifications/System Requirements for supported operating systems
Respects Component Services Settings? Yes.
Uses Hard-Coded CoInitializeSecurity Calls? No.
DCOM Hardening Specific Updates Relevant and Available? None required, however we always recommend running the most current version of the product and reserve the right to limit support for non-current software.
Obtaining Current Product Versions - Users on active support & maintenance agreements are entitled to update at no additional cost. The current version is available on the SLIK-DA website. Contact us with your license details to check your support status and, if necessary, obtain a quote for reinstatement of support & maintenance.
Product Specific Settings Recommendations
Because the SLIK-DA/UA toolkit respects the Component Services DCOM Config settings, see our general DCOM hardening FAQ recommendations. You may also request our free detailed Remote OPC DA Classic (DCOM) Configuration Guide here with recommendations for DCOM setting configuration on OPC DA client and server machines where connections will be remote (client and server on separate machines).
Remember that if you make any changes to DCOM settings in Component Services, you MUST restart your OPC Server runtime for the product to know about the changes. If you make changes on the OPC client side, the OPC client must also be restarted. This is the nature of DCOM settings because applications using DCOM can only get their security settings one time at startup.
After March 14, 2023, because you will no longer be able to disable the changes described in the KB5004442 advisory with a registry entry, you must have prepared any affected systems requiring changes by adjusting your computers' global DCOM Authentication Level setting to use the Packet Integrity option (per the screenshot below), migrated to OPC UA, or implemented another DCOM alternative. For general DCOM configuration recommendations beyond the required DCOM Authentication Level (which is beyond the scope of this FAQ), consult our DCOM Tutorial; HOWEVER, the recommendations found here regarding Authentication Level OVERRIDE/SUPERSEDE anything in our DCOM tutorial.
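A read-only check of the settings discussed above, as an added example that is not part of the original FAQ or of any Software Toolbox tooling. The registry value names (LegacyAuthenticationLevel, RequireIntegrityActivationAuthenticationLevel), the AppID key location and the event IDs 10036 to 10038 are taken from Microsoft's DCOM documentation and KB5004442, not from this page; the variable and function names are illustrative.

```powershell
# Added audit example (read-only). Run in an elevated PowerShell session on both
# the OPC DA client and server machines. Registry names are from Microsoft's
# documentation and KB5004442, not from this FAQ.
$PktIntegrity = 5   # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
$levelNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
                 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Get-DwordOrNull([string]$Path, [string]$Name) {
    # Returns the registry value as an int, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $null }
}

# 1. Machine-wide default authentication level (Component Services > My Computer >
#    Default Properties). When the value is absent, Windows uses Connect (2).
$machineLevel = Get-DwordOrNull 'HKLM:\SOFTWARE\Microsoft\Ole' 'LegacyAuthenticationLevel'
if ($null -eq $machineLevel) { $machineLevel = 2 }

# 2. The temporary opt-out from KB5004442: 0 disables the hardening until
#    enforcement can no longer be turned off.
$optOut = Get-DwordOrNull 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' `
                          'RequireIntegrityActivationAuthenticationLevel'

# 3. Per-application overrides in DCOM Config that sit below Packet Integrity.
$weakApps = @(Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lvl = $_.GetValue('AuthenticationLevel')
        if ($null -ne $lvl -and [int]$lvl -lt $PktIntegrity) {
            [pscustomobject]@{ AppID = $_.PSChildName; Name = $_.GetValue('')
                               Level = $levelNames[[int]$lvl] }
        }
    })

# 4. DCOM hardening events: 10036 is logged on the server, 10037/10038 on the client.
$events = @(Get-WinEvent -MaxEvents 20 -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id = 10036, 10037, 10038 })

[pscustomobject]@{
    MachineAuthLevel         = $levelNames[$machineLevel]
    MachineLevelSufficient   = $machineLevel -ge $PktIntegrity
    HardeningOptOutPresent   = ($optOut -eq 0)
    AppsBelowPacketIntegrity = $weakApps.Count
    RecentHardeningEvents    = $events.Count
} | Format-List
$weakApps | Format-Table -AutoSize
$events | Select-Object TimeCreated, Id, Message | Format-List
```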

What About Other Vendors' OPC Classic Clients Being Used with SLIK-DA?
All OPC Classic client and server applications have two methods that may have been implemented with respect to handling DCOM Authentication Level. They can:
1. Set DCOM security settings programmatically, or
2. Allow their application to use settings in the Windows DCOM Config utility to determine the settings
SLIK-DA uses Method #2 for its OPC DA server interface authentication, which means SLIK-DA itself requires no updates or patches to its code to address these DCOM changes. That being said, SLIK-DA is just one component of the client/server model in any of your systems.
For your OPC DA Classic client applications connecting to a SLIK-DA OPC DA Server, you will need to consult with that client application vendor to confirm which method they are using for DCOM security settings.
For OPC DA Classic Client Vendors Using Method #1, that vendor will either have to provide a version of their software that allows the DCOM Authentication Level to be configured in the software or a version where the hard-coded DCOM Authentication Level is Packet Integrity level.
For OPC DA Classic Client Vendors Using Method #2 (as SLIK-DA does), making the previously indicated adjustment of the OPC DA Client computer's global DCOM Authentication Level to Packet Integrity should be all that is required (this change needs to be performed on both the OPC DA Classic client and server machines).
If you're unsure which method your other OPC DA Classic software vendors are using, ask them how they are addressing Microsoft's DCOM hardening changes as they apply to their OPC DA Classic solutions.
Considerations Regarding Alternatives to DCOM
DCOM has been a challenge for users making remote OPC Classic connections for many years, due to the subtle nuances of DCOM operation between different Windows operating systems and different network architectures. As such, there are several alternatives available for users who prefer to migrate away from DCOM entirely ahead of these DCOM hardening changes, as a way of future-proofing remote connections against any further Microsoft changes to DCOM security.
- Simply migrate all OPC DA Classic client and server applications to reside on the same computer (resulting in local only OPC DA Classic connections that are not susceptible to DCOM security changes).
- Migrate from OPC DA Classic to OPC UA wherever possible for remote connections. SLIK-DA can be used to develop OPC UA servers - one of the key benefits of OPC UA is increased security without the pitfalls of DCOM for remote connections. To learn more about OPC UA, click here.
- If you are unable to change your OPC DA client application to use OPC UA, you could put the DataHub OPC Gateway on your OPC DA client machine, so that your OPC DA client is talking to the gateway as a local OPC DA server, and then the gateway communicates via OPC UA to your SLIK-DA OPC DA Server. Contact us for details.
- Lastly, you can use the DataHub Tunneler as a solution for eliminating DCOM. Please note that a DataHub Tunneler would be required on the OPC DA client machine, as well as each OPC DA server machine that your SLIK-DA application is deployed to. Contact us for details.
Disclaimer: You are ultimately responsible to work with your IT/OT teams on handling the changes to your systems. Software Toolbox support cannot and will not make changes to customer systems for them. This information is provided for reference and is based on our best commercially reasonable efforts to gather, validate and aggregate this knowledge and is provided under and subject to our standard terms and conditions.