
OPC Quick Client and DCOM Hardening (CVE-2021-26414, KB5004442)

This FAQ discusses how the OPC Quick Client, the OPC DA test client that installs with TOP Server, is affected by the changes described in Microsoft's KB5004442 advisory. Those changes have been rolled out in Windows Updates to affected operating systems since June 8, 2021 to address the DCOM vulnerability described in CVE-2021-26414. Due to upcoming enforcement by Microsoft, users may need to take the actions described in this FAQ. This FAQ is a supplement to our overall detailed technical FAQ regarding DCOM Hardening, which contains information common to all products affected by DCOM hardening.

Specific Product Editions/Versions or Use Cases Affected and Not Affected

All versions of the OPC Quick Client that install with any version of TOP Server are affected in their OPC DA client interface if you connect to TOP Server or other OPC DA servers over a network. Many users will NOT be affected, as described below.
Affected:
  • YOU MUST review this FAQ and determine what actions to take if you are using the OPC Quick Client to connect to TOP Server (or other OPC DA servers) on a different computer than the OPC Quick Client, which means DCOM is being used.
Not Affected:
  • If you only ever use OPC Quick Client to interact with TOP Server (or other OPC DA servers) on the SAME COMPUTER as the OPC DA server (i.e. a local connection), this FAQ does NOT apply to your application. However, we still recommend reviewing it in case you introduce remote OPC DA Classic connections using the OPC Quick Client in the future.

General Relevant Product information

Is OPC UA available in this product as an alternative?  No, however most users only use the OPC Quick Client on the same computer as TOP Server, and thus are not affected. 
Operating System Support Details - OPC Quick Client is supported on the same operating systems as TOP Server - see the TOP Server OS Support Matrix
Respects Component Services Settings? Only when configured to. The setting is user configurable, and the default overrides Component Services. See product specific details in this FAQ.
Uses Hard-Coded CoInitializeSecurity Calls? Yes, by default. Unless the user has configured the product otherwise (see product specific details in this FAQ), the default setting of the OPC Quick Client causes it to use hard-coded, very open security settings, because it is a testing tool, not an operational tool, and the goal has always been to do everything possible to ensure OPC Quick Client can connect.
DCOM Hardening Specific Updates Relevant and Available? None required, however we always recommend running the most current version of the product (i.e. the latest version of TOP Server since OPC Quick Client installs with TOP Server) and reserve the right to limit support for non-current software.
Obtaining Current Product Versions - Users on active support & maintenance agreements are entitled to update at no additional cost. The current TOP Server version, including the latest version of OPC Quick Client, is available on the TOP Server website. Contact us with your TOP Server license details to check your support status and, if necessary, obtain a quote for reinstatement of support & maintenance.

Product Specific Settings Recommendations

OPC Quick Client provides a client level setting, "Use DCOM for remote security". The setting is accessible in the OPC Quick Client Options by selecting Tools ⇒ Options and is disabled by default. In the past, this setting could be left disabled so that OPC Quick Client would override the DCOM Configuration security settings with relaxed requirements when connecting to remote OPC servers.
This setting now MUST BE ENABLED so that the DCOM Authentication Level correctly configured in Component Services is applied to OPC Quick Client (see screenshot of the OPC Quick Client Options setting below). This is true for any remote OPC Quick Client operation. After making this change you must restart the OPC Quick Client.
If the DCOM hardening changes are enabled in addition to changing the OPC Quick Client setting below, you must also set the Default Authentication Level to Packet Integrity in Component Services->My Computer, as shown later in this FAQ. 
[Screenshot: OPC Quick Client Options dialog, "Use DCOM for remote security" setting]
 
After March 14, 2023, you will no longer be able to disable the changes described in the KB5004442 advisory with a registry entry, so by then you must have prepared any affected systems by adjusting each computer's global DCOM Authentication Level to the Packet Integrity option (per the screenshot below), migrating to OPC UA, or implementing another DCOM alternative. For general DCOM configuration recommendations beyond the required DCOM Authentication Level (which are beyond the scope of this FAQ), consult our DCOM Tutorial; HOWEVER, the recommendations found here regarding Authentication Level OVERRIDE/SUPERSEDE anything in our DCOM tutorial.
[Screenshot: Component Services -> My Computer -> Default Properties, Default Authentication Level set to Packet Integrity]

What About Other Vendors' OPC Classic Servers Being Used with OPC Quick Client?

As covered in our DCOM Hardening FAQ, every OPC Classic client and server application handles the DCOM Authentication Level in one of two ways. It can:
  1. Set DCOM security settings programmatically, or
  2. Allow their application to use settings in the Windows Component Services DCOM Config utility to determine the settings
Provided you have made the recommended change above, OPC Quick Client uses Method #2 for DCOM connections, which means OPC Quick Client itself requires no code updates or patches to address these DCOM changes. Out of the box, however, OPC Quick Client uses Method #1, so our recommended change is important. That said, OPC Quick Client is just one component of the client/server model in any of your systems that use it.
 
For your OPC DA Classic server applications being used with OPC Quick Client, you will need to consult with that server application vendor to confirm which method they are using for DCOM security settings.
For OPC DA Classic server vendors using Method #1, that vendor will have to provide either a version of their software that allows the DCOM Authentication Level to be configured in the software, or a version where the hard-coded DCOM Authentication Level is Packet Integrity.
For OPC Classic server vendors using Method #2 (as OPC Quick Client and TOP Server do), making the previously indicated adjustment of the computer's global DCOM Authentication Level to Packet Integrity should be all that is required (this change must be performed on both the OPC Classic client and server machines).
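The following PowerShell script is an added example (it is not Software Toolbox or Microsoft code) covering the Component Services change shown in the Product Specific Settings Recommendations section above and the requirement in the preceding paragraph that it be made on both machines. It reports, and with -Apply sets, the same machine-wide Default Authentication Level that the Component Services screenshot configures, shows whether the KB5004442 registry opt-out is present, and lists the DistributedCOM events Windows logs when an activation is rejected for an insufficient authentication level. Run it in an elevated PowerShell on both the OPC Quick Client machine and the OPC DA server machine. It assumes the registry locations Microsoft documents for these settings (LegacyAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole and RequireIntegrityActivationAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole\AppCompat), the event provider name Microsoft-Windows-DistributedCOM, and event IDs 10036 (server side, from KB5004442) and 10037/10038 (client side, added in later updates); confirm these against Microsoft's current advisory before relying on them.

```powershell
# Added example, not Software Toolbox or Microsoft code.
# Audits the machine-wide DCOM Default Authentication Level and, with -Apply,
# raises it to Packet Integrity (the value the Component Services dialog writes).
# Run elevated on BOTH the OPC Quick Client and the OPC DA server computers.
# Assumed registry locations (per Microsoft documentation):
#   HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel (DWORD, RPC_C_AUTHN_LEVEL_*)
#   HKLM\SOFTWARE\Microsoft\Ole\AppCompat\RequireIntegrityActivationAuthenticationLevel (DWORD)
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'

# RPC_C_AUTHN_LEVEL_* values behind the "Default Authentication Level" drop-down
$AuthLevelNames = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
    5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}
$PacketIntegrity = 5

# 1. Current machine-wide default. An absent value means the OS default of Connect (2),
#    which the hardening rejects for remote activations.
$current = (Get-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
if ($null -eq $current) { $current = 2 }
Write-Host ("Default Authentication Level: {0} ({1})" -f $current, $AuthLevelNames[[int]$current])

# 2. Hardening opt-out: 0 = disabled via registry (no longer honoured after the
#    March 14, 2023 enforcement), 1 or absent = hardening enforced.
$optOut = (Get-ItemProperty -Path $CompatKey -Name RequireIntegrityActivationAuthenticationLevel -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
if ($null -eq $optOut) {
    Write-Host 'RequireIntegrityActivationAuthenticationLevel: not set (hardening enforced by default)'
} else {
    Write-Host ("RequireIntegrityActivationAuthenticationLevel: {0}" -f $optOut)
}

# 3. Raise the default to Packet Integrity when it is below that level.
#    Packet Privacy (6) already satisfies the requirement and is left alone.
if ($current -lt $PacketIntegrity) {
    if ($Apply) {
        Set-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel -Value $PacketIntegrity -Type DWord
        Write-Host 'Default Authentication Level set to Packet Integrity; restart OPC Quick Client and the OPC DA server to pick it up.'
    } else {
        Write-Warning 'Default Authentication Level is below Packet Integrity; re-run with -Apply, or change it in Component Services -> My Computer -> Default Properties.'
    }
}

# 4. Evidence of rejected activations: DistributedCOM event 10036 is logged on the
#    server side (KB5004442); 10037/10038 are the client-side events added later.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host 'No DCOM hardening events (10036/10037/10038) found in the System log.'
}
```

The script changes only the machine-wide default. A per-application AuthenticationLevel under that application's AppID in the registry (the DCOM Config entry for the server) overrides the machine default for that application, and the OPC Quick Client "Use DCOM for remote security" option still has to be enabled in Tools ⇒ Options for the client to honour either; an event 10036 on the server machine after both changes points at a client still using its own hard-coded level (Method #1).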
 
If you're unsure which method your other OPC DA Classic server software vendors are using, ask them how they are addressing Microsoft's DCOM hardening changes as they apply to their OPC Classic solutions.

Considerations Regarding Alternatives to DCOM

DCOM has been a challenge for users making remote OPC Classic connections for many years, due to the subtle nuances of DCOM operation between different Windows operating systems and different network architectures. As such, there are several alternatives available for users that prefer to migrate away from DCOM entirely ahead of these DCOM hardening changes as a method for future-proofing remote connections from any further Microsoft changes to DCOM security.
  1. Simply migrate all OPC Classic client and server applications to reside on the same computer (resulting in local only OPC Classic connections that are not susceptible to DCOM security changes).
  2. Migrate from OPC Classic to OPC UA wherever possible for remote connections. TOP Server, for example, is also an OPC UA server - one of the key benefits of OPC UA is increased security without the pitfalls of DCOM for remote connections. While this won't address remote DCOM concerns for OPC Quick Client, there are OPC UA test client applications available (such as the UaExpert client from Unified Automation - free log-in required). To learn more about OPC UA, click here.
  3. If you have OPC UA servers, you could put the DataHub OPC Gateway (not free for non-trial use) on your client machine with OPC Quick Client. OPC Quick Client would connect to the gateway as a local OPC server, and the gateway then communicates via OPC UA with the OPC servers. We can add OPC A&C / OPC Classic A&E support to the Gateway. Contact us for details.
  4. You can also use OPC Quick Client with the DataHub OPC Tunneling solution, available as a free trial. 
Disclaimer: You are ultimately responsible to work with your IT/OT teams on handling the changes to your systems. Software Toolbox support cannot and will not make changes to customer systems for them. This information is provided for reference and is based on our best commercially reasonable efforts to gather, validate and aggregate this knowledge and is provided under and subject to our standard terms and conditions.