
TOP Server / KEPServerEX and DCOM Hardening (CVE-2021-26414, KB5004442)

This FAQ discusses how TOP Server and KEPServerEX (see Note #1) are affected by the changes made by the Windows updates described in Microsoft's KB5004442 advisory. Microsoft has been rolling these updates out to affected operating systems since June 8, 2021 to address the DCOM vulnerability described in CVE-2021-26414. Due to upcoming enforcement actions by Microsoft, users may need to take the actions described in this FAQ. This FAQ is a supplement to our overall detailed technical FAQ on DCOM Hardening, which contains information common to all products affected by DCOM hardening.
 

 

Specific Product Editions/Versions or Use Cases Affected and Not Affected

 
All versions of TOP Server are affected on their OPC DA Server interfaces if you have OPC DA active and in use and you are connecting OPC clients over a network. Many users will NOT be affected, as described below.

Additionally, these specific interfaces/product suites may be affected:
Affected:
  • YOU MUST review this FAQ and determine what actions you choose to take if your OPC Classic DA or OPC A&E client application is connecting to TOP Server on a different computer than the client, which means DCOM is being used.
  • YOU MUST review this FAQ and determine what actions you choose to take if your TOP Server is using the OPC DA Client driver to connect to an OPC Classic DA server on a different computer than TOP Server, which means DCOM is being used.
Not Affected: 
  • If you are NOT using OPC Classic DA or OPC A&E client applications to connect to TOP Server, this FAQ does NOT apply to your application. OPC UA client connections are NOT affected.
  • If you are NOT using the TOP Server OPC DA Client driver to connect to OPC Classic DA servers, this FAQ does NOT apply to your application. The OPC UA Client and OPC XML-DA client drivers are not affected.
  • If your OPC Classic client or server always interacts with TOP Server only on the SAME COMPUTER as TOP Server (i.e. it's a local connection) this FAQ does NOT apply to your application. However, it is still recommended that you review this FAQ in the event you have to introduce remote OPC Classic connections with TOP Server in the future.

General Relevant Product information

 
Is OPC UA available in this product as an alternative?  Yes
Operating System Support Details - see the TOP Server OS Support Matrix
 
Respects Component Services Settings? Yes, but this is user configurable; see the product specific details in this FAQ.

Uses Hard-Coded CoInitializeSecurity Calls? No, unless the user has configured the product otherwise; see the product specific details in this FAQ.

DCOM Hardening Specific Updates Relevant and Available? None required; however, we always recommend running the most current version of the product and reserve the right to limit support for non-current software.

Obtaining Current Product Versions: Users on active support & maintenance agreements are entitled to update at no additional cost. The current version is available on the TOP Server website. Contact us with your license details to check your support status and, if necessary, obtain a quote for reinstatement of support & maintenance.
 

Product Specific Settings Recommendations

 
TOP Server provides an Admin level setting "Use DCOM configuration settings" (accessible through right-clicking on the TOP Server Admin system tray icon and selecting Settings) that, in the past, could be disabled to allow users to override the default DCOM Configuration security settings on the computer for easier setup.
 
This setting now MUST BE ENABLED (which it is by default) to allow the correctly configured DCOM Authentication Level to be applied to TOP Server. See the screenshot of the TOP Server Admin level setting below. This is true for any remote TOP Server OPC Classic operation, whether TOP Server is acting as the remote OPC Classic server or client. You can access these settings by right-clicking on the TOP Server icon in the Windows System Tray and choosing "Settings". After changing this setting, we recommend you Stop Runtime Service and then Start Runtime Service so the change takes effect on the TOP Server runtime. The "Reinitialize" choice on the system tray icon menu will NOT make your changes active.

[Screenshot: TOP Server Admin Setting for Using Default DCOM Settings]

Once you make this change, you can follow the recommendations for mitigation in our general DCOM Hardening FAQ, and TOP Server will respect those settings when they are applied properly.

Remember that if you make any changes to DCOM settings in Component Services on an OPC Classic client connected to TOP Server, you MUST restart the client application for it to pick up the changes on its system. If you are using the TOP Server OPC Client driver and you make changes on the OPC server side of the connection, the OPC server must also be restarted. This is the nature of DCOM settings: applications using DCOM read their security settings only once, at startup.

After March 14, 2023, because you will no longer be able to disable the KB5004442 changes with a registry entry, you must have prepared any affected systems requiring changes by adjusting your computers' global DCOM Authentication Level setting to use the Packet Integrity option (per the screenshot below), migrated to OPC UA, or implemented another DCOM alternative. For general DCOM configuration recommendations beyond the required DCOM Authentication Level (which are beyond the scope of this FAQ), consult our DCOM Tutorial; HOWEVER, the recommendations found here regarding Authentication Level OVERRIDE/SUPERSEDE anything in our DCOM tutorial.

[Screenshot: DCOM Hardening Required Authentication Level]
 
 
 

What About Other Vendors' OPC Classic Clients and Servers Being Used with TOP Server?

 
As covered in our DCOM Hardening FAQ, all OPC Classic client and server applications have two methods that may have been implemented with respect to handling DCOM Authentication Level. They can:
  1. Set DCOM security settings programmatically, or
  2. Allow their application to use settings in the Windows Component Services DCOM Config utility to determine the settings
TOP Server uses Method #2 for both client and server DCOM connections, which means TOP Server itself requires no updates or patches to its code to address these DCOM changes. That being said, TOP Server is just one component of the client/server model in any of your systems using TOP Server.
 
For your OPC Classic client applications connecting to TOP Server, as well as OPC Classic DA server applications that TOP Server connects to remotely via the OPC DA Client driver, you will need to consult with that client or server application vendor to confirm which method they use for DCOM security settings.
 
For OPC Classic Client or Server Vendors Using Method #1, that vendor will either have to provide a version of their software that allows the DCOM Authentication Level to be configured in the software or a version where the hard-coded DCOM Authentication Level is Packet Integrity level.
 
For OPC Classic Client or Server Vendors Using Method #2 (just like TOP Server), making the previously indicated adjustment of the computer's global DCOM Authentication Level to Packet Integrity should be all that is required (this change needs to be performed on both the OPC Classic client and server machines).
 
If you're unsure which method your other OPC Classic software vendors are using, ask them how they are addressing Microsoft's DCOM hardening changes as they apply to their OPC Classic solutions.
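To check the two things this FAQ asks you to verify, the computer's global Default Authentication Level and which remote OPC Classic applications are still negotiating below Packet Integrity, here is an added PowerShell audit script (example code, not Software Toolbox's or Microsoft's own). It assumes it is run from an elevated prompt on the TOP Server host or the OPC Classic client host; the registry value name and the event IDs are the ones Microsoft documents for Component Services and KB5004442, not values taken from this FAQ.

```powershell
# Added audit example (not Software Toolbox code). Assumes an elevated prompt.
# 1) Reads the machine-wide "Default Authentication Level" that Component
#    Services (My Computer > Default Properties) stores in the registry.
# 2) Lists recent DCOM hardening events so OPC Classic peers that still
#    negotiate below Packet Integrity can be identified and fixed.

$levelNames = @{
    1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}
$required = 5   # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, the level KB5004442 enforces

function Get-DcomDefaultAuthLevel {
    # LegacyAuthenticationLevel is the registry value behind the Component
    # Services "Default Authentication Level" drop-down (assumed Windows name).
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop
    if ($null -eq $ole.LegacyAuthenticationLevel) { return $null }
    return [int]$ole.LegacyAuthenticationLevel
}

$level = Get-DcomDefaultAuthLevel
if ($null -eq $level) {
    Write-Warning 'Default Authentication Level is not set explicitly; set it to Packet Integrity in Component Services.'
} elseif ($level -lt $required) {
    Write-Warning ('Default Authentication Level is {0} ({1}); DCOM hardening requires at least Packet Integrity.' -f $level, $levelNames[$level])
} else {
    Write-Output ('Default Authentication Level is {0} ({1}); meets the KB5004442 requirement.' -f $level, $levelNames[$level])
}

# System log events raised by hardened systems (IDs from KB5004442):
#   10036 - server side: a remote client activated below Packet Integrity
#   10037 - client side: the application explicitly requested a lower level
#           (the FAQ's Method #1; only a vendor update can fix it)
#   10038 - client side: the application used the machine default
#           (the FAQ's Method #2; fix by raising the Component Services level)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id = 10036, 10037, 10038; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No DCOM hardening events (10036/10037/10038) in the last 7 days.'
} else {
    # Each message names the application/PID or the remote user and address,
    # which tells you which peer still needs the vendor fix or the setting change.
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
}
```

Run it on both the client and the server machine, since the FAQ notes the Packet Integrity setting must be applied on both sides and each side logs its own events.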
 

Considerations Regarding Alternatives to DCOM

 
DCOM has been a challenge for users making remote OPC Classic connections for many years, due to the subtle nuances of DCOM operation between different Windows operating systems and different network architectures. As such, there are several alternatives available for users that prefer to migrate away from DCOM entirely ahead of these DCOM hardening changes as a method for future-proofing remote connections from any further Microsoft changes to DCOM security.
  1. Simply migrate all OPC Classic client and server applications to reside on the same computer (resulting in local only OPC Classic connections that are not susceptible to DCOM security changes).
  2. Migrate from OPC Classic to OPC UA wherever possible for remote connections. TOP Server is an OPC UA server natively, all you have to do is enable the interface.  TOP Server also supports acting as an OPC UA or DA client via the OPC Client Suite. One of the key benefits of OPC UA is increased security without the pitfalls of DCOM for remote connections. To learn more about OPC UA, click here.
  3. If you are unable to change your client application to not use OPC DA, yet TOP Server supports OPC UA, you could put the DataHub OPC Gateway on your client machine, so that your client talks to the gateway as a local OPC server, and the gateway then communicates via OPC UA to TOP Server. We can also add OPC UA A&C / OPC Classic A&E support to the Gateway if you are using TOP Server's OPC A&E capabilities. Contact us for details.
  4. TOP Server can also be used for tunneling via OPC UA, using the TOP Server OPC Client Suite, which is an OPC DA and UA client. You connect it to the target OPC server and then, using that instance of TOP Server, deliver the data to a remote TOP Server using OPC UA, which can then deliver the data via OPC DA, AVEVA SuiteLink, or OPC UA. There are many configurations possible, and this solution can work particularly well when you are using Dynamic Tags in TOP Server, as many AVEVA InTouch, System Platform, and Historian users do. Contact us for details.
  5. Lastly, you can use the DataHub Tunneler as a solution for eliminating DCOM. Contact us for details.

Notes

Note 1: Software Toolbox will only support KEPServerEX users that bought their product from Software Toolbox and are on an active support & maintenance agreement.

 
  

Disclaimer: You are ultimately responsible to work with your IT/OT teams on handling the changes to your systems. Software Toolbox support cannot and will not make changes to customer systems for them. This information is provided for reference and is based on our best commercially reasonable efforts to gather, validate and aggregate this knowledge and is provided under and subject to our standard terms and conditions.