
Microsoft DCOM Hardening Changes Communication Impact on OPC DA Connection

Updated Oct 26, 2022

Reported In

Software

  • LabVIEW OPC UA Toolkit
  • OPC DA Connect

Issue Details

I am using the LabVIEW OPC UA Toolkit to create a Client VI that will communicate with an OPC DA server.
I would like to know if the recently announced hardening changes to Microsoft DCOM communication will have an effect on OPC DA/UA connections.

OPC-DA Clients and Servers must utilize the same DCOM authentication level. Once the Kepware software DCOM authentication level is changed, the DCOM authentication level used by third-party clients and servers on remote workstations must also be updated.

Solution

The Microsoft Windows cumulative updates will have no impact on OPC UA connections; the changes only affect OPC DA.
Please follow the steps below to reconfigure DCOM for the new requirements.
  • Kepware products can be set to use the newly required (by Microsoft) DCOM security with the Windows DCOM configuration utility (DCOMCNFG.EXE). No patch is required.
  1. The DCOM Authentication Level will need to be set to Packet Level Integrity for both the Client and the Server.
  2. For Server applications this change will need to be made at the Application level. [image]
  3. For Client applications this change will need to be made at the My Computer level. [image]
  • Note: KEPServerEX may be the Client, Server or both.
  • In addition to DCOM configuration, the following product settings must be enabled:
  1. KEPServerEX; ThingWorx Kepware Server; OPC Aggregator: Settings > Runtime Options > Use DCOM configuration settings
  2. OPC Quick Client: Tools > Options > Use DCOM for remote security
  3. LinkMaster: Tools > Options > Runtime Options > Use DCOM configuration utility settings

Other resolution options:
  • Move OPC-DA clients and servers to the same workstation
  • Migrate the system to replace Classic OPC-DA with OPC UA

Additional Information

Temporary Workaround:
  • Following application of Microsoft’s June 14, 2022 Windows cumulative update, customers may use the temporary workaround Microsoft describes in MS KB5004442 to disable the Microsoft DCOM Hardening patch.
  • Important: This mitigation can only be employed until Microsoft releases the final patch update to address CVE-2021-26414 on March 14, 2023. After deploying Microsoft’s final update on or after March 14, 2023, it will no longer be possible to disable Microsoft’s DCOM Hardening patch. After deploying Microsoft’s March 14, 2023 update, the only mitigation available is to reconfigure DCOM appropriately to establish communication to affected products.
  • For Classic OPC-DA communications consider moving clients and servers to operate on the same workstation or migrate the system to replace Classic OPC-DA with OPC UA.
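The following PowerShell audit script is an added example, not NI or Kepware code. It reads the DCOM authentication levels that the DCOMCNFG steps above set (machine default for clients, per-application for servers), reports whether the temporary KB5004442 workaround is still in place, and lists the DCOM hardening events that signal rejected or soon-to-be-rejected OPC DA activations. The registry locations, the value name RequireIntegrityActivationAuthenticationLevel and event IDs 10036/10037/10038 come from Microsoft's KB5004442 documentation rather than this page; the 'Kepware' application-name filter is an assumption you should replace with your own server's name.

```powershell
# DCOM hardening audit for an OPC DA client/server host (added example; run elevated).
# Registry paths and event IDs are those documented in Microsoft KB5004442, not this page.

# RPC_C_AUTHN_LEVEL_* values as stored by DCOMCNFG
$authLevelNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$required = 5   # Packet Integrity: the minimum the hardening enforces

function Get-DcomMachineAuthLevel {
    # "My Computer" default authentication level (the client-side setting in this article).
    # Absent value means the Windows default of Connect (2).
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($null -ne $ole.LegacyAuthenticationLevel) { return [int]$ole.LegacyAuthenticationLevel }
    return 2
}

function Get-DcomAppAuthLevel {
    param([Parameter(Mandatory)][string]$AppName)
    # Per-application level (the server-side setting in this article); absent means machine default.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).'(default)' -like "*$AppName*" } |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            $lvl = if ($null -ne $p.AuthenticationLevel) { [int]$p.AuthenticationLevel } else { 'machine default' }
            [pscustomobject]@{ AppID = $_.PSChildName; Name = $p.'(default)'; AuthenticationLevel = $lvl }
        }
}

function Test-DcomHardeningDisabled {
    # KB5004442 temporary workaround: RequireIntegrityActivationAuthenticationLevel = 0 turns enforcement off.
    $v = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat' -ErrorAction SilentlyContinue).RequireIntegrityActivationAuthenticationLevel
    return ($null -ne $v -and [int]$v -eq 0)
}

function Get-DcomHardeningEvents {
    param([int]$Hours = 24)
    # 10036: server rejected a client below Packet Integrity; 10037/10038: client-side warnings
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id = 10036, 10037, 10038; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$machine = Get-DcomMachineAuthLevel
"Machine default authentication level: $machine ($($authLevelNames[$machine]))"
if ($machine -lt $required) { "WARNING: below Packet Integrity; OPC DA clients on this host will be rejected by hardened servers" }
if (Test-DcomHardeningDisabled) { "WARNING: KB5004442 workaround is active; it stops working with the March 14, 2023 update" }
Get-DcomAppAuthLevel -AppName 'Kepware' | Format-Table -AutoSize   # replace 'Kepware' with your OPC DA server name
Get-DcomHardeningEvents | Format-Table -AutoSize -Wrap
```

Run it on both the client and the server workstation; a 10036 event on the server paired with a client machine level below 5 pinpoints which side still needs the DCOMCNFG change.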