ICONICS Response to Microsoft DCOM Hardening

Microsoft is hardening DCOM in response to a security vulnerability. Learn which situations will be affected and which situations may require configuration changes.

Press Release | Published: 3/29/2022
To address a security vulnerability (CVE-2021-26414), Microsoft is hardening the Distributed Component Model (DCOM) on its Windows operating systems. The next stage of the DCOM hardening will occur on June 14, 2022, where hardening changes will be enabled by default. Currently, hardening changes are disabled by default but can be enabled via registry key.

DCOM has traditionally been the communication method used to communicate with OPC Classic servers across the network. ICONICS software can leverage DCOM communication, but by default and by best practice, most ICONICS software (both 64-bit and 32-bit) uses GenBroker communication via TCP/IP to tunnel to remote OPC Classic servers. This means that most ICONICS applications will not be affected by this hardening of DCOM security.

The following situations will NOT be affected by DCOM hardening:
  • ICONICS client communicating with an OPC Classic server on the same machine.
  • ICONICS client communicating with an OPC Classic server on a remote machine when configured to use GenBroker and the “OPC over TCP/IP” or “OPC over SOAP/XML” channels.
  • ICONICS client communicating with an OPC UA server, database, BACnet device, SNMP device, or other devices.
The situations below are likely to be affected by the upcoming DCOM hardening and may require configuration changes:
  • ICONICS client communicating with an OPC Classic server on a remote machine when configured to use the “OPC Direct” channel.
  • ICONICS client communicating with an OPC Classic server on a remote machine when configured to use GenBroker and the “OPC over DCOM” channel.
  • Custom scripts (including scripts running inside ScriptWorX32, ScriptWorX2010, ScriptWorX64, GraphWorX32, or GraphWorX64) that use OPC Foundation libraries or other non-ICONICS libraries to communicate with an OPC Classic server on a remote machine.
  • Third-party client communicating with an ICONICS OPC Classic server on a remote machine without using a tunnel.
If your application contains one of the affected situations, ICONICS recommends implementing one or more of the following changes to prepare for DCOM hardening:
  • Install and run GenBroker Server on the machine with the remote OPC Classic server.
  • Use the GenBroker64 Settings in Workbench or the GenBroker Configurator to configure the “OPC over TCP/IP” channel for use with your remote OPC Classic server for ICONICS clients.
  • Modify custom scripts to use ICONICS libraries and functions (such as "g.OPC" in ScriptWorX2010 or ScriptWorX64) that can take advantage of GenBroker communication.
  • Upgrade OPC Classic servers to OPC UA servers, if the client supports it. (Note: ICONICS clients from the 32-bit generation, such as GENESIS32 and BizViz, do not support OPC UA.)
  • Use a tunneler for third-party OPC Classic clients.
  • (Not recommended) Disable the Microsoft advanced security measures with a registry key. Note, this solution will not function after March 14, 2023, and may leave your system open to a security breach via DCOM.
To account for the DCOM hardening, ICONICS will start labeling the “OPC Direct” and “OPC over DCOM” channels as “obsolete” in version 10.97.2 and discourage the use of these channels. These will be completely unavailable in future versions.

For more information about Microsoft’s DCOM hardening, see this Microsoft support article.

For additional questions about ICONICS’ response to DCOM hardening and configuration changes that may be required, contact your local technical support department.