DCOM Hardening & Your Alternatives to Eliminate Security Risk & Stress

8 min read

Jun 16, 2022 2:00:00 PM

If you’re reading this post, you’ve almost certainly at least heard of DCOM. And, possibly, you’re one of many who have struggled over the years with the trials of configuring remote OPC Classic connections between machines where DCOM inevitably increased your time and difficulty for what should be a relatively painless task.

And with the latest Microsoft hardening for DCOM authentication, configuring DCOM for the many existing OPC Classic solutions out there isn’t getting any easier. This blog post discusses alternatives to DCOM that cover a range of use cases depending on what software you already have installed and your existing system architecture.

Like many of you, I've certainly had my share of interactions with troublesome DCOM issues over the many years that I’ve worked with OPC Classic clients and servers on different machines (local connections where the OPC Classic client and server are on the same machine are fortunately not affected). While DCOM is an integral part of many Microsoft components and remote OPC Classic clients and servers rely on it for remote connectivity and security, there have been several alternatives for years that many have already taken advantage of to ease the burden of dealing with DCOM.

And with the June 14, 2022 Microsoft updates, DCOM hardening becomes a reality that everyone still using OPC Classic clients and servers on different machines has to deal with. Yes, it’s technically possible to “turn off” this DCOM hardening with a Microsoft-sanctioned registry entry – but it’s merely a stop-gap until Microsoft permanently hardens DCOM next year (with no off button at that time).

So all users that still have OPC Classic software have to make a choice for how they will address DCOM hardening. Let’s discuss the options available to you (both with DCOM and those eliminating DCOM) so you can make an informed decision that best meets the needs of your system.

1. Disable DCOM Hardening Temporarily

Microsoft technically implemented DCOM hardening back in June 2021 – it’s simply been disabled by default this entire time. With Windows Updates starting June 14, 2022, Microsoft has turned that implementation on. Just not permanently – yet. Users who simply aren’t in a place to migrate to one of the following alternatives still have some time – until March 14, 2023 – before Microsoft makes these changes permanent.

Until such time, Microsoft (in KB5004442) has provided a registry change that will disable the hardening of DCOM to give users a little more time to make their decisions. However, it is highly recommended to make plans to update your systems sooner rather than later, since after March 2023 there won’t be an off switch.
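For anyone relying on that stop-gap, the practical question is which machines still have the override set and which remote OPC Classic connections would break once it stops working. The following PowerShell audit is an added example, not code from the original post or from Software Toolbox; it assumes the registry path, value name and System-log event IDs documented in KB5004442, and the function names are chosen for this example.

```powershell
# Added example (not from the original post): audit one Windows host for the
# KB5004442 DCOM hardening override and for the DCOM authentication-level events
# that KB5004442 documents for connections the hardening would block.
# Assumption: registry location, value name and event IDs are as documented in
# KB5004442; Get-DcomHardeningState / Get-DcomHardeningEvents are example names.

$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$RegValue = 'RequireIntegrityActivationAuthenticationLevel'
$EventIds = 10036, 10037, 10038   # server-side (10036) and client-side (10037/10038) DCOM events

function Get-DcomHardeningState {
    $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the Windows default applies (hardening enabled since June 14, 2022)
        return [pscustomobject]@{ Override = 'not set'; HardeningActive = $true }
    }
    $value = [int]$item.$RegValue
    return [pscustomobject]@{
        Override        = $value
        HardeningActive = ($value -ne 0)   # 0 = hardening disabled (stop-gap), 1 = enforced
    }
}

function Get-DcomHardeningEvents {
    param([int]$Days = 7)
    # Each hit names a client/server pair that needs fixing before the override goes away
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = $EventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-DcomHardeningState
Write-Host "DCOM hardening override: $($state.Override) (hardening active: $($state.HardeningActive))"
if (-not $state.HardeningActive) {
    Write-Warning 'Stop-gap override in use; it will no longer work after March 14, 2023.'
}
$events = @(Get-DcomHardeningEvents)
Write-Host "DCOM authentication-level events in the last 7 days: $($events.Count)"
$events | Format-Table -AutoSize
```

Run it elevated on each OPC Classic client and server machine; a non-zero event count with the override set tells you which connections still need one of the alternatives below.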

2. Reconfigure Your DCOM Authentication Settings


Since Microsoft's DCOM hardening is, technically, targeted at making your systems more secure, you may decide to update your DCOM Configuration settings on your client and server machines. Fair enough, but remember that DCOM is still DCOM – quirks between different operating systems, the difference between workgroups and domains and even the differences between implementations of different OPC Classic vendors contribute to DCOM configuration headaches.

Recognizing that DCOM is still a reality for many, our DCOM Hardening general FAQ provides answers to any questions this post doesn’t cover, including links to Software Toolbox solution specific FAQs and our DCOM tutorial.

Our recommendation, though, as it has been for many years, is to consider how much time, effort and stress your DCOM connections are causing – many times, the alternatives to DCOM can pay for themselves by eliminating that time, effort, and stress from your day-to-day activities, freeing you up to focus on other important tasks.


3. Move OPC Classic Clients and Servers to the Same Machine (Local Connections)

Another option is to remove DCOM from the equation by simply making all of your OPC Classic connections local. Many users already architect their OPC Classic systems with the client and server on the same box for precisely this reason – to remove DCOM headaches. And an added bonus is that local OPC Classic connections are faster than remote DCOM connections.

If your system architecture is such that it’s possible to move either the OPC Classic client to the server machine or vice versa, this can greatly simplify things for you going forward. Even when DCOM hardening is permanent in March 2023, if your connections are local, they won’t be affected since local connections don’t rely on DCOM.

We understand this may not be possible due to reasons outside of your control (maybe your OPC Classic server is on a specific machine because it requires network connectivity that isn’t available from the machine where the OPC Classic client is located, and it isn’t possible to move the OPC Classic client). For such situations, keep reading for alternatives that can still help you eliminate DCOM while maintaining secure and reliable remote connectivity between your OPC clients and servers.

4. Convert OPC Classic Connections to OPC UA for Remote Connections

Software Toolbox adopted OPC UA from its infancy and has a wide variety of OPC UA capable solutions including TOP Server for AVEVA, OmniServer, OPC Data Logger, SLIK-DA with UA, OPC Data Client and more (Click for a list of all Software Toolbox solutions supporting OPC UA). If you’re still not overly familiar with OPC UA, I always recommend having a look at our Exploring OPC UA blog series for a deep dive on OPC UA. You can also request your free copy of our Exploring OPC UA Security Concepts E-Book for OPC UA and cybersecurity topics relevant for any industrial control system.

Suffice it to say, one of the key principles leading to the creation of OPC UA was having an OPC standard that was independent of Microsoft technology (i.e. COM and DCOM). Another goal was increased security (without relying on DCOM).

If your OPC Classic clients and OPC Classic servers both support OPC UA (if you’re using an OPC solution from Software Toolbox, there is a really good chance that it either already supports OPC UA or is easily convertible to OPC UA, and in most cases OPC UA will already come available with your existing Software Toolbox license), some configuration changes may be all you need to switch to OPC UA natively between your clients and servers.

And, if you cannot change both of your OPC Classic client and server applications to directly use OPC UA (maybe only one supports OPC UA or neither do), you can still enable further future-proofing that eliminates the need for DCOM, using one of several solutions, depending on one of the following use cases:

  • Cogent DataHub® OPC Gateway - Since DataHub supports several variants of OPC (OPC UA, OPC Classic DA and OPC Classic A&E) for both client and server, DataHub can easily convert OPC DA servers into OPC UA servers or OPC DA clients into OPC UA clients (and the same with OPC A&E, since OPC UA Alarms & Conditions is also supported).
  • TOP Server OPC Client Suite - With its support of dynamic addressing (as opposed to configuring static tags), the OPC Client Suite is a good fit for situations where you are already using dynamic tags with TOP Server or OmniServer, which is common with AVEVA™ solutions such as InTouch, System Platform, or Historian. And with a native AVEVA/Wonderware SuiteLink interface, TOP Server can easily convert from OPC DA Classic and even OPC UA to native SuiteLink.

And each of these alternative solutions offers a fully functional free trial and getting started videos so you can pilot test implementations on your system and confirm the desired functionality in advance.

5. Use an OPC Classic Tunnel to Eliminate Remote OPC Classic Connections

Of course, if neither your OPC clients nor your OPC servers support OPC UA, there’s always secure tunneling, where tunneling software is placed on both the OPC Classic client and server machines, the OPC Classic connections are local, and the two tunneling nodes pass communications between machines via a secure tunnel. And secure tunneling is even more efficient from a bandwidth perspective than remote DCOM connections.

  • Cogent DataHub Secure Tunneling - DataHub has been replacing traditional DCOM connections in OPC DA client to DA server connections for years. With secure, encrypted, DMZ, Proxy-friendly tunneling that automatically recovers from network interruptions, DataHub Tunneling is more reliable and secure than remote DCOM connections can be (and you don’t have to configure DCOM to take advantage of those benefits).


And, again, DataHub is available as a fully functional free trial to test things out and get started.

6. Convert OPC Classic Data (and Other Data) to MQTT

And last, but certainly not least, you may want to consider a migration to MQTT for sharing data remotely. While still a relatively new technology, MQTT adoption is certainly growing. MQTT is a good way to move data from a variety of remote locations to a central location (which can be either cloud-based or premise-hosted) for access by other systems that support acting as an MQTT client. And MQTT doesn’t rely on DCOM, either.

While MQTT is a significant architectural shift from traditional OPC client/server systems, if your goal is gathering data from one or more OPC (and/or other) systems and sharing that data remotely, especially if remote is off-site, MQTT could be a good option. To that end, the Cogent DataHub Smart MQTT SparkplugB Client and MQTT SparkplugB Broker solutions provide secure and automatic conversion from OPC to MQTT, streamlining the process and making the complexities of MQTT transparent to you, the user. And with DataHub’s many other interfaces, you’re not limited to only sharing OPC data via MQTT.

In conclusion, while this post isn’t intended to be an end-all-be-all for DCOM hardening or alternatives, my goal and hope is to at least make you aware of the issue and what your options are (I’ve honestly never met a single person that had a particularly good DCOM experience), while providing exposure and access to more detailed resources based on your specific needs. I encourage you to explore our DCOM hardening FAQ, DCOM tutorial, and our focus page on resources for eliminating DCOM (including videos, other relevant blog posts and white papers).

Written by Kevin Rutherford

Software Toolbox Technical Blog
