Managing Windows DCOM Hardening
Hardening changes to the DCOM server are required to address CVE-2021-26414. These changes affect client and server applications that use DCOM or RPC.
For more information about the timeline phases, see the Microsoft documentation: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
So that all OPC components can work both with and without the hardening changes enabled, the DCOM configuration of the environment and of the various Desigo CC OPC DA components must be carried out.
NOTE: These configuration changes must be applied only if the interaction between applications is to be carried out between remote machines.
For the communication between OPC DA components to be established, all the OPC components must be able to support the hardening changes in DCOM.
Therefore, this functionality must be enabled only after all the configuration changes required by Desigo CC as well as by the third-party OPC DA components have been made.
The configuration required by third-party OPC DA components will vary based on the OPC DA component in use. For instructions, see the documentation of your third-party OPC DA component.
Prerequisites
- You already carried out the configuration steps described in Establishing Reliable and Secure DCOM Communication.
Please be aware that the OPC DA discovery feature released with the current version of the Desigo CC software by default behaves as if the hardening changes were enabled. You can intentionally enable or disable the DCOM hardening according to your needs. See the instructions below.
Note that to guarantee the correct operation of the OPC DA discovery functionality, after the last Microsoft timeline, the registry key (RequireIntegrityActivationAuthenticationLevel) must be set to 1 or deleted.
To disable the hardening changes, modify the following registry key on all the machines:
- In the Windows search box on the taskbar, enter REGEDIT to open Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat.
- Do one of the following:
  - If the value is already present, select RequireIntegrityActivationAuthenticationLevel.
  - If the value is not already present, create it (right-click AppCompat and select DWORD (32-bit) Value) and then select RequireIntegrityActivationAuthenticationLevel.
- To modify the registry key value data, do the following:
  a. Right-click RequireIntegrityActivationAuthenticationLevel, select Modify.
  b. To disable hardening changes, enter Value Data = 0 in hexadecimal format.
- After setting this registry key, restart the device to apply changes.
Whether the hardening changes can still be disabled depends on the current Microsoft timeline phase.
For more information about the timeline phases, see the Microsoft documentation: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).
If the hardening changes are not yet enabled by default, you can enforce them manually.
For more information, see the Microsoft documentation: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).
1 – Modify the Registry Key
- In the Windows search box on the taskbar, enter REGEDIT to open Registry Editor.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat.
- Do one of the following:
  - If the value is already present, select RequireIntegrityActivationAuthenticationLevel.
  - If the value is not already present, create it (right-click AppCompat and select DWORD (32-bit) Value) and then select RequireIntegrityActivationAuthenticationLevel.
- To modify the registry key value data, do the following:
  a. Right-click RequireIntegrityActivationAuthenticationLevel, select Modify.
  b. To enable hardening changes, enter Value Data = 1 in hexadecimal format.
- After setting this registry key, restart the device to apply changes.
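The two Registry Editor procedures above (disabling with value data 0, enabling with value data 1) both act on the same DWORD value. The following PowerShell script is an added example written for this page, not Siemens or Microsoft code. It reads the current state of RequireIntegrityActivationAuthenticationLevel and sets it to 0, 1, or removes it so the Microsoft timeline default applies; run it from an elevated prompt, and remember that the change still needs a restart.

```powershell
# Added example (not Siemens documentation code): inspect and toggle the DCOM
# hardening value described in the procedures above. Run as Administrator.
$HardeningKey  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$HardeningName = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Returns a human-readable description of the current value.
    $props = Get-ItemProperty -Path $HardeningKey -Name $HardeningName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'Not set (Microsoft timeline default applies)' }
    switch ($props.$HardeningName) {
        0       { 'Disabled (0)' }
        1       { 'Enabled (1)' }
        default { "Unexpected value $($props.$HardeningName)" }
    }
}

function Set-DcomHardeningState {
    # Enable -> 1, Disable -> 0, Default -> delete the value (timeline default).
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable', 'Default')]
        [string]$Mode
    )
    if (-not (Test-Path $HardeningKey)) { New-Item -Path $HardeningKey -Force | Out-Null }
    switch ($Mode) {
        'Enable'  { Set-ItemProperty -Path $HardeningKey -Name $HardeningName -Value 1 -Type DWord }
        'Disable' { Set-ItemProperty -Path $HardeningKey -Name $HardeningName -Value 0 -Type DWord }
        'Default' { Remove-ItemProperty -Path $HardeningKey -Name $HardeningName -ErrorAction SilentlyContinue }
    }
    Write-Warning 'Restart the machine before the new setting takes effect.'
}

# Usage: report the state before and after enabling the hardening changes.
"Before: $(Get-DcomHardeningState)"
Set-DcomHardeningState -Mode Enable
"After:  $(Get-DcomHardeningState)"
```

Because the value must be identical on every machine that takes part in the OPC DA communication, running the same script on each host (or through your configuration management tooling) keeps the fleet consistent and makes the current state easy to audit.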
2 – Modify OPC DA Server DCOM Settings
- In the Windows search box on the taskbar, enter DCOMCNFG.
- The DCOM configuration process is initiated.
- In the Component Services window, navigate to Console Root > Component Services > Computers > My Computer > DCOM Config.
- In the list of objects in the right window pane, right-click Siemens.OPC.Server.DA and select Properties.
- In the OPC DA Server Properties dialog box, select the General tab.
- From the Default Authentication Level drop-down list, select Packet Integrity.
- Click Apply.
- Click OK.
3 – Set Windows Security Options
To allow the WinCC OA Opc driver to connect to the remote OPCEnum, the following additional DCOM configuration must be performed on the remote machine:
- In the Windows search box on the taskbar, enter Control Panel.
- Select Administrative Tools.
- Select Local Security Policy.
- Navigate to Security Settings > Local Policies > Security Options.
- In the right pane, right-click Network access: Let Everyone permissions apply to anonymous users, and select Properties.
- Choose the Enabled option.
- Click Apply.
- Click OK.
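Sections 2 and 3 are both configured through graphical tools, so it is useful to read the resulting settings back to confirm that the OPC DA server really runs at Packet Integrity and that the security option is set as intended. The script below is an added example for this page, not Siemens code. It assumes that the name shown in DCOM Config (Siemens.OPC.Server.DA) is the Name property of the Win32_DCOMApplication WMI class, that the per-application level DCOMCNFG writes is the AuthenticationLevel DWORD under HKLM\SOFTWARE\Classes\AppID\<AppID>, and that the "Network access: Let Everyone permissions apply to anonymous users" policy is stored as EveryoneIncludesAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example (not Siemens documentation code): read back the settings that
# sections 2 and 3 configure through DCOMCNFG and Local Security Policy.
$AuthLevelNames = @{
    0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
    4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy'
}

function Get-DcomAppAuthenticationLevel {
    # Looks up the AppID by its DCOM Config display name and reads the
    # per-application authentication level (assumption: stored under the
    # AppID key as the AuthenticationLevel DWORD).
    param([Parameter(Mandatory)][string]$DisplayName)
    $app = Get-CimInstance -ClassName Win32_DCOMApplication -Filter "Name = '$DisplayName'"
    if (-not $app) { throw "DCOM application '$DisplayName' not found on this machine" }
    $key   = "HKLM:\SOFTWARE\Classes\AppID\$($app.AppID)"
    $level = (Get-ItemProperty -Path $key -Name AuthenticationLevel -ErrorAction SilentlyContinue).AuthenticationLevel
    [pscustomobject]@{
        Application          = $DisplayName
        AppID                = $app.AppID
        Level                = $level
        LevelName            = if ($null -eq $level) { 'Not set (machine-wide default applies)' }
                               else { $AuthLevelNames[[int]$level] }
        # 5 = RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, the minimum the hardening requires.
        MeetsPacketIntegrity = ($null -ne $level -and [int]$level -ge 5)
    }
}

function Get-AnonymousEveryoneSetting {
    # Reads the security option from section 3 (assumption: Lsa\EveryoneIncludesAnonymous).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -ErrorAction SilentlyContinue).EveryoneIncludesAnonymous
    [pscustomobject]@{
        Policy  = 'Network access: Let Everyone permissions apply to anonymous users'
        Enabled = ($v -eq 1)
    }
}

# Usage: print both results as a small audit report.
Get-DcomAppAuthenticationLevel -DisplayName 'Siemens.OPC.Server.DA' | Format-List
Get-AnonymousEveryoneSetting | Format-List
```

The second check is reported explicitly because that policy widens what anonymous network connections can reach; keeping it visible in an audit helps limit it to the machines that actually host the remote OPCEnum the driver must reach.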
4 – Handle Authentication Issues
If the following error occurs in the System logs (Event Viewer – Windows Logs – System):
Event ID 10038: "Application C:\Siemens\WinCC_OA\....\WCCOAopc.exe with PID %1 is requesting to activate CLSID %2 on computer %3 with default activation authentication level at %4. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor."
(%1 – Application PID, %2 – CLSID of the COM class the application is requesting to activate, %3 – Computer Name, %4 – Value of Authentication Level)
You can do one of the following:
- Ignore the logged event until the last Microsoft timeline.
  For more information about the timeline phases, see the Microsoft documentation: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).
- Perform the following instruction steps to carry out the additional DCOM configuration required on the machine where Desigo CC is installed:
  - In the Windows search box on the taskbar, enter DCOMCNFG.
  - The DCOM configuration process is initiated.
  - In the Component Services window, navigate to Console Root > Component Services > Computers > My Computer.
  - Right-click My Computer and select Properties.
  - In the My Computer Properties dialog box, select the Default Properties tab.
  - From the Default Authentication Level drop-down list, select Packet Integrity.
  - Click Apply.
  - Click OK.
NOTE: Please be aware that if you modify the machine-wide DCOM settings, those changes affect all applications on the machine, not only the OPC DA components.
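Rather than waiting for Event ID 10038 to be noticed in Event Viewer, the entries can be collected and summarised so that each affected application and CLSID is listed once, together with the machine-wide default that the steps above raise. The script below is an added example for this page, not Siemens or Microsoft code. It assumes the events are written by the provider Microsoft-Windows-DistributedCOM, that the rendered message follows the wording quoted above, and that the machine-wide default set on the Default Properties tab is stored as the LegacyAuthenticationLevel DWORD under HKLM\SOFTWARE\Microsoft\Ole.

```powershell
# Added example (not Siemens documentation code): summarise DCOM Event ID 10038
# entries from the System log and show the machine-wide default level.
# The regex follows the message text quoted in section 4 (assumption).
$Pattern = 'Application (?<App>.+?) with PID (?<ProcessId>\d+) is requesting to activate CLSID (?<Clsid>\{[0-9A-Fa-f-]+\}) on computer (?<Computer>\S+) with default activation authentication level at (?<Level>\d+)'

function Get-DcomActivationWarnings {
    # Returns one object per parsed event; unparseable messages are skipped.
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10038 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match $Pattern) {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                Application   = $Matches.App
                ProcessId     = [int]$Matches.ProcessId
                Clsid         = $Matches.Clsid
                Computer      = $Matches.Computer
                Level         = [int]$Matches.Level
                RequiredLevel = 5   # RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
            }
        }
    }
}

function Get-MachineDefaultAuthenticationLevel {
    # Reads the Default Properties > Default Authentication Level value
    # (assumption: stored as Ole\LegacyAuthenticationLevel).
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    if ($null -eq $v) { return 'Not set' }
    return [int]$v
}

# Usage: one line per application/CLSID pair, so each vendor is contacted once,
# followed by the current machine-wide default.
Get-DcomActivationWarnings |
    Group-Object Application, Clsid |
    Select-Object Count, Name |
    Format-Table -AutoSize
"Machine-wide default authentication level: $(Get-MachineDefaultAuthenticationLevel) (5 = Packet Integrity)"
```

Running the summary before and after the machine-wide change shows whether the warnings stop, and the per-application grouping makes it clear when a third-party OPC DA component, rather than Desigo CC, is the one still activating below Packet Integrity.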