Why Are You Still Using DCOM?


On this page you will learn what DCOM is, what Microsoft's DCOM hardening rollout means for OPC Classic connections, why you need to migrate to modern technologies, how solutions like OPC UA and tunneling help, and where to find the Software Toolbox products, guides and latest versions that let you stop using DCOM.

What is DCOM & Why Change?

DCOM, or Distributed COM, is a Microsoft technology dating from the mid-1990s that enables Windows-based software applications to communicate with each other over a network. OPC Classic DA, HDA and A&E use DCOM to let OPC clients and servers on different machines talk to each other. OPC Classic clients and servers running on the same computer use local COM and do not depend on DCOM.

Microsoft still supports DCOM, but newer technologies have replaced it for this purpose, including OPC UA, secure tunneling, and IoT protocols such as MQTT. In response to CVE-2021-26414, a DCOM server security feature bypass, Microsoft has been hardening DCOM authentication through the KB5004442 update series. Those changes make it harder for OPC Classic clients and servers to interoperate reliably over a network and across different Windows versions. Misconfigured DCOM can cause other problems, as our technical blog posts about DCOM horror stories show. DCOM is not firewall friendly: it needs TCP port 135 for the RPC endpoint mapper plus a range of dynamically assigned ports, and it does not handle network interruptions and recovery gracefully. Modern cybersecurity risks demand that the technologies software uses to communicate over networks be modernized.

Impact of Microsoft DCOM Hardening

We cover this in more detail in our dedicated DCOM Hardening Technical FAQ, but the bottom line is: if you have OPC DA clients connected to OPC DA servers over a network, you are likely to be affected.

Microsoft began enforcing Packet Integrity (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) as the minimum authentication level for DCOM activation with the June 14, 2022 Windows updates, on Windows Server 2008 and later, Windows 10, and Windows 11; the enforcement code itself was installed by the KB5004442 update in June 2021 but was off by default. Until the March 14, 2023 updates you can disable the requirement with the RequireIntegrityActivationAuthenticationLevel registry value documented in KB5004442; after that the requirement is mandatory and the registry override is ignored.

If you are on older operating systems you may not be affected, but by running an unsupported OS and software your business is taking non-trivial cybersecurity risks. You must plan to update, switch to OPC UA, and/or use an OPC tunneling solution BEFORE March 14, 2023.
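Before choosing between OPC UA and tunneling you need to know where each machine stands with the hardening. The following PowerShell script is an added example, not code from Software Toolbox or Microsoft, that audits one Windows host: it reads the KB5004442 registry override, counts the DistributedCOM events (IDs 10036, 10037 and 10038, documented in that KB) that identify OPC clients and servers activating below Packet Integrity, and prints the dynamic RPC port range DCOM needs open through a firewall. The registry value name and event IDs are Microsoft's; the -Days parameter and the report layout are this example's own assumptions.

```powershell
# Added example (not code from Software Toolbox or Microsoft): audit a Windows host for
# DCOM hardening status before moving its OPC Classic connections to OPC UA or tunneling.
# The registry value and the 10036/10037/10038 event IDs are those documented in KB5004442;
# the -Days parameter and the report layout are this example's own choices.
[CmdletBinding()]
param(
    [int]$Days = 30    # how far back to look in the System event log
)

# 1. Registry override for the hardening (honoured only until the March 14, 2023 updates).
#    0 = hardening disabled, 1 = enabled, value absent = OS default (enabled since June 14, 2022).
$key   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name  = 'RequireIntegrityActivationAuthenticationLevel'
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$state = switch ($value) {
    0       { 'DISABLED via registry override (override is ignored after the March 14, 2023 updates)' }
    1       { 'ENABLED via registry override' }
    default { 'no override present; OS default applies (enabled by default since June 14, 2022)' }
}
Write-Host "DCOM hardening     : $state"

# 2. Events DCOM logs around the Packet Integrity requirement. 10036 is logged on the server
#    when it rejects an activation; 10037 and 10038 are logged on the client when an application
#    requests activation with an explicit (10037) or default (10038) level below Packet Integrity.
#    Each message names the process, CLSID and remote machine, which is what you need to find
#    the OPC client or server that must be migrated.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "DCOM auth events   : none in the last $Days days"
}
else {
    $events | Group-Object Id | ForEach-Object {
        Write-Host ("DCOM auth events   : ID {0} seen {1} time(s)" -f $_.Name, $_.Count)
    }
    $events | Sort-Object TimeCreated -Descending |
        Select-Object -First 5 TimeCreated, Id, Message | Format-List
}

# 3. Firewall footprint: DCOM needs TCP 135 plus this whole dynamic RPC range open between
#    client and server, whereas an OPC UA endpoint or a tunnel needs one configured port.
Write-Host "Dynamic RPC ports  :"
netsh int ipv4 show dynamicport tcp |
    Where-Object { $_ -match 'Start Port|Number of Ports' } |
    ForEach-Object { Write-Host "  $($_.Trim())" }
```

Run it on both the OPC client machine and the OPC server machine, since event 10036 is written where the server runs and 10037/10038 where the client runs. A host that shows the override set to 0 is working today only because of that override and will lose its remote OPC DA connections once the March 2023 updates are applied.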

Request our free detailed Remote OPC DA Classic (DCOM) Configuration Guide with recommendations for DCOM setting configuration on OPC DA client and server machines where connections will be remote (client and server on separate machines).

OPC UA Doesn't Use DCOM & Software Toolbox products are ready!

The OPC UA standards do NOT use DCOM. Instead, a client connects to a server over a single TCP port per endpoint (4840 by default, so only one firewall rule is needed), and the connection can be signed and encrypted, with the client and server applications authenticated by X.509 certificates and the user authenticated separately. Note that encryption and application authentication only apply when the endpoint's SecurityMode is Sign or SignAndEncrypt; an endpoint configured with SecurityMode None provides neither, so disable such endpoints on production servers. If your OPC applications support OPC UA, you should be migrating to those interfaces. Software Toolbox's OPC products support OPC UA, many since 2008, and are robust, resilient and ready for you to switch over from DA.

Not Ready for OPC UA? You Still Need to Move Away from DCOM: Consider Tunneling

With Microsoft's hardening of DCOM security ramping up to the March 2023 change that makes hardened DCOM mandatory on currently supported operating systems, you need a plan to update your OPC Classic applications, whether that means moving to OPC UA or replacing DCOM with some form of tunneling. Your Software Toolbox products already support OPC UA, but you should be on the latest version, which is a free upgrade if you are on support & maintenance (which can be reinstated if needed).

Below is a list of resources on various ways to eliminate DCOM from your control systems.  

Software Toolbox Product DCOM Hardening Resources

Products to Help Remove DCOM

Free trials of all products are available from their respective web pages. How-to videos and guides are listed next on this page.

  • DataHub OPC Gateway - expose OPC DA servers as OPC UA servers, and let OPC DA clients connect to OPC UA servers

  • DataHub Secure Tunneling - replace DCOM in OPC DA client-to-server connections with secure, encrypted, DMZ- and proxy-friendly tunneling that automatically recovers from network interruptions

  • TOP Server OPC Client Suite - great for situations where you are using dynamic tags with TOP Server or OmniServer, such as with AVEVA solutions like InTouch, System Platform, or Historian.

Avoiding DCOM Using Secure Tunneling

  1. Whitepaper - Four Reasons to use Tunneling

  2. Video - Configuring DataHub Tunneling to avoid DCOM (4:49)

  3. Blog - Reasons Why DCOM Across Windows Version is a Nightmare

Avoiding DCOM Using OPC UA

  1. Video - Securely Connecting DataHub to an OPC UA Server (8:37)

  2. Video - Using DataHub OPC Gateway to Convert between OPC DA and OPC UA Systems (4:21)

  3. Video - Introduction to OPC UA Seminar (7:54)

  4. Blog - Accessing Wonderware System Platform via OPC UA

Reasons to Avoid DCOM - DCOM Horror Stories

  1. Blog - How Misconfigured DCOM Locked User Out of Windows Registry

  2. Blog - How Misconfigured DCOM Disabled Windows Search Functionality

Reasons to Avoid DCOM - IT/OT Convergence

  1. Blog - OPC Connectivity & Security Concerns in IT/OT Convergence

Using IIoT instead of DCOM for Remote Integration

  1. Video - Configuring DataHub V9 as an MQTT Broker (5:13)

  2. Video - MQTT Client - OPC to Azure IoT Hub in DataHub V9 (5:01)

  3. Video - MQTT Client - Publishing and Subscribing to MQTT Brokers in DataHub V9 (6:18)

  4. Video - Integrating IIoT Data using the TOP Server MQTT Client Driver (14:27)

DataHub OPC Gateway (DA/UA Converter) and OPC Tunneling Free Trial Software Download