DCOM security
In response to the Microsoft Distributed Component Object Model (DCOM) Hardening patch (MS KB5004442), the minimum DCOM authentication level used by Rockwell Automation products was raised to Packet Integrity.
IMPORTANT: Installing this product's latest version alongside earlier, unpatched versions of other FactoryTalk products, or alongside products that use Classic OPC-DA connections, may cause a loss of connectivity because the two sides use different DCOM authentication levels. For additional information, see the Knowledgebase Document ID: IN39461 - Microsoft DCOM Hardening Information TOC.

Microsoft released the DCOM Hardening patch in response to CVE-2021-26414. The patch raises the minimum DCOM authentication level that is required to establish a DCOM connection. DCOM is used by many Rockwell Automation products, which may therefore be affected by the change made by the Microsoft patch. For additional information about the affected Rockwell Automation products, see the Knowledgebase Document ID: PN1581 - Product Notification 2022-01-001 - Rockwell Automation products unable to establish proper DCOM connection after installing Microsoft DCOM Hardening patch (MS KB5004442).

Impact on Rockwell Automation software
If computers within your network have installed the Microsoft patch, the DCOM authentication level of the client or server applications on those computers must be updated to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, while the authentication level of applications on computers without the patch is not. As a result, communication between the two types of computers will fail.
TIP:
- The distributed third-party OPC-DA server and client applications are also impacted.
- To ensure proper communication, the authentication level of both the server application and the client application should be at the same level.
Solutions
We recommend installing the latest version of Rockwell Automation software, or installing the patch for the corresponding software version. To avoid the compatibility issue, make sure all Rockwell Automation applications you use are updated.

If any computers within your network have not installed the Microsoft patch, or some Rockwell Automation applications are not updated to the latest version, you can lower the DCOM application authentication level on all computers. To do so, do one of the following:
- Remove the Microsoft DCOM patch from all workstations in the system.
- Switch the DCOM authentication level on all workstations in the system using one of the following methods:
  - Use the Registry Editor.
    - FactoryTalk software: Open Registry Editor, select HKEY_LOCAL_MACHINE > SOFTWARE > WOW6432Node > Rockwell Software > FactoryTalk > Platform, right-click DCOMAuthLevel > Modify, and then edit the Value data to 1. The default value after upgrading the Rockwell Automation application is 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) and the former value is 1 (RPC_C_AUTHN_LEVEL_PKT_NONE).
    - RSLinx Classic software: Open Registry Editor, select HKEY_LOCAL_MACHINE > SOFTWARE > WOW6432Node > Rockwell Software > RSLinx, right-click DCOMAuthLevel > Modify, and then edit the Value data to 1. The default value after upgrading the Rockwell Automation application is 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) and the former value is 1 (RPC_C_AUTHN_LEVEL_PKT_NONE).
  - Use the DCOMAuthLevel utility.
    - Open DCOMAuthLevel, select None (for backward compatibility), and then click OK.
TIP:
- An authentication level lower than 5 is not supported after the Microsoft patch is installed.
- The DCOMAuthLevel utility adjusts the authentication level for FactoryTalk Services Platform, the FactoryTalk Live Data OPC-DA client interface, the FactoryTalk Linx Gateway OPC-DA server interface, and RSLinx Classic's OPC-DA server interface.
- The Windows Component Services DCOM configuration setting is not used or supported by FactoryTalk software or RSLinx Classic.
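The following audit script is an added example, not part of this Rockwell document or its tools. It reads the two DCOMAuthLevel registry values described above on each workstation and warns about levels below 5 and about workstations whose levels disagree, which is the mismatch that makes client/server connections fail. The $Computers list is an assumed input, and remote reads use WinRM (Invoke-Command) with an account that has rights on the target machines; the level-name table is the standard Windows RPC_C_AUTHN_LEVEL_* numbering, of which the page only uses 1 and 5.

```powershell
# Added audit example, not from the Rockwell page. Reads the DCOMAuthLevel values
# for FactoryTalk and RSLinx Classic on each workstation and flags problems.
# $Computers is an assumed input; remote machines are queried over WinRM.
param([string[]]$Computers = @($env:COMPUTERNAME))

$Keys = @{
    FactoryTalk = 'HKLM:\SOFTWARE\WOW6432Node\Rockwell Software\FactoryTalk\Platform'
    RSLinx      = 'HKLM:\SOFTWARE\WOW6432Node\Rockwell Software\RSLinx'
}

# Windows RPC authentication levels; the page refers to 1 and 5.
$LevelNames = @{
    0 = 'RPC_C_AUTHN_LEVEL_DEFAULT'; 1 = 'RPC_C_AUTHN_LEVEL_NONE'
    2 = 'RPC_C_AUTHN_LEVEL_CONNECT'; 3 = 'RPC_C_AUTHN_LEVEL_CALL'
    4 = 'RPC_C_AUTHN_LEVEL_PKT';     5 = 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY'
    6 = 'RPC_C_AUTHN_LEVEL_PKT_PRIVACY'
}
$Minimum = 5   # required once the Microsoft DCOM Hardening patch is installed

# Runs locally or on the remote machine; emits one record per product key.
$ReadLevels = {
    param($Keys)
    foreach ($product in $Keys.Keys) {
        $item = Get-ItemProperty -Path $Keys[$product] -Name DCOMAuthLevel -ErrorAction SilentlyContinue
        $level = $null                                   # $null = product/value not present
        if ($item) { $level = [int]$item.DCOMAuthLevel }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Product = $product; Level = $level }
    }
}

$results = foreach ($c in $Computers) {
    if ($c -eq $env:COMPUTERNAME) { & $ReadLevels $Keys }
    else { Invoke-Command -ComputerName $c -ScriptBlock $ReadLevels -ArgumentList $Keys }
}

# Inventory table: computer, product, numeric level and its symbolic name.
$results |
    Select-Object Computer, Product, Level,
        @{ n = 'Name'; e = { if ($null -eq $_.Level) { 'not installed' } else { $LevelNames[$_.Level] } } } |
    Format-Table -AutoSize

# Findings: anything below the hardened minimum, and any mix of levels across machines.
$present = @($results | Where-Object { $null -ne $_.Level })
foreach ($r in $present | Where-Object { $_.Level -lt $Minimum }) {
    Write-Warning "$($r.Computer)/$($r.Product): level $($r.Level) is not supported once the DCOM Hardening patch is installed."
}
$distinct = @($present.Level | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Mixed levels ($($distinct -join ', ')) across workstations: client and server must use the same level or connections fail."
}
```

Run it from an administrative PowerShell session as `.\Audit-DcomAuthLevel.ps1 -Computers HMI01,SERVER01` (script name and host names are placeholders) after any change made with Registry Editor or the DCOMAuthLevel utility, so the whole system is confirmed to be at one consistent level.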
Workgroup and domain settings after the applications' authentication level is updated
After the applications' authentication level is adjusted to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, ensure that all users in the part of your network that contains Rockwell Automation software and third-party OPC-DA applications meet the DCOM requirements for RPC_C_AUTHN_LEVEL_PKT_INTEGRITY:
- When working within a workgroup, each user must be created locally on each computer involved in the connection. Furthermore, each workstation in the workgroup must have the same user accounts, with the same usernames and passwords on each machine, for authentication to succeed. A blank password is not valid in most cases. In some cases, even though the user account has administrative privileges, you might still have DCOM authentication problems; in that case we recommend using the Windows built-in administrator account.
- When working within a domain, local users and groups do not need to be added to each computer. If working within a domain is preferred, a network administrator may have to implement the changes.
For more information, see the Microsoft documentation How to Configure a Domain User or Group.