Microsoft DCOM security changes and possible impact on DeltaV OPC communication

Here's the link to Microsoft system update: support.microsoft.com/.../kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Microsoft will deploy the complete DCOM security update in phases to give users time to prepare before it becomes mandatory. Any OPC communications relying on DCOM may stop working when the Windows changes start to be enforced in late 2022. Our sites rely heavily on OPC DA for third-party communication. The question is how Emerson is going to handle these changes.

5 Replies

  • Emerson is aware of the Microsoft change to the operating system elevating DCOM communications to packet-level integrity. We are in the process of testing any impact on our supported products and the behavior with our complementary products. Once the testing is complete, we’ll publish information on actions our customers can take. What we have learned so far:
    1. This change impacts the communication across the network. Clients and servers on the same workstation are not impacted.
    2. The hotfix that Microsoft is publishing must be applied to both the client and server.
    3. The client DCOM (or OPC) application must initialize correctly to connect to a server. The client may need to be patched. The server does not require a change.
    4. Clients on older/unsupported operating systems may be impacted – the OS of the client machine may have to be upgraded.
  • In reply to Randy Pratt:

    I've already found an issue that might be related to this.
    SoftPhases, when the execution environment is on a non-DeltaV node, stopped working. My particular scenario is a workgroup-based non-DV computer and a domain-based DeltaV system. This was working before automatic updates were applied to the non-DV computer.
  • In reply to gamella:

    There are reports from the field that suggest the hardened mode may have been intermittently active between the June and October security updates regardless of registry setting. We have not seen any confirmation of this from Microsoft, but we have noted other OPC vendors stating this. Your symptom raises further suspicion as Microsoft's documentation indicates the hardening mode should not be in play unless the registry settings were set to enable it. An upcoming KBA will recommend testing OPC-DA clients for proper operation with the hardened mode enabled. Note Microsoft's KB5004442 also details the registry settings needed to enable the minimum authentication level of packet integrity.
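The registry switch the reply above refers to, shown here as an added example that is not part of the thread, of KB5004442, or of Emerson's KBA. It assumes the key path and value name as KB5004442 documents them (`HKLM\SOFTWARE\Microsoft\Ole\AppCompat`, DWORD `RequireIntegrityActivationAuthenticationLevel`, 0 = hardening disabled, 1 = hardening enabled); the function names are mine, and the note that the value only matters during Microsoft's phased rollout is my reading of the KB's enforcement plan. Run it elevated on the client node and on the server node you want to test as a pair.

```powershell
# Added example: read and set the KB5004442 DCOM hardening switch so an OPC-DA
# client/server pair can be tested in "hardened" mode ahead of enforcement.
# Assumption: this value is honored only during the phased rollout; once Microsoft
# ships the enforcement update, setting it to 0 no longer turns hardening off.

$Key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$Name = 'RequireIntegrityActivationAuthenticationLevel'

function Get-DcomHardeningState {
    # Returns 'Enabled', 'Disabled', or 'NotSet'. NotSet means the OS default for
    # whatever update level the node is at applies (disabled before enforcement).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)     { return 'NotSet' }
    if ($item.$Name -eq 1)   { return 'Enabled' }
    return 'Disabled'
}

function Set-DcomHardeningState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # KB5004442: DWORD, 0 = disabled, 1 = enabled (minimum activation authentication
    # level becomes RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, numeric level 5).
    $value = if ($State -eq 'Enabled') { 1 } else { 0 }
    Set-ItemProperty -Path $Key -Name $Name -Value $value -Type DWord
    Write-Host "$env:COMPUTERNAME : $Name = $value ($State). Restart the node before testing."
}

# Weak / pre-enforcement configuration (what most sites are running today):
#   RequireIntegrityActivationAuthenticationLevel = 0
# Hardened configuration (what the OS will eventually enforce); apply on BOTH the
# OPC-DA client node and the server node, reboot, exercise the client, then check
# the System log for DCOM events 10036 (server) and 10037/10038 (client):
#   RequireIntegrityActivationAuthenticationLevel = 1

"Current state on $env:COMPUTERNAME : $(Get-DcomHardeningState)"
# Set-DcomHardeningState -State Enabled     # uncomment on the test pair
# Set-DcomHardeningState -State Disabled    # roll back the test pair if needed
```

Test on an isolated client/server pair rather than the production OPC server first: with the value at 1 on the server, any client that still activates below packet integrity is refused, which is exactly the failure the thread describes.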
  • For anyone interested, the below will parse System logs for the three event IDs noted in the KB.

    Some items we've uncovered:
    - AMS System Tray (v13.5)
    - DeltaV OPC Mirror (v13.3.1)

    # Get-ADComputer comes from the ActiveDirectory (RSAT) module; the System log is read
    # remotely, so the account running this needs event-log read rights on each node.
    Import-Module ActiveDirectory
    $servers  = (Get-ADComputer -Filter {Enabled -eq $True}).Name
    # The three DCOM hardening events from KB5004442: 10036 (server side), 10037/10038 (client side)
    $eventIDs = 10036, 10037, 10038
    ForEach ($server in $servers) {
        # Read each node's System log once and keep only the DCOM hardening events
        Get-EventLog -ComputerName $server -LogName System |
            Where-Object { $eventIDs -contains $_.EventID } |
            Select-Object -Property Index, MachineName, Source, EventID, Message
    }
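The collection script above lists the raw events; what a site actually needs from them is which side (server or client) and which client application has to change. The following is an added example that is not part of the thread or of any Emerson tool: it triages the three event IDs into an action per event. The sample events are constructed for this example, with message wording that approximates the KB5004442 event text rather than reproducing captured logs; node names, paths, SIDs and CLSIDs are placeholders. The mapping of 10037 to "the application sets its level explicitly, so the vendor must change it" and 10038 to "the application uses the machine default, so the DCOM default authentication level on the client is the first thing to raise" is my reading of the event text, stated as an assumption.

```powershell
# Added example: classify KB5004442 DCOM hardening events and say what to fix where.
# Sample events are CONSTRUCTED for this example (message text approximates the KB wording).
$sample = @(
    [pscustomobject]@{ MachineName = 'OPCSRV01'; EventID = 10036
        Message = 'The server-side authentication level policy does not allow the user PLANT\opcclient SID (S-1-5-21-1111111111-2222222222-3333333333-1105) from address 10.10.5.21 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.' }
    [pscustomobject]@{ MachineName = 'HMI-WG-07'; EventID = 10037
        Message = 'Application C:\Apps\Vendor\OpcBridge.exe with PID 4120 is requesting to activate CLSID {00000000-0000-0000-0000-000000000001} on computer OPCSRV01 with explicitly set authentication level at 2. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.' }
    [pscustomobject]@{ MachineName = 'HMI-WG-07'; EventID = 10038
        Message = 'Application C:\Apps\Vendor\TrendViewer.exe with PID 2288 is requesting to activate CLSID {00000000-0000-0000-0000-000000000002} on computer OPCSRV01 with default activation authentication level at 2. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor.' }
)

# Regexes keyed to the placeholders in the KB event text (%1..%5).
$ServerPattern = 'user (?<user>\S+) SID \((?<sid>[^)]+)\) from address (?<addr>\S+)'
$ClientPattern = 'Application (?<app>.+?) with PID (?<pid>\d+) is requesting to activate CLSID (?<clsid>\{[^}]+\}) on computer (?<srv>\S+) with (?<kind>explicitly set|default) activation authentication level at (?<lvl>\d+)'

function Convert-DcomHardeningEvent {
    # Takes objects shaped like Get-EventLog output (MachineName, EventID, Message)
    # and emits one triage record per event. Unrelated events are passed over.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        switch ($Event.EventID) {
            10036 {
                # Server side: the server refused an activation below packet integrity.
                $m = [regex]::Match($Event.Message, $ServerPattern)
                [pscustomobject]@{
                    Node    = $Event.MachineName
                    Side    = 'Server'
                    EventID = 10036
                    App     = $null
                    Level   = $null
                    Action  = "Client at $($m.Groups['addr'].Value) (user $($m.Groups['user'].Value)) activates below PKT_INTEGRITY; look for 10037/10038 on that node."
                }
            }
            { $_ -eq 10037 -or $_ -eq 10038 } {
                # Client side: the event names the offending executable and its level.
                $m = [regex]::Match($Event.Message, $ClientPattern)
                if (-not $m.Success) { return }
                $lvl  = [int]$m.Groups['lvl'].Value
                $app  = $m.Groups['app'].Value
                $srv  = $m.Groups['srv'].Value
                # Assumption: "explicitly set" means the code calls CoInitializeSecurity /
                # CoSetProxyBlanket with a fixed level, so only the vendor can fix it;
                # "default" means the machine-wide DCOM default level is in play.
                $action = if ($Event.EventID -eq 10037) {
                    "$app sets level $lvl explicitly when talking to $srv; an updated build from the vendor is required (level 5 = PKT_INTEGRITY)."
                } else {
                    "$app inherits the machine default level $lvl when talking to $srv; raise the client's DCOM default authentication level to Packet Integrity and retest."
                }
                [pscustomobject]@{
                    Node    = $Event.MachineName
                    Side    = 'Client'
                    EventID = $Event.EventID
                    App     = $app
                    Level   = $lvl
                    Action  = $action
                }
            }
        }
    }
}

$sample | Convert-DcomHardeningEvent | Format-Table -AutoSize -Wrap Node, Side, EventID, App, Level, Action
```

In use, replace `$sample` with the output of the collection script (its `Select-Object` keeps the `MachineName`, `EventID` and `Message` properties this function reads) and group by `App` to get the list of client executables that need a vendor update before the hardened mode is enforced.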
  • In reply to Randy Pratt:

    Knowledge Base Article NK-2200-0042 was published today (15-FEB-2022). However if you've already digested Microsoft's KB5004442, there isn't much new in the KBA.

    As we try to communicate the issue, I have a bad analogy, but perhaps it'll help those not into the details of DCOM. Think of this as similar to your cell phone. The provider is phasing out 3G. Your cell phone is only 3G compatible. Like it or not, you need a new phone to be able to communicate. This isn't much different. Some testing is still ongoing, but at this point think of DeltaV 13 & 14 as being 4G capable, but your client might not be. If the client can't do 4G, you need a new / updated client. The KBA is about how to set the environment up so that you can test in 4G mode.

    As testing is ongoing, it's possible we may still find an issue on the DeltaV side and hotfixes may prove necessary. But even if that is the case, if the client isn't capable of the new minimum security mode, you need an updated client. A DeltaV update isn't going to be able to fix an incapable client.