OptoOPC Server and the Microsoft DCOM hardening patch

Just wondering if the fine folks at Opto22 have checked to see if the Microsoft DCOM Hardening patch (CVE-2021-26414) will have any adverse affects to OptoOPCServer connectivity? I have been getting notifications from other vendors (Rockwell Automation especially) indicating issues with certain primary applications in their ecosystem not working correctly with the hardening patch activated. I suspect that the OPCServer is probably not widely used in the community, but for me it is fairly significant as this is the route we have been using for years to get Opto22 processor data into our PI Historian. Yes, there are more modern ways to do this, like with API calls and JSON parsing, but for us users that still have a large base of SNAP processors and I/O out there, OptoOPCServer is also still the best option for allowing multiple PACDisplay clients to connect to individual processors. I searched a little through the forums and didn’t see this question addressed previously, so I thought I would put it out there and see if this may be an issue waiting to bite me. Thanks in advance for any responses.

Hi Kevin. Welcome to the Opto forums.

I am going to reach out to our software engineers and get back to you on this one…

Thanks Ben! I appreciate it.

Thank you Kevin for Bringing this up. OPC is integral to my system for similar reasons (multiple Display stations and Data dissemination). I look forward to good news on this one…Thanks Beno!

Not much of an update, but since this topic seems to be on a few peoples minds… our engineers here said it took a little longer to setup the test environment, but that’s almost done. I believe the plan was to get everything running pre-patch, then apply the patch and test again.
Thanks for your patience.

1 Like

@kprickett and @LadyBNC
The initial in-house testing on this DCOM hardening change is complete.

The short version is that there are no code changes required to either OptoOPCServer or PAC Display, just some settings on the users computers need to be changed followed by a reboot.

The slightly longer version is that we found just how ‘old’ the OptoOPCServer users guide is and we need to update it for these new settings at the very least.

How urgent is this for those of you looking to apply this hardening patch?
https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c

Since Microsoft still allows the hardening patch to be bypassed by disabling a registry key (at least until March of 2023), I don’t view this as urgent at this point. If I find, at some point, that our OptoOPCServer installation has stopped working after my company pushes out some OS patches, I will have one of our Sys Admins disable the offending registry key on the affected PCs.

Thanks for digging into this and helping to alleviate my concern over it. Keep us apprised.

Just out of curiosity… are there any plans to update the OptoOPCServer to OPC-UA? I figure with the addition of the native OPC-UA server functionality into the groov EPIC there’s probably no plans, but it doesn’t hurt to ask, right? Thanks again!

Looking forward to a solution that gets us past March myself.
27 SNAP controllers 6 M4’s, 8 S2’s, 6 RIO’s…hundreds of data points collected via OPCServer with the LCM4’s

PAC Project 10.5 is supposed to have the updated OPC Server.

You could test it any time from now.
In other words, fear not the March timeline, just follow the updated doc.

Found some resolution in the “DCOM Config/Opto22.OpcServer.2” properties.
In the “Identity tab” the “Interactive User” was checked. Do not know why. Checked the “Launching User” instead and restarted Server. Perfect performance since.
Application is XLReporter by Sytech. Hats off to those guys for finding it.