{"id":1236,"date":"2022-11-17T09:56:16","date_gmt":"2022-11-17T09:56:16","guid":{"rendered":"https:\/\/integrationobjects.com\/blog\/?p=1236"},"modified":"2026-04-03T16:04:39","modified_gmt":"2026-04-03T16:04:39","slug":"windows-dcom-server-security-feature-bypass","status":"publish","type":"post","link":"https:\/\/integrationobjects.com\/blog\/windows-dcom-server-security-feature-bypass\/","title":{"rendered":"DCOM Server Security Feature Bypass (CVE-2021-26414): What OPC Users Need to Know"},"content":{"rendered":"

If you run OPC Classic applications in your industrial environment, Microsoft’s DCOM server security hardening update is one of the most operationally significant Windows changes in recent years. Since March 2023, it has been permanently enforced with no way to roll it back – meaning any OPC Classic setup that hasn’t adapted is either broken or running with a workaround that introduces its own risk.<\/p>\n

This article explains what the DCOM server security change is, which OPC systems it affects, how to check if your environment is impacted, and what your options are for maintaining secure, uninterrupted OPC communication.<\/p>\n

What is DCOM server security and why does it matter for OPC?<\/h2>\n

DCOM (Distributed Component Object Model) is the Microsoft protocol that OPC Classic – including OPC DA, OPC HDA, and OPC AE – has relied on since its inception for remote communication between OPC clients and servers. DCOM handles the remote procedure calls that allow an OPC client on one machine to read data from an OPC server on another.<\/p>\n

The problem is that DCOM was designed in the 1990s for closed, trusted networks. As industrial environments became more interconnected, and as attackers became more sophisticated, DCOM’s security model became a liability. Microsoft identified a specific vulnerability, CVE-2021-26414<\/a>, which allowed attackers to bypass DCOM server security authentication, potentially gaining unauthorized access to systems communicating over DCOM.<\/p>\n

The fix was a mandatory hardening update that raises the minimum authentication level required for all DCOM connections. This is the right security decision, but it breaks any OPC Classic client application that doesn’t support the new Packet Level Integrity requirement.<\/p>\n

The Microsoft DCOM hardening rollout timeline<\/h2>\n

Microsoft released the DCOM server security hardening update (KB5004442<\/a>) in stages to give organizations time to adapt:<\/p>\n\n\n\n\n\n\n
\n

Update release<\/span><\/b>\u00a0<\/span><\/p>\n<\/td>\n

Behavior change<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
June 8, 2021<\/span><\/b>\u00a0<\/span><\/td>\n\n

Hardening changes disabled by default but with the ability to enable them using a registry key.<\/span>\u00a0<\/span><\/p>\n<\/td>\n<\/tr>\n

June 14, 2022<\/span><\/b>\u00a0<\/span><\/td>\nHardening changes enabled by default but with the ability to disable them\u202fusing a registry key.<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
March 14, 2023<\/span><\/b>\u00a0<\/span><\/td>\nHardening changes enabled by default with no ability to disable them. By this point, you must resolve\u202fany compatibility issues with the hardening changes and applications in your environment.<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

As of March 2023, there is no registry key, no group policy, and no workaround that disables this enforcement. Every Windows machine that receives standard updates is now running with DCOM hardening active.<\/p>\n

Which OPC systems are affected?<\/h2>\n

The DCOM server security hardening update affects the OPC client side<\/strong> of any remote OPC Classic connection. Specifically, when the Windows update is applied to the machine running the OPC server, any OPC client connecting to it remotely must support Packet Level Integrity – the elevated authentication level Microsoft now requires.<\/p>\n

You are affected if:<\/p>\n