COM settings in OPC Classic client components: Difference between revisions

From OPC Labs Knowledge Base
 
(23 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Category:COM/DCOM]] [[Category:Troubleshooting]]
[[Category:COM/DCOM]] [[Category:Troubleshooting]]
This article describes the internal effects of the various COM security settings.  
This article describes the internal effects of the various COM security settings. For easier orientation, the behavior with the default settings is in '''bold'''.


See also: [[COM management]]
= QuickOPC version 2022.1 and later =
= QuickOPC version 2022.1 and later =


Parameters from EasyXXClient.SharedParameters.EngineParameters.ComSecurityParameters are used for operations on OPCEnum, and also for operations on target OPC servers.
Parameters from {{Style=Identifier|ComManagement.Instance.Configuration.SecurityParameters}} are used for COM security initialization.  


'''COM and proxy initialization:'''
Parameters from {{Style=Identifier|ComManagement.Instance.Configuration.InstantiationParameters}}, possibly overridden by values from {{Style=Identifier|EasyXXClient.SharedParameters.MachineParameters.ComInstantiationParameters}}, are used for instantiation of OPCEnum object.  
* Without UseCustomSecurity: CoInitializeSecurity is not called. CoSetProxyBlanket is not called.
* With UseCustomSecurity (the default): CoInitializeSecurity is called. CoSetProxyBlanket is called (only in NativeClient).


'''CoInitializeSecurity parameters:'''
Parameters from {{Style=Identifier|ComManagement.Instance.Configuration.InstantiationParameters}}, possibly overridden by values from {{Style=Identifier|EasyXXClient.SharedParameters.ClientParameters.ComInstantiationParameters}}, are used for instantiations of target OPC servers.


pSecDesc = NULL.
== COM and proxy initialization ==
* Without {{Style=Identifier|UseCustomSecurity}}: CoInitializeSecurity is not called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called.
* '''With {{Style=Identifier|UseCustomSecurity}} (the default): CoInitializeSecurity is called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called (only in NativeClient).'''


* Without AllowImpersonateClient (the default): dwImpLevel = RPC_C_IMP_LEVEL_IDENTIFY (2).  
== CoInitializeSecurity parameters ==
* With AllowImpersonateClient: dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).
In many cases, the COM security will be initialized before we get a chance to call CoInitializeSecurity. In such cases, the call to CoInitializeSecurity will fail silently (with a record in Windows Event Log).


* Without TurnOffCallSecurity (the default): dwAuthnLevel = Common authentication level (see below).
'''pSecDesc = NULL.'''
* With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1) (see [https://docs.microsoft.com/en-us/windows/win32/com/turning-off-call-security Turning Off Call Security]).  


AccessFromThreadToken is ignored.
* '''Without {{Style=Identifier|AllowImpersonateClient}} (the default): dwImpLevel = RPC_C_IMP_LEVEL_IDENTIFY (2).'''
* With {{Style=Identifier|AllowImpersonateClient}}: dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).


'''CoSetProxyBlanket parameters''':  
* '''Without {{Style=Identifier|TurnOffCallSecurity}} (the default): dwAuthnLevel = common authentication level (see below).'''
* With {{Style=Identifier|TurnOffCallSecurity}}: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1).<ref name="TurnOffCallSecurity"/>


dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.
{{Style=Identifier|AccessFromThreadToken}} is ignored.


'''COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty)''':
== IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters ==
* Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.
* With TurnOffActivationSecurity: NULL (see [https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security Turning Off Activation Security]).


'''Common authentication level:'''  
'''dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.'''
* Without EnsureDataIntegrity (the default): RPC_C_AUTHN_LEVEL_CONNECT (2).
 
* With EnsureDataIntegrity: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5). For [https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)].
== COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty) ==
* Without {{Style=Identifier|OverrideDefaultSecurity}}: NULL.
* '''With {{Style=Identifier|OverrideDefaultSecurity}} (the default):'''
** '''Without {{Style=Identifier|TurnOffActivationSecurity}} (the default): dwAuthnSvc = RPC_C_AUTHN_WINNT; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = common authentication level (see below); dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.'''
** With {{Style=Identifier|TurnOffActivationSecurity}}: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.<ref name="TurnOffActivationSecurity"/><ref>Due to the fact that the effective parameters are determined by taking {{Style=Identifier|ComManagement.Instance.Configuration.InstantiationParameters}} and possibly overriding them by values from {{Style=Identifier|EasyXXClient.SharedParameters.MachineParameters.ComInstantationParameters}} or {{Style=Identifier|EasyXXClient.SharedParameters.ClientParameters.ComInstantationParameters}}, you need to set {{Style=Identifier|TurnOffActivationSecurity}} at multiple places.</ref>
 
== Common authentication level ==
* '''Without {{Style=Identifier|EnsureDataIntegrity}} (the default): RPC_C_AUTHN_LEVEL_CONNECT (2).'''
* With {{Style=Identifier|EnsureDataIntegrity}}: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5).<ref name="EnsureDataIntegrity">For [https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)].</ref>


= QuickOPC versions up to 2021.3 =
= QuickOPC versions up to 2021.3 =
Line 38: Line 46:
The information only applies to NativeClient implementation. The NetApiClient implementation uses different settings, and they cannot be changed by the parameters described here.  
The information only applies to NativeClient implementation. The NetApiClient implementation uses different settings, and they cannot be changed by the parameters described here.  


For operations on OPCEnum, parameters from EasyXXClient.SharedParameters.MachineParameters are used. For operations on target OPC servers, parameters from EasyXXClient.SharedParameters.ClientParameters are used.  
For operations on OPCEnum, parameters from {{Style=Identifier|EasyXXClient.SharedParameters.MachineParameters}} are used. For operations on target OPC servers, parameters from {{Style=Identifier|EasyXXClient.SharedParameters.ClientParameters}} are used.  
 
== COM and proxy initialization ==


'''COM and proxy initialization:'''
'''CoInitializeSecurity is not called.'''
CoInitializeSecurity is not called
* Without {{Style=Identifier|UseCustomSecurity}}: IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called.
* Without UseCustomSecurity: CoSetProxyBlanket is not called.
* '''With {{Style=Identifier|UseCustomSecurity}} (the default): IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called.'''
* With UseCustomSecurity (the default): CoSetProxyBlanket is called.


'''CoInitializeSecurity parameters:'''
== IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters ==
* Without TurnOffCallSecurity (the default): dwAuthnLevel = Always RPC_C_AUTHN_LEVEL_CONNECT (2); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc =  CSecurityDescriptor::InitializeFromThreadToken()>
* '''Without {{Style=Identifier|TurnOffCallSecurity}} (in ComInstantiationParameters) (the default): dwAuthnLevel = Always RPC_C_AUTHN_LEVEL_CONNECT (2); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).'''
* With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3); pSecDesc = NULL
* With {{Style=Identifier|TurnOffCallSecurity}} (in ComInstantiationParameters): dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).<ref name="TurnOffCallSecurity">See [https://docs.microsoft.com/en-us/windows/win32/com/turning-off-call-security Turning Off Call Security]. For this to work, the server must also specify  None for its authentication level.</ref>


'''CoSetProxyBlanket parameters''': dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.
== COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty) ==
* '''Without {{Style=Identifier|TurnOffActivationSecurity}} (the default): NULL.'''
* With {{Style=Identifier|TurnOffActivationSecurity}}: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.<ref name="TurnOffActivationSecurity">See [https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security Turning Off Activation Security]. For this to work, the server must specify Everyone for Default Launch Permissions.</ref>.


'''COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty)''':
<br/>
* Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE;
* With TurnOffActivationSecurity: NULL
(see https://docs.microsoft.com/en-us/windows/win32/com/turning-off-activation-security?redirectedfrom=MSDN)

Latest revision as of 13:05, 17 November 2023

This article describes the internal effects of the various COM security settings. For easier orientation, the behavior with the default settings is in bold.

See also: COM management

QuickOPC version 2022.1 and later

Parameters from ComManagement.Instance.Configuration.SecurityParameters are used for COM security initialization.

Parameters from ComManagement.Instance.Configuration.InstantiationParameters, possibly overridden by values from EasyXXClient.SharedParameters.MachineParameters.ComInstantiationParameters, are used for instantiation of OPCEnum object.

Parameters from ComManagement.Instance.Configuration.InstantiationParameters, possibly overridden by values from EasyXXClient.SharedParameters.ClientParameters.ComInstantiationParameters, are used for instantiations of target OPC servers.

COM and proxy initialization

  • Without UseCustomSecurity: CoInitializeSecurity is not called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called.
  • With UseCustomSecurity (the default): CoInitializeSecurity is called. IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called (only in NativeClient).

CoInitializeSecurity parameters

In many cases, the COM security will be initialized before we get a chance to call CoInitializeSecurity. In such cases, the call to CoInitializeSecurity will fail silently (with a record in Windows Event Log).

pSecDesc = NULL.

  • Without AllowImpersonateClient (the default): dwImpLevel = RPC_C_IMP_LEVEL_IDENTIFY (2).
  • With AllowImpersonateClient: dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).
  • Without TurnOffCallSecurity (the default): dwAuthnLevel = common authentication level (see below).
  • With TurnOffCallSecurity: dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1).[1]

AccessFromThreadToken is ignored.

IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters

dwAuthnLevel and dwImpLevel are the same as those used with CoInitializeSecurity.

COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty)

  • Without OverrideDefaultSecurity: NULL.
  • With OverrideDefaultSecurity (the default):
    • Without TurnOffActivationSecurity (the default): dwAuthnSvc = RPC_C_AUTHN_WINNT; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = common authentication level (see below); dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.
    • With TurnOffActivationSecurity: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.[2][3]

Common authentication level

  • Without EnsureDataIntegrity (the default): RPC_C_AUTHN_LEVEL_CONNECT (2).
  • With EnsureDataIntegrity: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5).[4]

QuickOPC versions up to 2021.3

The information only applies to NativeClient implementation. The NetApiClient implementation uses different settings, and they cannot be changed by the parameters described here.

For operations on OPCEnum, parameters from EasyXXClient.SharedParameters.MachineParameters are used. For operations on target OPC servers, parameters from EasyXXClient.SharedParameters.ClientParameters are used.

COM and proxy initialization

CoInitializeSecurity is not called.

  • Without UseCustomSecurity: IClientSecurity::SetBlanket (or CoSetProxyBlanket) is not called.
  • With UseCustomSecurity (the default): IClientSecurity::SetBlanket (or CoSetProxyBlanket) is called.

IClientSecurity::SetBlanket (or CoSetProxyBlanket) parameters

  • Without TurnOffCallSecurity (in ComInstantiationParameters) (the default): dwAuthnLevel = Always RPC_C_AUTHN_LEVEL_CONNECT (2); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).
  • With TurnOffCallSecurity (in ComInstantiationParameters): dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE (1); dwImpLevel = RPC_C_IMP_LEVEL_IMPERSONATE (3).[1]

COAUTHINFO* pAuthInfo in COSERVERINFO* passed to CoCreateInstanceEx (when machine name is not empty)

  • Without TurnOffActivationSecurity (the default): NULL.
  • With TurnOffActivationSecurity: dwAuthnSvc = RPC_C_AUTHN_NONE; dwAuthzSvc = RPC_C_AUTHZ_NONE; pwszServerPrincName = NULL; dwAuthnLevel = RPC_C_AUTHN_LEVEL_NONE; dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; pAuthIdentityData = NULL; dwCapabilities = EOAC_NONE.[2].


  1. 1.0 1.1 See Turning Off Call Security. For this to work, the server must also specify None for its authentication level.
  2. 2.0 2.1 See Turning Off Activation Security. For this to work, the server must specify Everyone for Default Launch Permissions.
  3. Due to the fact that the effective parameters are determined by taking ComManagement.Instance.Configuration.InstantiationParameters and possibly overriding them by values from EasyXXClient.SharedParameters.MachineParameters.ComInstantationParameters or EasyXXClient.SharedParameters.ClientParameters.ComInstantationParameters, you need to set TurnOffActivationSecurity at multiple places.
  4. For KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414).