ACM and Windows DCOM Hardening

ACM versions 9.1 and later will automatically work with versions of Windows that have been updated with the DCOM Hardening security changes. However, ACM settings can be customized to run ACM 9.1 and later without the DCOM Hardening changes.

If you have ACM 9.0.X or earlier, you can also use ACM settings to run ACM in a DCOM Hardened environment.

The following instructions involve changes to the Windows registry. Any changes to the Windows registry must be made with extreme care.

ACM 9.1 and Later

By default, ACM 9.1 and later will work automatically with the DCOM Hardening changes.

Disabling DCOM Hardening in ACM 9.1 and Later

If you do not want ACM 9.1 to use security settings compatible with DCOM Hardening, the behavior can be changed by modifying the Windows registry. The instructions below describe the changes required to disable the DCOM Hardening related changes in ACM 9.1.

  1. Open the Windows Registry Editor and navigate to the ACM settings location

    1. For the 64-bit version of ACM, the location is:

      1. HKEY_LOCAL_MACHINE\Software\AutomationSolutions\Communication Manager

    2. For the 32-bit version of ACM, the location is:

      1. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AutomationSolutions\Communication Manager

  2. Click ‘Communication Manager’ in the left-hand tree view so it is the selected node.

  3. Right-click in the empty space of the right-hand pane and select ‘New > DWORD (32-bit) Value’

  4. Change the name to: AuthLevel

  5. Change the value to: 2

The new entry should look like the one shown below, outlined in red:

ACM must be restarted for the changes to take effect.

Re-enabling DCOM Hardening in ACM 9.1 and Later

If you disabled DCOM Hardening in ACM 9.1 and later according to the instructions above and wish to re-enable it, you can do so by following these instructions:

  1. Open the Windows Registry Editor and navigate to the ACM settings location

    1. For the 64-bit version of ACM, the location is:

      1. HKEY_LOCAL_MACHINE\Software\AutomationSolutions\Communication Manager

    2. For the 32-bit version of ACM, the location is:

      1. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AutomationSolutions\Communication Manager

  2. Click ‘Communication Manager’ in the left-hand tree view so it is the selected node.

  3. Right-click the entry named “AuthLevel” in the right-hand pane.

  4. Click “Delete”

ACM 9.1 Security Settings in the Windows Event Log

ACM 9.1 writes the security settings in use to the Windows Event Log. You can verify the settings in use by starting ACM and then looking at the event details of the entry from the source “asiDATA”.

When the DCOM Hardening changes are enabled, the event log details show:

Using DCOM settings: Authentication = Packet Integrity (5); Impersonation = Identify (2)

When the DCOM Hardening changes are disabled, the event log details show:

Using DCOM settings: Authentication = Connect (2); Impersonation = Identify (2)
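
The registry value and event log entry described above can be checked together without opening the Registry Editor. The following read-only PowerShell script is an added example, not AUTOSOL's code; the function names are hypothetical, and it assumes the “asiDATA” source writes to the Application log and can be queried as a provider name.

```powershell
# Added example: read-only audit of ACM's DCOM authentication setting.
# Registry paths, the AuthLevel name and the log message format are taken from this page.
$keys = [ordered]@{
    '64-bit ACM' = 'HKLM:\Software\AutomationSolutions\Communication Manager'
    '32-bit ACM' = 'HKLM:\SOFTWARE\WOW6432Node\AutomationSolutions\Communication Manager'
}
$levelNames = @{ 2 = 'Connect'; 5 = 'Packet Integrity' }

function Get-AcmAuthLevel {   # hypothetical helper name
    foreach ($entry in $keys.GetEnumerator()) {
        if (-not (Test-Path -LiteralPath $entry.Value)) { continue }   # this ACM bitness is not installed
        $prop  = Get-ItemProperty -LiteralPath $entry.Value -Name AuthLevel -ErrorAction SilentlyContinue
        $value = if ($null -ne $prop) { [int]$prop.AuthLevel } else { $null }
        if ($null -eq $value) {
            $meaning = 'not set: ACM version default applies'
        } elseif ($levelNames.ContainsKey($value)) {
            $meaning = $levelNames[$value]
        } else {
            $meaning = 'value not described on this page'
        }
        [pscustomobject]@{ Install = $entry.Key; AuthLevel = $value; Meaning = $meaning }
    }
}

function Get-AcmLoggedDcomSettings {   # hypothetical helper name
    # Assumption: the asiDATA source writes to the Application log. Newest events are returned first.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'asiDATA' } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Using DCOM settings:' } | Select-Object -First 1
    if ($evt -and $evt.Message -match 'Authentication = (?<name>[^;]+?) \((?<level>\d+)\)') {
        [pscustomobject]@{ TimeCreated = $evt.TimeCreated; AuthName = $Matches.name; AuthLevel = [int]$Matches.level }
    }
}

$registry = @(Get-AcmAuthLevel)
$logged   = Get-AcmLoggedDcomSettings
$registry | Format-Table -AutoSize | Out-Host
if ($logged) {
    "Last logged by ACM ($($logged.TimeCreated)): Authentication = $($logged.AuthName) ($($logged.AuthLevel))"
    # A registry value that differs from the logged one means ACM has not been restarted since the change.
    foreach ($r in $registry | Where-Object { $null -ne $_.AuthLevel -and $_.AuthLevel -ne $logged.AuthLevel }) {
        Write-Warning "$($r.Install): registry AuthLevel=$($r.AuthLevel), ACM last logged $($logged.AuthLevel); restart ACM to apply."
    }
    if ($logged.AuthLevel -eq 2) { Write-Warning 'ACM last started with the DCOM Hardening changes disabled.' }
} else {
    'No "Using DCOM settings" event from asiDATA was found.'
}
```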

ACM 9.0.X and Earlier

Enabling DCOM Hardening changes for ACM 9.0.X and Earlier

If you have a version of ACM prior to 9.1 and need to use security settings compatible with DCOM Hardening, you can enable the DCOM Hardening support by modifying the Windows registry. The instructions below describe the changes required to enable DCOM Hardening support in ACM versions prior to 9.1.

  1. Open the Windows Registry Editor and navigate to the ACM settings location

    1. For the 64-bit version of ACM, the location is:

      1. HKEY_LOCAL_MACHINE\Software\AutomationSolutions\Communication Manager

    2. For the 32-bit version of ACM, the location is:

      1. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AutomationSolutions\Communication Manager

  2. Click ‘Communication Manager’ in the left-hand tree view so it is the selected node.

  3. Right-click in the empty space of the right-hand pane and select ‘New > DWORD (32-bit) Value’

  4. Change the name to: AuthLevel

  5. Change the value to: 5

The new entry should look like the one shown below, outlined in red:

Disabling DCOM Hardening in ACM 9.0.X and Earlier

If you enabled DCOM Hardening in ACM 9.0.X and earlier according to the instructions above and wish to disable it again, you can do so following these instructions:

  1. Open the Windows Registry Editor and navigate to the ACM settings location

    1. For the 64-bit version of ACM, the location is:

      1. HKEY_LOCAL_MACHINE\Software\AutomationSolutions\Communication Manager

    2. For the 32-bit version of ACM, the location is:

      1. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AutomationSolutions\Communication Manager

  2. Click ‘Communication Manager’ in the left-hand tree view so it is the selected node.

  3. Right-click the entry named “AuthLevel” in the right-hand pane.

  4. Select “Modify”

  5. Change the value to: 2

  6. Click OK

The new entry should look like the one shown below, outlined in red:

AUTOSOL Enterprise Server (AES)

AES no longer receives updates or fixes. It will not be compatible with DCOM Hardening changes.

For assistance, please submit a ticket via our Support Portal, email autosol.support@autosoln.com or call 281.286.6017 to speak to a support team member.