        Using OPC via DCOM with Microsoft Windows
         Contents
1. i. The Enable DCOM on this computer option is checked,
   ii. The Default Authentication Level is set to Connect, and
   iii. The Default Impersonation Level is set to Identify.

   [Screenshot: My Computer properties, Default Properties tab]

   Figure 1: My Computer properties, Default Properties settings

   Microsoft Windows DCOM Configuration Guide 8 MatrikonOPC

   b. On the COM Security tab (Figure 2):

   [Screenshot residue: My Computer properties, COM Security tab (Access Permissions; Launch and Activation Permissions)]
2. [Screenshot residue: Local Security Settings, Security Options policy list]

   Figure 17: Local Security Settings, Network access: Sharing and Security model

   9. Select the Classic option by double-clicking the setting to open the dialogue at (Figure 17), and select from the drop-down menu.

   [Screenshot: "Classic - local users authenticate as themselves"]

   Figure 18: Network access: Sharing and security model dialogue

   10. Return to the Local Security Policy settings and select User Rights Assignment from the Local Policies group. Double-click on Access this computer from the network to open the dialog for this setting.

   [Screenshot residue: Local Security Settings window]
3. [Screenshot residue: Local Security Settings, Security Options policy list, including the entries "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" and "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax"]
4. MatrikonOPC

   Microsoft Windows DCOM Configuration
   Windows XP SP3 and Server 2003 SP2 Configuration Guide

   This manual is a product of Matrikon Inc.

   Matrikon Inc.
   Suite 1800, 10405 Jasper Avenue
   Edmonton, AB T5J 3N4
   Canada

   Phone: 780 448 1010
   Fax: 780 448 9191
   www.matrikonopc.com

   Document Revision History

   Date | Document Version | Description | Author
   2010-05-31 | 1.0 | Converted to new template | LB

   SOFTWARE VERSION

   Version: N/A

   DOCUMENT VERSION

   Version: 4.0

   COPYRIGHT INFORMATION

   Copyright 2010, Matrikon Inc. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, translated, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of Matrikon Inc.

   CONFIDENTIAL

   The information contained herein is confidential and proprietary to Matrikon Inc. It may not be disclosed or transferred, directly or indirectly, to any third party without the explicit written permission of Matrikon Inc.

   LIMITATIONS

   Matrikon has made its best effort to prepare this manual. Matrikon makes no representation or warranties of any kind with regard to the completeness or accuracy of the contents here
5. [Screenshot residue: list of applications under DCOM Config]

   7. To edit the settings for each OPC Server, browse to the OPC Server, right-click on it, and select Properties.

      a. On the General tab (Figure 6), set the Authentication Level to Connect.

   [Screenshot: General tab. Application Name: MatrikonOPC Server for DataManager; Application ID: 45007EB0-E431-11D3-8DCD-0050D4890273; Application Type: Local Service; Service Name: MatrikonOPC Server for DataManager]

   Figure 6: DCOM Settings, General tab

      b. On the Security tab (Figure 7):
         i. Under Launch and Activation Permissions, select the Customize radio button. Then click on Edit.
6. Pack 1 for Windows 2003. These settings are the same as the DCOM options in the Local Security Policy, but are recorded in different Registry keys. Due to the fact that Windows applies Local Security Policies with a higher priority than the Registry keys applied by these settings, when the Local Security Policy Options for these configuration items are set, the Edit Limits buttons will be greyed out or inactive.

   When configuring the DCOM settings for your computer, if the Edit Limits buttons are active, do not make changes here. The procedure for configuring the Local Security Policy Options will negate these changes, and will be covered later in this document.

   [Screenshot: Launch Permission, Default Security. Group or user names include Administrators, ANONYMOUS LOGON, Everyone and INTERACTIVE; permissions listed: Local Launch, Remote Launch, Local Activation, Remote Activation]

   Figure 4: Launch and Activation permissions

   5. The DCOM settings for each OPC Server object must now be individually configured. This serves two (2) purposes:
      a. It removes dependence on the Default settings for each server, and
      b. It allows for permissions on each Server object to be restricted to only those who require it.
   6. Under My Computer, open the folder labelled DCOM Config.
7. [Screenshot residue: Local Security Settings, Security Options policy list. Rows relevant to this procedure: "Network access: Let Everyone permissions apply to anonymous users" (Enabled) and "Sharing and security model for local accounts" (Classic - local users authenticate as ...)]
8. [Screenshot residue: My Computer properties, COM Security tab]

   Figure 2: My Computer properties, COM Security settings

      i. Under Access Permissions (Figure 3), click on the Edit Default button.
      ii. Add the following. Do not remove any others that may already be listed there:
          1. Anonymous Logon (this must be added in order for OPC Enumerator to function correctly)
          2. Everyone
          3. Interactive
          4. Network
          5. System
      iii. Ensure that both Local and Remote Access are Allowed.
      iv. Click on OK.

   [Screenshot: Access Permission, Default Security. Group or user names include ANONYMOUS LOGON, Everyone, INTERACTIVE and NETWORK; permissions for ANONYMOUS LOGON: Local Access, Remote Access]

   Figure 3: Access Permissions dialogue

      v. Under Launch and Activation Permissions (Figure 4), click on the Edit Default button.
      vi. Add the following. Do not remove any others that may already be listed there:
          1. Anonymous Logon
          2. Everyone
          3. Interactive
          4. Network
          5. System
      vii. Ensure that Local and Remote Launch and Activation are Allowed.
      viii. Click on OK.
   c. The Edit Limits (Figure 2) option in this tab applies machine-wide settings for Access and Launch permissions. This is an additional layer of security added in Service Pack 2 for Windows XP and Service
9. [Screenshot residue: server Properties dialogue, Security tab, with Use Default / Customize options for Launch and Activation Permissions, Access Permissions and Configuration Permissions]

   Figure 7: DCOM Settings, Security tab

         ii. Add the following users:
             1. Everyone
             2. Interactive
             3. Network, and
             4. System
         iii. Ensure that all Users have Local and Remote Launch and Activation permissions Allowed selected. Then click OK.
         iv. Under Access Permissions select the Customize radio button. Then click Edit.
         v. Add the following users:
             1. Everyone
             2. Interactive
             3. Network, and
             4. System
         vi. Ensure that all Users have Local and Remote Access permissions Allowed selected. Then click OK.
      c. On the Endpoints tab (Figure 8), ensure that Connection-oriented TCP/IP is entered in the list.

   [Screenshot: MatrikonOPC Server for DataManager Properties, Endpoints tab. DCOM Protocols and endpoints: Connection-oriented TCP/IP]

   Figure 8: DCOM Settings, Endpoints tab

      d. On the Identity ta
10. Region | Office Hours | Contact Information
    North America (UTC/GMT -7 hours, MST) | 8:00 - 5:00 | 1 877 OPC 4 ALL
    Europe/Africa (UTC/GMT +1 hours, CET) | 9:00 am - 5:00 pm | 49 221 969 77 0; Request OPC Support
    Australia/Asia (UTC/GMT +10 hours, AEST) | 9:00 am - 5:00 pm | 61 2 4908 2198; Request OPC Support

    Toll free regional numbers coming soon.

    Table 2 - MatrikonOPC Support Regional Contact Information

    For after hours support in all regions, please use either of the following numbers. There is no extra charge from MatrikonOPC for calling their after hours support numbers.

    Region | Contact Information
    All | 1 780 231 9480; 1 780 264 6714

    Table 3 - After Hours Support

    DCOM Security Settings

    OPC uses ActiveX COM and DCOM to communicate, so we must set the DCOM permissions to allow communication between DCOM objects.

    1. Go to Start > Run or use the Windows Key + R shortcut to launch the Run window.
    2. Type in dcomcnfg and click OK.
    3. In the Component Services window, navigate to Console Root > Component Services > Computers by clicking on the + icons to the left of the headings. Right-click on My Computer and select Properties.
    4. On the My Computer Properties window, ensure that the following settings are properly configured:
       a. On the Default Properties tab (Figure 1)
11. [Screenshot residue: Local Security Settings, User Rights Assignment list]

    Figure 19: Local Security Settings, User Rights Assignment

    11. Ensure that all Users are added to this setting to allow access from the network.

    [Screenshot: Access this computer from the network Properties. Listed: Administrators, ASPNET, Backup Operators, Everyone, Power Users, Users]

    Figure 20: Network access properties dialogue

    12. Your DCOM is now set up to accept all incoming connections.

    Notes

    • These settings will allow full access to your system. This allows for easy communication in most cases. It also has set the security on your system to its lowest state. From this state you can narrow down the security settings so that only those who require access to your system are permitted. This is most easily accomplished using Groups rather than individual users.

    Limitatio
12. as follows:
    • Introduction - this introductory chapter.
    • DCOM Security Settings - provides information about setting DCOM permissions to allow communication between DCOM objects.
    • Windows Firewall - guides you through the steps needed to disable the firewall, if required.
    • Data Execution Prevention - guides you through the steps needed to disable the DEP, if required.
    • Local Security Policy - guides you through the steps needed to establish communication if you are using workgroups.
    • Limitations - outlines connectivity limitations.

    References

    This document references information found within the following documents/sites:
    • www.matrikonopc.com
    • www.opcsupport.com
    • www.opsfoundation.org

    Document Terminology

    Table 1 provides a list of definitions for terms throughout this document.

    Term/Abbreviation | Description
    DCOM | Distributed Component Object Model
    DEP | Data Execution Prevention
    ACL | Access Control List

    Table 1 - Terms and Definitions

    Contacting Support

    The MatrikonOPC Customer Services department (www.opcsupport.com) is available 24 hours a day, seven days a week.

    Contact MatrikonOPC Support using the information below, or send an email (support@MatrikonOPC.com).

    For Monday to Friday daytime support requests, contact MatrikonOPC Support using the regional phone numbers provided in Table 2.
13. Document Terminology
    Contacting Support
    DCOM Security Settings
    Additional Security Notes
    Windows Firewall
    Data Execution Prevention
    Local Security Policy
    Limitations

    Table of Tables

    Table 1 - Terms and Definitions
    Table 2 - MatrikonOPC Support Regional Contact Information
    Table 3 - After Hours Support

    Introduction

    All OPC communication is based on Microsoft COM (Component Object Model) technology. OPC uses DCOM (Distributed Component Object Model) technology for remote communication, so you must properly configure DCOM permissions to achieve successful communication between OPC components.

    The included information will guide you through the process of setting DCOM to enable all communication. This is preferabl
14. b (Figure 9), ensure that your server is running as This user, whether the object is registered as a Service or as an Application. If it is running as a service, the System account can also be used. The recommended setting for this is to run as a service using the System Account identity. It is highly recommended that the Launching User identity not be used. Click OK to return to the Component Services window.

    [Screenshot: MatrikonOPC Server for DataManager Properties, Identity tab. "Which user account do you want to use to run this application?" Options shown include This user and The system account (services only)]

    Figure 9: DCOM Settings, Identity tab

    Additional Security Notes

    By setting the Identity to "Interactive User" it is necessary to remain logged on at this computer in order for the application to run. This may represent a contradiction of your Company IT Security Policy. If this software must be run as an application, it may be more effective to run as This User and provide credentials for the application to use.

    In order for the server objects to be properly discovered by the clients, the OPC Server List Utility (OPC Enumerator) must also be properly configured for DCOM. This utility is a COM server and must allow connection and access by the clients as well.
15. [Screenshot residue: Local Security Settings, Security Options policy list]
16. e for testing/diagnostic purposes.

    Users often experience difficulties with OPC communication on Microsoft Windows XP SP2 and Windows 2003 SP1 due to advanced security settings. This document describes how to disable these security settings to allow OPC communication. This document also relates to Microsoft Windows SP3 and Microsoft Windows Server 2003 SP2.

    Note: This guide shows you how to enable all DCOM permissions for OPC communications. It is up to the user to disable unused DCOM settings to prevent unauthorized entry to their OPC server.

    Required Software

    This guide has been written and tested for all versions of:
    • Microsoft Windows XP Pro
    • Microsoft Windows Server 2003

    Some settings, such as Data Execution Prevention (DEP), are relevant for only Windows XP SP2 and SP3, and Windows Server 2003 SP1, SP2, and R2.

    Who Should Use This Guide

    This guide is designed for users who are attempting to connect to an OPC server using DCOM and cannot establish connectivity.

    Overview of Guide

    This document uses icons to highlight valuable information. Remember these icons and what they mean, as they will assist you throughout the manual.

    [Icon] This symbol denotes important information that must be acknowledged.

    BOLD: Font displayed in this color and style indicates a hyperlink to the applicable/associated information within this document, or if applicable, any external sources.

    The chapters in this document are structured
17. ess permission configuration in the Default DCOM settings:
          i. Anonymous Logon
          ii. Everyone
          iii. Interactive
          iv. Network, and
          v. System
       b. Click OK to return to the main security policy window.

    [Screenshot: Access Permission, Security Limits. Group or user names: ANONYMOUS LOGON, Everyone, INTERACTIVE, NETWORK, SYSTEM; permissions for ANONYMOUS LOGON: Local Access, Remote Access]

    Figure 14: Access Permissions dialogue

    5. Repeat this process for the DCOM: Machine Launch restrictions settings.
    6. Return to the Local Security Policy Options and select the Network Access: Let Everyone permissions apply to anonymous users.

    [Screenshot residue: Local Security Settings, Security Options policy list]
18. [Screenshot residue: Local Security Settings, Local Policies, User Rights Assignment list with Security Setting column]
19. [Screenshot residue: Local Security Settings, Security Options policy list with Security Setting column]

    Figure 12: Local Security Settings dialogue

    4. Click on the Edit Security button.

    [Screenshot: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax", Template Security Policy Setting. Dialogue text: "If the security descriptor is left blank after defining the policy setting in the template, the policy setting will not be enforced."]

    Figure 13: Machine Access Restrictions dialogue

       a. Ensure that the following Users/Groups are added and that all have Local and Remote Access allowed; this is the same as the Acc
20. in and accepts no liability of any kind, including without limitation warranties of merchantable quality, satisfactory quality, merchantability and fitness for a particular purpose on those arising by law, statute, usage of trade, course of dealing or otherwise. Matrikon shall not be liable for any losses or damages of any kind caused or alleged to be caused directly or indirectly from this manual.

    LICENSE AGREEMENT

    This document and the software described in this document are supplied under a license agreement and may only be used in accordance with the terms of that agreement. Matrikon reserves the right to make any improvements and/or changes to product specifications at any time without notice.

    TRADEMARK INFORMATION

    The following are either trademarks or registered trademarks of their respective organizations:

    Matrikon and MatrikonOPC are trademarks or registered trademarks of Matrikon Inc.

    OTHER

    MatrikonOPC is a division of Matrikon Inc.

    Table of Contents

    Introduction
    Required Software
    Who Should Use This Guide
    Overview of Guide
    References
21. ns

    DCOM was developed to function in a specific environment where the following conditions applied:

    • All machines and users belonged to the same domain
    • There were no firewalls enabled on any machines or network devices
    • All communication media were highly reliable
    • There were no bandwidth restrictions

    All of these were typical of a LAN setup in an average office environment. However, this bears little resemblance to the process control networks of today. Multiple domains, IT policies that dictate that the Windows Firewall be enabled on all machines, geographically dispersed sources of data and a multitude of other factors all make OPC communication based on DCOM extremely complicated to configure and still maintain security.

    Tunnelling technology can provide successful DCOM communications across firewalls or domains/workgroups. Using a single TCP port to the remote computer, issues involving workgroups, domains and firewalls no longer hamper OPC communication. This allows you to establish OPC communication without sacrificing security.

    The MatrikonOPC Tunneller is one of our most popular products because of its ease of use, automatic reconnection system and time savings in implementation that it offers. Contact your Account Manager or visit our website at www.matrikonopc.com for more information on this (and other) MatrikonOPC solutions.
22. Windows Firewall

    For Service Pack 2 to Windows XP and Service Pack 1 for Windows 2003, the Windows Firewall was turned on by default. This software firewall will prevent DCOM communication by blocking the remote calls that DCOM requires for such functions as DNS name resolution, function calls and callbacks, to name a few. Exceptions can be made in the firewall, either by application or by port number. This process is described elsewhere, for example in the Windows Help files. The issue is that DCOM requires such a wide range of ports be opened that there are serious gaps left in the security of the system thus configured.

    It is more effective to turn the firewall off, if permitted by your company IT policy. If not permitted, contact your IT department and request permission to temporarily turn it off in order to troubleshoot the system. To turn off the Windows Firewall, follow this procedure:

    1. Navigate to Windows Control Panel.
    2. Double-click on the Windows Firewall icon.
    3. Set the Windows Firewall to OFF, and click OK.

    Data Execution Prevention

    Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2), Microsoft Windows Server 2003 SP1 and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced b
23. [Figure 15: Local Security Settings - Network Access]

7. Enable this option by double-clicking on the setting to open the dialogue in Figure 13, and selecting Enable.

[Figure 16: Network Access - Everyone permissions. The dialogue shows the "Network access: Let Everyone permissions apply to anonymous users" setting with Enabled and Disabled options.]

8. Return to the Local Security Policy Options and select the Network Access: Sharing and security model for local users.

[Screenshot: Local Security Settings window]
24. the Performance Options tab (Figure 11), select the Turn on DEP for essential Windows programs and services only option. This is the setting we refer to as OFF.

[Figure 11: Performance Options dialogue. Options shown: "Turn on DEP for essential Windows programs and services only" and "Turn on DEP for all programs and services except those I select".]

4. Click OK. If you changed the setting, it will be necessary to restart the operating system.

Local Security Policy

If you are using workgroups instead of domains, the following steps may need to be taken in order to establish communication. Please note that these changes may compromise the security of your system; speak with your network administrator if you have any concerns.

1. Navigate to Start > Settings > Control Panel > Administrative Tools > Local Security Policy.
2. Navigate to Security Settings > Local Policies > Security Options (Figure 12).
3. Right-click on DCOM: Machine Access Restrictions and select Properties, or double-click on this option. Either method will open the Properties dialogue.

[Screenshot: Local Security Settings window]
25. [Figure 5: DCOM Objects list, shown in the Component Services console under Computers > My Computer > DCOM Config]
26. y hardware and by software.

DEP will also prevent many installations from running, and has been known to cause other software issues. Most MatrikonOPC software released since late 2006 will detect the DEP setting and, if turned on, terminate the installation process.

Most MatrikonOPC Software released since August 2009 no longer requires DEP to be turned off. Please verify this by reading the release notes and user manual for each software installed.

If the software has been installed with DEP turned on, the following steps must be performed:

1. Turn DEP OFF
2. Restart the Operating System
3. Uninstall the OPC software
4. Re-install the OPC software

To turn DEP OFF, perform the following steps:

1. From your Start menu, right-click on My Computer and select Properties.
2. On the Advanced tab (Figure 10), under Performance, click the Settings button.

[Figure 10: System properties dialogue]

3. On
    