experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
Windows Server 2008 and Windows 7 include changes designed to enhance the security of the NTLM authentication protocol, which is used by servers and clients when running in workgroup mode. By default, these versions of Windows are configured so that they will only communicate with other computers that use the enhanced NTLM security. This can prevent authentication from the OPC client to the OPC server when using local accounts. To ensure interoperability, OPC server and client nodes must be configured so that the NTLM-specific settings on the two computers match. Older Windows versions (at least back to Windows XP) with up-to-date service packs will support the new settings. Windows 2003 Service Pack supports this setting.
For details, see the OSIsoft KB article: KB - Configuring NTLM authentication for OPC
Configure Windows Firewall settings
If Windows Firewall is enabled on your OPC computers, you must allow certain programs through the firewall.
The general guidelines for firewall configuration are to:
• Deny all incoming traffic to the OPC node (recommended).
• Allow incoming traffic from specific OPC nodes to TCP port 135.
• Allow incoming traffic from specific OPC nodes to the specific ephemeral TCP port range.
Procedure
1. Click Start > Control Panel and double-click Windows Firewall.
2. On the Exceptions tab, enable exceptions for the following:
• TCP Port 135 (Click Add port...)
• Ephemeral ports (Click Add port... for each
• opcenum.exe (Click Add program...)
• Your OPC server executable (Click Add program...)
3. To restrict the source of the incoming TCP connections to the OPC client node exclusively, click Change
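
The same exceptions, scoped to named OPC peers, can be scripted on Windows 8 / Windows Server 2012 and later, where the NetSecurity cmdlets are available. This is an added example, not part of the original procedure; the peer addresses, port range, executable paths and the rule group name are placeholders to replace with your own values.

```powershell
# Added example. All values in this block are constructed placeholders.
$OpcPeers    = @('192.0.2.10', '192.0.2.11')              # remote OPC nodes allowed in
$PortFirst   = 50000                                      # first ephemeral port reserved for DCOM (assumed)
$PortLast    = 50099                                      # last ephemeral port reserved for DCOM (assumed)
$OpcEnumPath = "$env:SystemRoot\System32\OpcEnum.exe"     # assumed location; confirm on the node
$OpcServer   = 'C:\Path\To\YourOpcServer.exe'             # placeholder for your OPC server executable
$Group       = 'OPC DCOM'                                 # hypothetical group name used to manage the rules

# The guidance above calls for a minimum of 100 ports in the ephemeral range.
$portCount = $PortLast - $PortFirst + 1
if ($portCount -lt 100) {
    throw "Ephemeral range holds $portCount ports; at least 100 are needed."
}

# Refuse to create program rules for executables that do not exist.
foreach ($exe in @($OpcEnumPath, $OpcServer)) {
    if (-not (Test-Path -LiteralPath $exe)) { throw "Executable not found: $exe" }
}

# Guideline 1: deny all incoming traffic unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Re-running the script replaces the previous rule set instead of stacking duplicates.
Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue

# Every rule is inbound, TCP only, and limited to the listed OPC peers (step 3).
$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'
    RemoteAddress = $OpcPeers
    Profile       = 'Any'
    Group         = $Group
}

# Guidelines 2 and 3: TCP 135 and the ephemeral range.
New-NetFirewallRule @common -DisplayName 'OPC - TCP 135' -LocalPort 135 | Out-Null
New-NetFirewallRule @common -DisplayName 'OPC - ephemeral ports' -LocalPort "$PortFirst-$PortLast" | Out-Null

# Program exceptions from step 2: opcenum.exe and the OPC server executable.
New-NetFirewallRule @common -DisplayName 'OPC - OpcEnum' -Program $OpcEnumPath | Out-Null
New-NetFirewallRule @common -DisplayName 'OPC - OPC server' -Program $OpcServer | Out-Null

# Check: list any rule in the group that still accepts traffic from any source.
Get-NetFirewallRule -Group $Group | Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -contains 'Any' }
```

The final pipeline should return nothing; any row it prints is a rule that is not restricted to the OPC peers.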