DCOM Security and Configuration

Configure local security settings



DCOM Security and Configuration, 12-19-2022

• Configure local security settings
• Configure Windows Firewall settings
• Setting encryption level and NTLM negotiation
Parent topic: DCOM configurations for OPC
Configure local security settings
You must configure the local security settings that affect DCOM authentication. After making these changes, your Windows platform might require you to restart to put changes to group membership into effect.
Note: Rather than set the Sharing and security model for local access security setting as described here, you can disable simple file sharing using the Windows Explorer options. However, be advised that the local guest account remains enabled, and DCOM connections are not authenticated.
Procedure
1. Click Start > Control Panel > Administrative Tools > Local Security Policy. (Alternatively, to launch the Local Security Policy control panel, type secpol.msc in the Start menu Search field.)
2. Under Security Settings, click Local Policies > Security Options.
3. Configure settings as follows:
   Network access
   Right-click Sharing and security model for local access and choose Classic – local users authenticate as themselves. Click OK.
   System objects (Windows Server 2003 only)
   Right-click Default owner for objects created by members of the Administrators group and select Administrators group. Save your settings and exit.
Note: You should also open a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM applications. Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
©2022 AVEVA Group plc and its subsidiaries. All rights reserved.
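The procedure and note above can be applied from an elevated PowerShell session instead of the Local Security Policy console. The script below is an added example and is not part of the AVEVA document: it reads and sets the registry value behind the "Sharing and security model for local access" policy (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest, where 0 is Classic and 1 is Guest only) and reserves a DCOM/RPC port range above 5000 under HKLM\SOFTWARE\Microsoft\Rpc\Internet. The range 5001-5100 is a constructed example; choose the range your site allocates, and allow the same range inbound in the firewall.

```powershell
# Added example, not from the AVEVA document. Run elevated on the OPC node.
# Assumptions: the port range 5001-5100 is a constructed example.
# Registry backing of "Network access: Sharing and security model for local access":
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest
#   0 = Classic (local users authenticate as themselves)
#   1 = Guest only (local users authenticate as Guest)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-LocalAccessModel {
    $v = (Get-ItemProperty -Path $lsaKey -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
    if ($null -eq $v) { 'ForceGuest not present (policy not explicitly configured)' }
    elseif ($v -eq 0) { 'Classic - local users authenticate as themselves' }
    else              { 'Guest only - local users authenticate as Guest' }
}

function Set-ClassicLocalAccess {
    # Same effect as choosing "Classic" in Local Security Policy > Security Options.
    Set-ItemProperty -Path $lsaKey -Name ForceGuest -Value 0 -Type DWord
}

function Set-DcomPortRange {
    param(
        [int]$Start = 5001,   # above port 5000, as the note recommends
        [int]$Count = 100     # the note's recommended minimum number of ports
    )
    $end = $Start + $Count - 1
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    # The RPC runtime reads these values when services start, so a restart is required.
    New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString -Value @("$Start-$end") -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
    "$Start-$end"
}

"Before: $(Get-LocalAccessModel)"
Set-ClassicLocalAccess
"After:  $(Get-LocalAccessModel)"
$range = Set-DcomPortRange
"DCOM port range $range reserved; allow the same TCP range inbound in the firewall and restart the node."
```

Get-LocalAccessModel is safe to run on its own as a read-only check, for example when auditing an OPC node before changing anything; the two Set- functions write to HKLM and need an elevated session.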
Windows Server 2008 and Windows 7 include changes designed to enhance the security of the NTLM authentication protocol, which is used by servers and clients when running in workgroup mode. By default, these versions of Windows are configured so that they will only communicate with other computers that use the enhanced NTLM security. This can prevent authentication from the OPC client to the OPC server when using local accounts. To ensure interoperability, OPC server and client nodes must be configured so that the NTLM-specific settings on the two computers match. Older Windows versions (at least back to Windows XP) with up-to-date service packs will support the new settings. Windows 2003 Service Pack supports this setting.
See the OSIsoft KB article "KB - Configuring NTLM authentication for OPC" for details.
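Because the NTLM-specific settings must match on the client and the server, it helps to read them from both nodes side by side before troubleshooting a failed connection. The script below is an added example and is not part of the AVEVA document or the OSIsoft KB article. It reads the registry values behind three "Network security" policies (LAN Manager authentication level, and the minimum session security for NTLM SSP based clients and servers) and reports which ones differ. It assumes PowerShell remoting is enabled between the nodes; OPCSERVER01 and OPCCLIENT01 are constructed host names.

```powershell
# Added example, not from the AVEVA document. Assumes PowerShell remoting to both nodes.
# Policy -> registry backing (Local Security Policy > Security Options):
#   Network security: LAN Manager authentication level
#       HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel  (0..5)
#   Network security: Minimum session security for NTLM SSP based clients
#       HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec (flags)
#   Network security: Minimum session security for NTLM SSP based servers
#       HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinServerSec (flags)
#   Flag bits: 0x00080000 = require NTLMv2 session security, 0x20000000 = require 128-bit encryption

# Probe that runs on each node and returns the raw values ($null = not configured).
$probe = {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel
        NtlmMinClientSec     = $msv.NtlmMinClientSec
        NtlmMinServerSec     = $msv.NtlmMinServerSec
    }
}

function Format-Setting([string]$Name, [object]$Value) {
    if ($null -eq $Value) { return 'not configured' }
    # Flag values are easier to compare in hex; mask to 32 bits in case the DWORD read back negative.
    if ($Name -like 'NtlmMin*') { return '0x{0:X8}' -f ([int64]$Value -band 0xFFFFFFFF) }
    return [string]$Value
}

function Compare-NtlmSettings {
    param(
        [Parameter(Mandatory)][string]$ServerNode,
        [Parameter(Mandatory)][string]$ClientNode
    )
    $server = Invoke-Command -ComputerName $ServerNode -ScriptBlock $probe
    $client = Invoke-Command -ComputerName $ClientNode -ScriptBlock $probe
    foreach ($name in 'LmCompatibilityLevel', 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $s = Format-Setting $name $server.$name
        $c = Format-Setting $name $client.$name
        [pscustomobject]@{
            Setting = $name
            Server  = $s
            Client  = $c
            Match   = ($s -eq $c)
        }
    }
}

# Usage (constructed host names); any row with Match = False is a setting to reconcile.
Compare-NtlmSettings -ServerNode 'OPCSERVER01' -ClientNode 'OPCCLIENT01' | Format-Table -AutoSize
```

To inspect only the node you are logged on to, run `& $probe` locally; the probe is read-only, so it can be run on production OPC nodes without changing anything.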
Parent topic: Configuring operating system settings
Configure Windows Firewall settings
If Windows Firewall is enabled on your OPC computers, you must allow certain programs through the firewall.
The general guidelines for firewall configuration are to:
• Deny all incoming traffic to the OPC node (recommended).
• Allow incoming traffic from specific OPC nodes to TCP port 135.
• Allow incoming traffic from specific OPC nodes to the specific ephemeral TCP port range.
Procedure
1. Click Start > Control Panel and double-click Windows Firewall.
2. On the Exceptions tab, enable exceptions for the following:
   • TCP Port 135 (Click Add port...)
   • Ephemeral ports (Click Add port... for each)
   • opcenum.exe (Click Add program...)
   • Your OPC server executable (Click Add program...)
3. To restrict the source of the incoming TCP connections to the OPC client node exclusively, click Change
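On Windows 8, Windows Server 2012 and later, the same exceptions can be created with the NetSecurity cmdlets, with the source restricted to the OPC client nodes from the start rather than opened to any address. The script below is an added example and is not part of the AVEVA document: it creates the four inbound rules (TCP 135, the ephemeral range, OpcEnum and the OPC server program) and then lists them with their port and remote-address filters so the restriction can be verified. The client address 192.0.2.10, the port range 5001-5100 and the OPC server path are constructed placeholders; the OpcEnum path under System32 is an assumption, check it on your node.

```powershell
# Added example, not from the AVEVA document. Requires Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated session. All values below are placeholders.
$clientNodes   = @('192.0.2.10')                                  # OPC client node(s) allowed in
$ephemeralPort = '5001-5100'                                      # must match the DCOM/RPC port range on this node
$opcEnumPath   = "$env:SystemRoot\System32\OpcEnum.exe"           # assumed location of OpcEnum
$opcServerPath = 'C:\Program Files\ExampleVendor\OpcServer.exe'   # placeholder for your OPC server executable

function Add-OpcFirewallRules {
    param(
        [string[]]$RemoteAddress,
        [string]$PortRange,
        [string]$OpcEnum,
        [string]$OpcServer
    )
    # Every rule is inbound, allow, scoped to the named client nodes, and grouped for easy review/removal.
    $common = @{
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = @('Domain', 'Private')
        RemoteAddress = $RemoteAddress
        Group         = 'OPC DCOM'
    }
    # RPC endpoint mapper: the client connects here first to learn the server's dynamic port.
    New-NetFirewallRule -DisplayName 'OPC DCOM - RPC endpoint mapper (TCP 135)' -Protocol TCP -LocalPort 135 @common
    # The ephemeral/dynamic range the DCOM server object is actually reached on.
    New-NetFirewallRule -DisplayName "OPC DCOM - ephemeral TCP $PortRange" -Protocol TCP -LocalPort $PortRange @common
    # Program exceptions: OpcEnum (server browsing) and the OPC server itself.
    New-NetFirewallRule -DisplayName 'OPC DCOM - OpcEnum' -Program $OpcEnum @common
    New-NetFirewallRule -DisplayName 'OPC DCOM - OPC server' -Program $OpcServer @common
}

function Get-OpcFirewallRuleSummary {
    # One row per rule showing the port and remote-address scope, so an "Any" source stands out.
    Get-NetFirewallRule -Group 'OPC DCOM' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

Add-OpcFirewallRules -RemoteAddress $clientNodes -PortRange $ephemeralPort -OpcEnum $opcEnumPath -OpcServer $opcServerPath | Out-Null
Get-OpcFirewallRuleSummary | Format-Table -AutoSize
```

Keeping the rules in the 'OPC DCOM' group means a later change of client node is a matter of `Set-NetFirewallAddressFilter` on that group, and any rule whose RemoteAddress shows Any in the summary is one that was opened wider than the guideline above intends.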