7/31/2019 Dcom_info
Network Service (if running the IIS Default App Pool under this
identity above I recommend changing it to Local System)
The reason for setting all of these file permissions is that these
accounts read, write, and delete files from the FileTransfer folder as part
of how the HFM Web application works.
Under Local Users and Groups (execute lusrmgr.msc from the run
prompt)
Assign the user GOLDBAR\hypadmin to the Distributed COM Users
group. This needs to be set explicitly even though
GOLDBAR\hypadmin is in the Local Administrators group and I
noticed that this was not set up on the servers.
Verify that the GOLDBAR\hypadmin account is in the Local
Administrators group on each server.
Under Local Policy (execute secpol.msc from the run prompt)
Assign the user GOLDBAR\hypadmin the following rights:
1. Act as Part of Operating System
2. Bypass Traverse Checking
3. Log on as Batch Job
4. Allow Logon Locally
Only a subset of these rights are currently assigned on the servers and
all four of these should be set on each of the servers listed above.
1. DCOM Security Considerations - verify the following:
Under DCOM Configuration (execute dcomcnfg from the run prompt)
Under Component Services > My Computer, right-click and select Properties
On the tab Default Properties:
1. Verify Enable Distributed COM on this computer is checked
2. Default Authentication level should be None
3. Default Impersonation Level should be Identify
On the tab COM Security
Under Access Permissions
1. Click on Edit Limits
Verify that the users Everyone, Anonymous Logon,
Interactive, and System have been added and given Allow for
Local and Remote Access. There may be a lot of other
users/groups already listed here as well.
2. Repeat the process for Edit Default
Verify that the users Everyone, Anonymous Logon,
Interactive, and System have been added and given Allow for
Local and Remote Access. There may be a lot of other
users/groups already listed here as well.
Under Launch and Activation Permissions
1. Click on Edit Limits
Verify that the users Everyone, Anonymous Logon,
Interactive, and System have been added and given Allow for
Local and Remote Access. There may be a lot of other
users/groups already listed here as well.
2. Repeat the process for Edit Default
Verify that the users Everyone, Anonymous Logon,
Interactive, and System have been added and given Allow for
Local and Remote Access. There may be a lot of other
users/groups already listed here as well.
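A read-only way to check the Default Properties and COM Security settings from the steps above, added here as an example and not part of the original document. It assumes PowerShell 5 or later and the standard registry location HKLM\SOFTWARE\Microsoft\Ole; the function name Get-DcomAcl is made up for this example.

```powershell
# Added example (not from the original document): read-only report of the
# machine-wide DCOM settings that dcomcnfg stores under HKLM\SOFTWARE\Microsoft\Ole.
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM access-mask bits as defined in the Windows SDK (COM_RIGHTS_*).
$rights = [ordered]@{
    LocalExecute   = 0x02   # Local Access / Local Launch
    RemoteExecute  = 0x04   # Remote Access / Remote Launch
    LocalActivate  = 0x08   # Local Activation
    RemoteActivate = 0x10   # Remote Activation
}

# Hypothetical helper: decode one binary security descriptor into one row per ACE.
function Get-DcomAcl {
    param([Parameter(Mandatory)][string]$ValueName)
    $bytes = (Get-ItemProperty -Path $ole -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return }   # value absent: the built-in Windows default applies
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "$sid" }   # unresolvable SID: show it raw
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Setting   = $ValueName
            Principal = $name
            AceType   = $ace.AceType
            Rights    = @($rights.Keys | Where-Object { $mask -band $rights[$_] }) -join ', '
        }
    }
}

# Default Properties tab. A Legacy* value is empty if it was never changed from the default.
$p = Get-ItemProperty -Path $ole
[pscustomobject]@{
    EnableDCOM          = $p.EnableDCOM                  # 'Y' when the box is checked
    AuthenticationLevel = $p.LegacyAuthenticationLevel   # 1 = None
    ImpersonationLevel  = $p.LegacyImpersonationLevel    # 2 = Identify
} | Format-List

# COM Security tab: Edit Limits (Machine*Restriction) and Edit Default (Default*Permission).
'MachineAccessRestriction', 'MachineLaunchRestriction',
'DefaultAccessPermission',  'DefaultLaunchPermission' |
    ForEach-Object { Get-DcomAcl -ValueName $_ } |
    Format-Table -AutoSize
```

Rows where Everyone or ANONYMOUS LOGON hold RemoteExecute or RemoteActivate are the entries this procedure adds, and they show which principals can reach COM servers on the host over the network.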
2. DCOM Application Considerations - verify the following:
Under DCOM Configuration (execute dcomcnfg from the run prompt)
Under Component Services > My Computer > DCOM Config
For each of the DCOM applications (note: not all of these
applications are on each server) do the following:
HsvDataSource
HsxServer
HfmServer
HfmService
Right-click on the DCOM application and select properties.
1. Select the Identity Tab:
2. Select This User
3. Input the DCOM user GOLDBAR\hypadmin
4. Click on Apply
Next, select Security
Add the users Everyone, Anonymous Logon, Interactive, and
System to Launch and Activation Permissions and give them the
following rights:
Add the users Everyone, Anonymous Logon, Interactive, and
System to Access Permissions and give them the following rights:
Add the users Everyone, Anonymous Logon, Interactive, and
System to Configuration Permissions and give them the following
rights (except for Special; they don't need it and probably cannot
select it anyway):