
  • Windows XP Service Pack 2 (SP2) Support Advisory Center

    DCOM for XP SP2 Setup Tutorial - Step 1 Windows Firewall Settings

    The Windows Firewall settings are found by going to Start -> Control Panel and choosing the Windows Firewall icon. The screen below is the first one shown.

    We suggest using the Windows Firewall and setting it to the On setting shown below.

    If you choose "Don't allow exceptions" you will not be able to use DCOM or do any remote OPC Connections. We suggest leaving this unchecked.

    If you choose Off you are turning off the firewall and you can skip this part of the DCOM configuration. This is NOT RECOMMENDED except for testing purposes or for internal networks which you know you have otherwise secured from attack. You assume responsibility if you turn off the Windows Firewall.

    04/06/2010 Firewall

    softwaretoolbox.com/…/firewall.html 1/6

  • Next, click on the Exceptions Tab to perform two key steps:

    1. Enable incoming and outgoing DCOM network access by opening TCP/IP port 135.

    2. Enable OPCEnum.exe access to DCOM

    3. Allow each OPC client and server access to network resources

    The screen below already has opcenum.exe and some OPC client and OPC Server applications enabled as exceptions, and a port opened for DCOM.


  • Step 1A - Enabling DCOM:

    Should be performed on: Client and Server Computers

    DCOM isn't associated with any one executable (unlike your OPC clients and OPC servers) so we will enable it by adding a port. Click on the Add Port button.

    You need to fill out this dialog box exactly as shown above for DCOM to work. Port 135 is the standard Port number that DCOM uses. TCP must be checked. When done click OK.

    If you choose to click on the Change scope button in the Add a Port Dialog, we recommend the setting above. Any change to this requires advanced knowledge of the network system you are using and is beyond the scope of this tutorial.

    Step 1B - Enable OPCEnum.exe

    Should be performed on: OPC Server Computers at a minimum.

    OPCEnum.exe is a standard OPC application installed by nearly every OPC server on the market. It should be in the \Windows\System32\ directory if present. The purpose of OPCEnum.exe is to allow remote OPC clients to connect to a computer with OPC servers installed and ask the computer the question "Give me a list of your available OPC servers" and get a response. The OPC client can then pick the desired OPC server from the list and obtain the necessary data from the remote PC to then be able to establish a connection to that remote OPC server.

    If this step is not performed, or is not successful on any PCs where you have OPC servers installed, then the symptoms will be that your OPC client PCs will not be able to browse the remote PC for a list of available OPC servers.

    For the reasons above, it is critical that OPCEnum.exe be added as an exception.

    To add OPCEnum.exe, from the Windows Firewall Exceptions tab, click the Add Program button:

    Then in the resulting dialog you can browse to \Windows\System32\ and pick OPCEnum.exe to add as an exception.

    Step 1C - Enable OPC Client and OPC Server Applications

    Should be performed on: Client Computers for OPC Client Applications, Server computers for OPC Server applications.

    This step is where your list of OPC client and server applications is important. Users of Software Toolbox products, click for a list of applications, their filenames, and install locations.

    1. The applications may already appear in the exceptions dialog but need to be marked as exceptions - they would appear potentially using their "friendly name"

    2. If the applications are not already in the Exceptions list, you will need to know the name of the application executable (EXE) and its location on your hard drive so you can add it to the list.

    Adding an Application:

    As an example, we'll use an OPC client application that needs to be added to the exceptions list. These steps are the same whether you are adding an OPC client or OPC server application.

    On the Windows Firewall Exceptions tab, click on the Add Programs button. Using the dialog below, you can browse to the target application EXE on your hard drive to add it to the Exceptions list. No changes are required to the areas of setup accessed by the Change Scope button unless your vendor specific instructions suggest that you make a change there.

    Special Notes:

    If you have written your own OPC client application using all of your own code or using a rapid development tool like our OPC Data Control ActiveX you may need to add two different client side executables:

    First, the name you assigned to your compiled application will determine what application you need to add on the client side.

    Second, if you need to be able to test in debug mode, remember that the name of the EXE that corresponds to your development environment needs to be added. For example, if you use VB6, you need to also add VB6.exe if you plan to work in Visual Basic 6 and test/debug a client application you are writing.

    If you have written your own OPC server application, the same concepts apply. You must add the name of your application and potentially the executable that corresponds to your development environment.

    By adding your OPC server as an exception, you automatically take care of allowing traffic between the OPC server and the devices it communicates with because granting an exception in the Windows Firewall opens network traffic for that application for all ports.

    Summary:

    All EXE programs using OPC remotely should be added. It is critical that you add the port for DCOM, grant an exception for OPCEnum.exe, and grant exceptions for any OPC Clients or OPC Servers that you want to do any remote OPC Connections with. You have to do this on any Server or Client PC that has XP SP2 installed. Any affected programs that are not on the exceptions list to start with will have to be added by clicking on the Add Program button.

    Once this is all complete you can click OK and exit out of the Windows Firewall settings. You are done with the first step.

    Disclaimer:

    The information contained in these pages is based on our testing with the release candidate of XP Service Pack 2. Although this information is based on "best practices" as judged by the authors, Software Toolbox and the authors of this document assume no responsibility or direct, indirect, or consequential liability for its accuracy or suitability for a user's particular application. The reader is responsible for proper application to their particular situation and for the decision to deploy Windows XP SP2 in their environment.


    P: 1-888-665-3678 (US-Sales) or 704-849-2773 (Support & International), F: 704-849-6388 148A East Charles Street, Matthews, North Carolina, USA 28105

    Copyright Software Toolbox, Inc., 1996-2006, All Rights Reserved Worldwide.

    No Copying or Reposting Without Written Permission of Software Toolbox Inc.


  • Windows XP Service Pack 2 (SP2) Support Advisory Center

    DCOM for XP SP2 Setup Tutorial - Step 2 Limits in DCOM Security within DCOM Config

    This setup step is only required on the computer where your OPC server is running.

    The second step requires you to go to the Windows Start button and click Run.

    Open the Component Services tree as shown below.

    04/06/2010 DCOMLimits

    softwaretoolbox.com/…/dcomlimits.html 1/5

  • Right Click on My Computer Icon and choose properties

    The dialog above will open. Click on the COM Security tab to configure the default DCOM settings for this PC


  • The new components with XP SP2 are the two Edit limit buttons shown above.

    The critical action here is to add Anonymous Logon for both Access and Launch Permissions or opcenum.exe will not work and your OPC client will not be able to browse for remote OPC servers on the affected machine.

    The reason for this is that OPCEnum.exe (which is an OPC Foundation supplied application), is written to initialize security to allow Anonymous connections - it does not look for specific users.

    Both Access and Launch Permissions must be set to allow everything. Subsets of Everyone can be used but must not be more restrictive than the settings found under the Edit Default buttons for both Access and Launch Permissions or they will override them.

    Note: If you have, or are using a web-based OPC client hosted on a webserver for example, then you should add the user-account that your webserver/web-application uses. The default account that IIS uses is:

    IUSR_

    Click Edit Limits under both Access and Launch Permissions then add the users as shown below. You may also have additional users included based on your user specific application requirements.


  • Notes:

    Also make sure that the advanced user and group settings have the right usernames and groups added to allow the other PCs to connect.


  • DCOM Configuration Tutorial OPC SERVER Computer Recommended Settings

    DCOM Tutorial Home

    This section provides general guidance for configuring DCOM to allow OPC software to interoperate.

    If you are not already familiar with the DCOM Config utility and how to launch it, please review the DCOM Config Utility Introduction.

    Client Side DCOM Configuration Properties: Default Properties Tab

    1. First, the Enable Distributed COM on this computer MUST be checked.

    2. The Default Authentication Level should be set to None.

    3. The Default Impersonation Level should be set to Identity

    OPC SERVER Side DCOM Configuration Properties: Default Security Tab

    It is on this tab that you tell the operating system who you will allow to access the OPC Server objects.

    04/06/2010 Svr_DCOMDefaults

    opcactivex.com/…/svr_dcomdefaults.h… 1/4

  • OPC SERVER Side DCOM Configuration Properties: Default Security Tab - Default Access Permissions Dialog

    It is on this dialog that you will set who (i.e. users that remote OPC Clients are running under) will have access to the server.

    We recommend you add the following accounts to this list:

    Everyone
    Interactive
    System
    Network
    Guests
    Anonymous
    IWAM_ *
    IUSR_ *

    For each account listed above, set the "Type of Access" property to FULL CONTROL.

    * only applicable if IIS (Internet Information Services) will be making/receiving OPC calls.

    OPC SERVER Side DCOM Configuration Properties: Default Security Tab - Default Launch Permissions Dialog

    Add the same accounts as previously stated, configuring each account to receive the ALLOW setting for the "Launch Permission".

    OPC SERVER Side DCOM Configuration Properties: Default Security Tab - Default Configuration Permissions Dialog

    Again you will add the same accounts as previously stated, this time each account will receive the FULL CONTROL permission for the "Type of Access".

    OPC SERVER Side DCOM Configuration Properties: Default Protocols Tab


  • Generally speaking, the protocols listed here are not so important, but if you have more than 1 listed, you should ensure TCP/IP is at the top of the list.

    Warning: contents of this tutorial are Copyright Software Toolbox, Inc. 2001-2002, and may not be reproduced in electronic or written form without written permission of Software Toolbox Inc. Anyone found copying copyrighted material from this site for use on another site will be prosecuted. You are welcome to link to this site from your site. The information in this article is accurate to the best of our professional judgement at the time of writing but is subject to change.


  • OPC Server Computer Recommended Settings - Step 2

    This section covers the DCOM settings for the OPC server computer that are specific to your OPC server. You should already have the DCOM Config Utility running and go to the Applications tab.

    Server Specific Properties: General Tab

    On the General Tab, we recommend that you leave the Authentication level set to None.

    We do NOT recommend that you change this setting unless you know what you are doing or are directed to by one of our support engineers.

    Server Specific Properties: Location Tab

    Make sure that the Run application on this computer is the ONLY check box checked.

    04/06/2010 Svr_OPCSvrSpecific

    opcactivex.com/…/svr_opcsvrspecific.h… 1/3

  • Server Specific Properties: Security Tab

    Because we have configured our default/global DCOM security permissions in such a way that reduces the security, we can simply specify that this server will inherit its permissions from these default settings. The window shown below is what you would typically see:

    All 3 of these options should be set to USE DEFAULT ... PERMISSIONS.

    Server Specific Properties: Identity Tab

    On the Identity tab, you specify under what user account you want the OPC server to run under. This is probably one of the MOST important settings for the OPC server in some cases.


  • Choose the Interactive user, or choose "This user" and specify an account. Absolutely DO NOT choose the "Launching user".

    TOP Server: If running without any user logged in on the OPC server computer, we recommend that you run the server as a service - this is done by clicking on Tools->Options from the TOP server. This automatically requires that it runs with the System account, which is good.

    INGEAR OPC Servers: Running as a service is not available, so if you will not have someone logged into the computer when remote clients are connecting (i.e. no OPC client running on the machine where the OPC server is located), we recommend running as a named user who has appropriate rights to Launch the OPC server.

    Server Specific Properties: Endpoints Tab - No changes required on this tab.


  • OPC Server Computer Recommended Settings - Step 3

    OPCENUM is responsible for providing a list of OPC Servers available on the computer where OPCENUM is installed. That's all.

    Only configure OPCENUM when you are experiencing problems when browsing the available OPC Servers on a computer.

    OPCEnum Properties: General Tab

    On the General Tab, we recommend that you leave the Authentication level set to NONE.

    We do NOT recommend that you change this setting unless you know what you are doing or are directed to by one of our support engineers.

    OPCEnum Properties: Location Tab

    Make sure that the Run application on this computer is the ONLY check box checked.

    04/06/2010 Svr_OPCEnum

    opcactivex.com/…/svr_opcenum.html 1/3

  • OPCEnum Properties: Security Tab

    Again, our default/global DCOM security permissions (configured here) are sufficient where we can simply specify that all 3 of the options below accept the Defaults.

    OPCEnum Properties: Identity Tab

    On the Identity tab, you specify under what user account you want the OPCEnum to run under. This is probably one of the MOST important settings for OPCEnum in some cases.


  • Your configuration will most likely show the "System Account" being used. If that is the case then this is good news. It also means that OPCENUM is running as a Windows Service.

    OPCEnum Properties: Endpoints Tab - No changes required on this tab.

    You may now move on to configuring the OPC Client Computer DCOM settings.


  • DCOM Configuration Tutorial for Windows XP & 2003 Editions

    This section is intended to provide general guidance on configuring DCOM settings for Windows XP and 2003 Operating Systems, which do differ slightly from Windows NT and 2000 Operating Systems.

    This article will simply outline the steps to configure DCOM. If you would like to know and understand the reasons WHY some of these settings are so, then please read:

    NT/2000 User Security Permissions/Considerations
    Special considerations in multiple domain settings.

    We will configure DCOM in 3 steps:

    1. Configuring the general/default settings
    2. Configuring the settings for OPCENUM
    3. Configuring the settings for your OPC Server

    Starting DCOM Configuration

    The DCOM Configuration utility does not have an associated icon in either the Windows Control Panel or the Windows START button, so you have to start it manually:

    1. Click on the Windows START button
    2. Click on the RUN option
    3. Type "DCOMCNFG" (without the quotes) and press ENTER. (case does not matter)

    This will load the Windows "Component Services", which is shown below:

    04/06/2010 DCOM_XP

    opcactivex.com/…/dcom_xp.html 1/2


  • Step 1 - Configuring Default DCOM Security Options for Windows XP & 2003 Operating Systems

    The following screen is opened by:

    Right-clicking on the "My Computer" node in the "Component Services" screen.
    Choosing "Properties" from the menu.

    Then click the "Default COM Security" Tab.

    04/06/2010 DCOM_DefaultXP

    opcactivex.com/…/dcom_defaultxp.html 1/3

  • This particular screen is not 100% identical to that of Windows NT, 2000 as there are more options in some areas, and fewer options in others... Once in this Properties screen, do click on the "Default Properties" tab first.

    The options available in this screen should be configured as:

    The Enable Distributed COM on this computer MUST be checked.
    The Default Authentication Level should be set to None.
    The Default Impersonation Level should be set to Identity

    The next step is to click on the "Default COM Security" tab, which is shown below:

    There are only 2 buttons in this screen, whereas there are 3 in Windows NT and 2000 Operating Systems.

    Click on the "Edit Default" button within the "Access Permissions" area and make sure that the following accounts exist with the "Allow Access" permissions:

    Everyone
    Interactive
    System
    Network
    IWAM_ *
    IUSR_ *
    Guests
    Anonymous

    Once that is complete, do the same with the "Edit Default" button in the "Launch Permissions" section and give the right "Allow Launch" to the same accounts as mentioned in the bullet-points above.


  • Make the same settings under both "Edit Limits" buttons.

    Now click the OK button to save and close the window.

    * If you plan to use IIS (Internet Information Services) as an OPC Client, then its login context should be added to the list of trusted accounts as shown above.


  • Step 2 - Configuring DCOM Security Options for OPCENUM for Windows XP & 2003 Operating Systems

    The next step is to locate OPCEnum in the list of COM components. Simply click on, or expand the "DCOM Config" section to show the objects available to configure:

    Locate OPCEnum, and then open its properties by simply right-clicking on it, and choosing "Properties" from the menu.

    General Tab

    The General Tab has only one option, and that is the "Authentication level".

    04/06/2010 OPC_EnumXP

    opcactivex.com/…/opc_enumxp.html 1/5

  • For ease of use, you can select "None" as your option.

    Location Tab

    OPCEnum is a program that scans your registry for a list of OPC Servers on your computer.


  • OPCEnum needs to run on the computer where it resides, therefore the option of choice here is to check "Run application on this computer".

    Security Tab

    There are 3 options in the Security tab that need to be set.

    Launch Permissions: Select the option "Use Default".

    Access Permissions: Select the option "Use Default".

    Configuration Permissions: Select the option "Customize", and then click the "Edit" button.


  • A window will open allowing you to specify the accounts that do/don't have configuration permissions; simply add the same:

    Network
    Interactive
    System
    Everyone
    Guests
    Anonymous
    IUSR_ *
    IWAM_ *

    Ensure that all of the accounts above receive "Full Control" rights.

    * If you are using IIS (Internet Information Services) as an OPC Client.

    Identity Tab

    Use either the Interactive or System account.

    Click OK to save and close the OPCENUM options window.


  • Step 4 - Configuring DCOM Security Options for the OPC Server, for Windows XP & 2003 Operating Systems

    This step should only be followed if your computer has an OPC Server on it that you wish to allow OPC Clients to connect to.

    At the "Component Services" window, click on or expand the "DCOM Config" node and locate your OPC Server from the list.

    When you have found your OPC Server in this list, simply right-click on it and open its properties. Then follow the same steps as those listed for configuring OPCENUM.


    04/06/2010 OPCServerXP

    opcactivex.com/…/opcserverxp.html 1/1

  • Configuring Policy Settings To Allow Windows XP SP2 and Windows Server 2003 Interoperability

    Overview

    When making OPC connections from XP SP2 to Windows Server 2003 there are some additional settings that should be checked. This is important when the two computers are not under the same domain when logged in.

    Updates to both XP SP2 and Windows Server 2003 have made changes to the local Policy settings and it is entirely possible that these updates have restricted systems that were otherwise once working.

    This document assumes that all DCOM security settings are configured in accordance with our recommendations.

    Local Security Settings

    The settings outlined in this document must be checked on both the OPC Server and OPC Client computer(s).

    The Local Security Settings can be found:

    START > Control Panel > Administrative Tools > Local Security Settings

    The Local Security Settings window is shown below:

    Expand the Local Policies folder and go to the Security Options (shown in gray).

    DCOM Policies

    04/06/2010 XP to 2003 Policies

    opcactivex.com/…/xp_to_2003_policie… 1/3

  • Locate the following options:

    DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
    DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

    Both of these options should be set to "NOT DEFINED". If either of these are defined, then you will need to work with an IT professional or network administrator who has the necessary rights to be able to access and modify these policies.
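When one of these policies is defined, it expresses the same kind of machine-wide limit as the Edit Limits buttons, written as an SDDL string. As an added example (not part of the original tutorial), the Python code below decodes such a string and reports which broad accounts hold remote COM rights, so the effect of adding Everyone and Anonymous Logon can be reviewed; the sample descriptors, the function names and the `BROAD` set are constructed for illustration.

```python
import re

# SDDL rights tokens whose bit values coincide with the COM access-mask bits.
# (The token names come from directory-service rights; for COM only bits matter.)
SDDL_RIGHTS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10}

# COM rights that matter for callers coming over the network.
REMOTE_RIGHTS = {
    0x04: "remote access/launch",   # COM_RIGHTS_EXECUTE_REMOTE
    0x10: "remote activation",      # COM_RIGHTS_ACTIVATE_REMOTE
}

# SDDL aliases for the accounts this tutorial adds, plus Administrators.
TRUSTEES = {
    "WD": "Everyone", "AN": "Anonymous Logon", "IU": "Interactive",
    "SY": "System", "NU": "Network", "BG": "Guests", "BA": "Administrators",
}

# Assumption of this example: trustees that can cover callers who never
# authenticated. Everyone only includes anonymous callers when the "Let
# Everyone permissions apply to anonymous users" policy is enabled.
BROAD = {"AN", "BG", "WD"}


def rights_to_mask(rights):
    """Convert an SDDL rights field ("CCDCLC" or "0x7") to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights field: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SDDL_RIGHTS:
            raise ValueError(f"unsupported rights token: {token!r}")
        mask |= SDDL_RIGHTS[token]
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee)] for every ACE in the D: section."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"unexpected ACE layout: {body!r}")
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        aces.append((ace_type, rights_to_mask(rights), trustee))
    return aces


def remote_exposure(sddl):
    """Map each broad trustee to the remote COM rights it is allowed.

    Deny ACEs are subtracted per trustee only; group membership is not
    resolved, so a deny on one group does not affect another trustee here.
    """
    allowed, denied = {}, {}
    for ace_type, mask, trustee in parse_dacl(sddl):
        if ace_type == "A":
            allowed[trustee] = allowed.get(trustee, 0) | mask
        elif ace_type == "D":
            denied[trustee] = denied.get(trustee, 0) | mask
    findings = {}
    for trustee, mask in allowed.items():
        effective = mask & ~denied.get(trustee, 0)
        rights = [name for bit, name in REMOTE_RIGHTS.items() if effective & bit]
        if rights and trustee in BROAD:
            findings[TRUSTEES.get(trustee, trustee)] = rights
    return findings


# Constructed sample descriptors (not taken from a real machine).
# Anonymous Logon limited to local access; Everyone may connect remotely.
LOCAL_ONLY_ANONYMOUS = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"
# Limits opened the way this tutorial's "Edit Limits" step describes.
OPENED_FOR_OPC = "O:BAG:BAD:(A;;CCDCLCSWRP;;;WD)(A;;CCDCLCSWRP;;;AN)(A;;0x1f;;;BA)"

if __name__ == "__main__":
    for label, sddl in (("local-only anonymous", LOCAL_ONLY_ANONYMOUS),
                        ("opened for OPC", OPENED_FOR_OPC)):
        print(label, "->", remote_exposure(sddl))
```

A single descriptor is either an access or a launch restriction, which is why the remote execute bit is labelled "remote access/launch".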

    Network Access - Everyone Permissions

    We need to let Everyone permissions also apply to anonymous users. Locate the following options:

    Network access: Let Everyone permissions apply to anonymous users

    These settings default to "disabled". We recommend enabling these options by right-clicking on them and changing the setting as shown below:

    Click the OK button to save the setting and close the window.

    Network Access - Sharing and Security Model

    We need to configure the sharing and security model for local accounts. Locate the following options:

    Network access: Sharing and security model for local accounts

    This setting now has a default value of "Guest only" which can prevent OPC connections. Right click on this policy and open its Properties:


  • Change the setting to "Classic" as shown above, then click OK to save and close the window.

    Summary

    These changes are required for OPC Connections between Windows XP SP2 and Windows Server 2003 computers when communicating in a workgroup.
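The Default Properties choices and the two Network access policies in this tutorial are stored as registry values, so a host can be checked for them from a registry export. The Python code below is an added example, not part of the original tutorial: the export text is constructed, and the function names and the choice of which values to flag as reducing authentication are this example's own.

```python
import re

OLE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

AUTHN_LEVELS = {1: "None", 2: "Connect", 3: "Call", 4: "Packet",
                5: "Packet Integrity", 6: "Packet Privacy"}
# Level 2 is shown as "Identify" in the dialog (the tutorial's "Identity").
IMPERSONATION = {1: "Anonymous", 2: "Identify", 3: "Impersonate", 4: "Delegate"}

# (dialog label, key, value name, raw value -> meaning, raw value flagged)
SETTINGS = [
    ("Enable Distributed COM", OLE, "EnableDCOM", {"Y": "Yes", "N": "No"}, None),
    ("Default Authentication Level", OLE, "LegacyAuthenticationLevel",
     AUTHN_LEVELS, 1),
    ("Default Impersonation Level", OLE, "LegacyImpersonationLevel",
     IMPERSONATION, None),
    ("Let Everyone permissions apply to anonymous users", LSA,
     "EveryoneIncludesAnonymous", {0: "Disabled", 1: "Enabled"}, 1),
    ("Sharing and security model for local accounts", LSA,
     "ForceGuest", {0: "Classic", 1: "Guest only"}, None),
]

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg export text into {(key, value name): str or int}.

    Key and value names are lower-cased because the registry is not case
    sensitive. Only string and dword values are kept; others are skipped.
    """
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1).lower()
            continue
        value = VALUE.match(line)
        if value and key:
            name, raw = value.group(1).lower(), value.group(2)
            if raw.startswith("dword:"):
                values[(key, name)] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                values[(key, name)] = raw[1:-1]
    return values


def audit(reg_text):
    """Return [(dialog label, decoded setting, reduces_authentication)]."""
    values = parse_reg_export(reg_text)
    report = []
    for label, key, name, meanings, flagged_raw in SETTINGS:
        raw = values.get((key.lower(), name.lower()))
        if isinstance(raw, str):
            raw = raw.upper()
        if raw is None:
            text = "not set"
        else:
            text = meanings.get(raw, f"unrecognised ({raw!r})")
        report.append((label, text, raw is not None and raw == flagged_raw))
    return report


# Constructed export of a host configured as this tutorial describes.
# A real export file is UTF-16 encoded; decode it before calling audit().
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"LegacyAuthenticationLevel"=dword:00000001
"LegacyImpersonationLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"everyoneincludesanonymous"=dword:00000001
"forceguest"=dword:00000000
'''

if __name__ == "__main__":
    for label, text, flagged in audit(SAMPLE_EXPORT):
        print(f"{'!' if flagged else ' '} {label}: {text}")
```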
