5 Steps For DCOM Configuration

Uploaded by Victor Yosafat
OPC Training Institute (OPCTI), LEVEL 1: OPC & DCOM Diagnostics

Lesson Overview
1. Remove Windows Security
2. Setup mutual User Account recognition
3. Configure System-Wide DCOM settings
4. Configure Server Specific DCOM settings
5. Restore Windows Security
• Slides feature
  - Insight
  - Common Pitfalls

1. Remove Windows Security
• Before establishing DCOM communication
  a. Disable Windows Firewall
  b. Disable Data Execution Prevention (DEP)
• After establishing DCOM communication
  a. Enable Windows Firewall
  b. Enable Data Execution Prevention (DEP)

1a. Disable Windows Firewall
• A firewall is a system that secures a network, shielding it from access by unauthorized users
• By default, the Windows Firewall
  - Is turned on
  - Allows traffic across the network when the traffic is initiated locally, but stops most incoming unsolicited traffic
• Administrators can specify exceptions
• Beginners
  - Turn firewall off completely
  - Turn back on upon completion

1a. Turn Firewall Off
• Start > Control Panel > Windows Firewall

1b. Data Execution Prevention (DEP)
• Technology that performs additional checks on memory to help prevent malicious code from running on a system
• Primary benefit: help prevent code execution from data pages
  - Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs
  - Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows
1b. Data Execution Prevention (DEP), continued
• Hardware DEP
  - The no-execute page-protection (NX) processor feature as defined by AMD
  - The Execute Disable Bit (XD) feature as defined by Intel
• Windows enables DEP even if hardware DEP is not available
• DEP might stop execution of legitimate software
• Affects: XP SP2, XP Tablet PC Edition 2005, and Server 2003

1b. Disable DEP [screenshot]

2. Setup mutual User Account Recognition
a. Synchronize User Accounts
b. Modify User Authentication

2a. Synchronize User Accounts
• Add User Accounts to all affected computers
• Must have a User Name and Password
• Workgroups: Each computer must have a list of all User Accounts
• Single Domain: Domain controller synchronizes User Accounts
• Multiple Domains:
  - Establish a Trust between the Domains... or
  - Add local User Accounts

2b. Modify User Authentication
• By default, Windows XP forces remote users to authenticate as "Guest" (when using Workgroups)
• Can create OPC problems
  - No User Account granularity
  - Guest enables everyone to access everything
• Two options:
  - Turn off "Simple File Sharing"... or
  - Modify "Network Access: Sharing and security model for local accounts"

2b. Turning off Simple File Sharing
• Double-click "My Computer" on the desktop
• On the Tools menu, click Folder Options
• Click the View tab, and then clear the "Use Simple File Sharing (Recommended)" check box to turn off Simple File Sharing

2b. Modify Network Access
• Start > Control Panel > Administrative Tools > Local Security Policy (secpol.msc)
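The two parts of Step 2 can be checked from a script instead of by hand. The following PowerShell is an added example, not part of the OPCTI slides: it reads the "Sharing and security model for local accounts" setting (stored as the Lsa\ForceGuest registry value, which the XP "Use simple file sharing" check box also writes) and compares the local user list with that of each workgroup peer so that accounts missing on a peer stand out. It assumes an elevated PowerShell session and that the peer names in $Peers are replaced with real ones; the names shown are constructed.

```powershell
# Added example (not from the OPCTI slides): audit Step 2 on a workgroup machine.
# Assumptions: elevated PowerShell; $Peers holds constructed placeholder names.
$Peers = @('OPC-CLIENT01', 'OPC-SERVER01')   # constructed names, replace with yours

# 2b: "Network access: Sharing and security model for local accounts" is stored in
# Lsa\ForceGuest: 0 = Classic (remote users authenticate as themselves),
# 1 = Guest only (every remote user is mapped to Guest). The XP
# "Use simple file sharing" check box writes the same value.
function Get-NetworkAccessModel {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.ForceGuest -eq 1) { 'Guest only' } else { 'Classic' }
}

# 2a: enumerate local user accounts through the WinNT ADSI provider, which works
# on workgroup machines and needs no extra modules.
function Get-LocalUserNames([string]$Computer) {
    $root = [ADSI]"WinNT://$Computer"
    $root.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object { $_.Name }
}

# Report, per peer, the local accounts that do not exist on that peer.
function Compare-WorkgroupAccounts([string[]]$Computers) {
    $local = @(Get-LocalUserNames -Computer $env:COMPUTERNAME)
    foreach ($peer in $Computers) {
        try {
            $remote = @(Get-LocalUserNames -Computer $peer)
        } catch {
            Write-Warning "Cannot read accounts on $peer : $_"
            continue
        }
        $missing = Compare-Object -ReferenceObject $local -DifferenceObject $remote |
            Where-Object { $_.SideIndicator -eq '<=' } |
            ForEach-Object { $_.InputObject }
        [pscustomobject]@{
            Peer          = $peer
            MissingOnPeer = ($missing -join ', ')
        }
    }
}

$model = Get-NetworkAccessModel
Write-Host "Authentication model: $model"
if ($model -eq 'Guest only') {
    Write-Warning 'Remote users are mapped to Guest; per-user DCOM permissions cannot take effect.'
}
Compare-WorkgroupAccounts -Computers $Peers | Format-Table -AutoSize
```

Built-in accounts such as Administrator and Guest exist everywhere and will not be reported; an OPC user that appears in MissingOnPeer has to be created on that peer with the same name and password before DCOM authentication between the two machines can succeed.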
3. Configure System-Wide DCOM settings
• Click on the Windows Start button, and select the Run menu option
• In the Run dialog box, type "DCOMCNFG"
• Click the OK button

Configure System-Wide DCOM settings
• Right-click on "My Computer" to select Properties

Default Properties [screenshot]

Authentication Level
• None: Performs no authentication
• Connect: Authenticates only when the Client establishes a relationship with the Server. Datagram transports always use packet authentication (RPC_C_AUTHN_LEVEL_CONNECT) instead
• Call: Authenticates only at the beginning of each remote procedure call when the Server receives the request. Datagram transports always use packet authentication (RPC_C_AUTHN_LEVEL_PKT) instead
• Default: In the current implementation of DCOM this setting always maps to RPC_C_AUTHN_LEVEL_CONNECT
• Packet: Authenticates that all data received is from the expected Client
• Packet Integrity: Authenticates and verifies that none of the data transferred between the Client and the Server has been modified
• Packet Privacy: Authenticates all previous levels and encrypts the argument values of each remote procedure call

Impersonation Level
• Anonymous: Object is not allowed to obtain the identity of the caller. This is the safest setting for the Client but the least powerful for the object.
• Identify: Object is only able to detect the security identity of the caller (that is, the user name), but can not impersonate the caller. This call is still safe for the Client in that the object will not be able to perform operations using the security credentials of the caller. However, the Client's user name will be disclosed to the object.
Impersonation Level, continued
• Impersonate: Object can impersonate and perform local operations, but it can not call other objects on behalf of the caller. This mode is potentially unsecure for the caller, since it allows the object to use the Client's security credential to perform arbitrary operations on the machine where the object is running.
• Delegate: Object can impersonate the caller and it can perform other method invocations using the security identity of the caller. In this mode, the caller essentially delegates ownership of its security identity to the object so that the object can perform arbitrary (including remote) operations using the caller's security identity.

Default Protocols
• TCP/IP is the most commonly used transport protocol with DCOM
• Configure all machines to use only TCP/IP
• Remove other protocols
• This will reduce connection timeouts

COM Security
• List of Users who can use COM applications and launch new COM applications [screenshot]
• Add "Everyone" and "Anonymous Logon"
• For each user or group that will participate in OPC communication, check the Allow box for both Local Access and Remote Access (this applies to each of the permission dialogs shown)
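Everything Step 3 sets through dcomcnfg lands in the registry, so the resulting state can be audited without clicking through the dialogs. The PowerShell below is an added example, not part of the OPCTI slides: it reads the system-wide DCOM values under HKLM\SOFTWARE\Microsoft\Ole (default authentication and impersonation levels, and the four REG_BINARY security descriptors behind the COM Security limits and defaults), the DCOM Protocols list under HKLM\SOFTWARE\Microsoft\Rpc, and flags the weak combinations the slides discuss: a default authentication level below Packet Integrity, an impersonation level of Impersonate or Delegate, non-TCP/IP protocols, and Everyone or Anonymous Logon still present in a permission list. It assumes an elevated session and that those registry keys exist (they do on the Windows versions the slides cover and on current Windows).

```powershell
# Added example (not from the OPCTI slides): audit the system-wide DCOM settings of Step 3.
# Assumptions: elevated PowerShell; the Ole and Rpc registry keys are present.

# Numeric RPC_C_AUTHN_LEVEL_* and RPC_C_IMP_LEVEL_* values as dcomcnfg stores them.
$AuthLevels = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call';
                 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$ImpLevels  = @{ 0 = 'Default'; 1 = 'Anonymous'; 2 = 'Identify';
                 3 = 'Impersonate'; 4 = 'Delegate' }

# The permission lists are self-relative security descriptors in REG_BINARY form;
# .NET's RawSecurityDescriptor turns them into readable SDDL.
function ConvertTo-Sddl([byte[]]$Bytes) {
    if (-not $Bytes) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    $sd.GetSddlForm('All')
}

function Get-DcomSystemSettings {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    $rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc' -ErrorAction SilentlyContinue
    # Absent values mean the Windows defaults: Connect (2) and Identify (2).
    $auth = if ($null -ne $ole.LegacyAuthenticationLevel) { [int]$ole.LegacyAuthenticationLevel } else { 2 }
    $imp  = if ($null -ne $ole.LegacyImpersonationLevel)  { [int]$ole.LegacyImpersonationLevel }  else { 2 }
    [pscustomobject]@{
        EnableDCOM            = $ole.EnableDCOM
        DefaultAuthentication = $AuthLevels[$auth]
        DefaultImpersonation  = $ImpLevels[$imp]
        Protocols             = @($rpc.'DCOM Protocols')
        AccessLimitsSddl      = ConvertTo-Sddl $ole.MachineAccessRestriction   # COM Security > Access > Edit Limits
        LaunchLimitsSddl      = ConvertTo-Sddl $ole.MachineLaunchRestriction   # COM Security > Launch > Edit Limits
        DefaultAccessSddl     = ConvertTo-Sddl $ole.DefaultAccessPermission    # COM Security > Access > Edit Default
        DefaultLaunchSddl     = ConvertTo-Sddl $ole.DefaultLaunchPermission    # COM Security > Launch > Edit Default
    }
}

# Findings against the slides' guidance and against the temporary grants of Step 3.
function Test-DcomSystemSettings($s) {
    $findings = @()
    if ($s.DefaultAuthentication -in 'Default', 'None', 'Connect') {
        $findings += "Default authentication level is '$($s.DefaultAuthentication)'; Packet Integrity or Packet Privacy is needed to protect the RPC payload."
    }
    if ($s.DefaultImpersonation -in 'Impersonate', 'Delegate') {
        $findings += "Default impersonation level '$($s.DefaultImpersonation)' lets any server act with the caller's credentials."
    }
    $nonTcp = $s.Protocols | Where-Object { $_ -and $_ -ne 'ncacn_ip_tcp' }
    if ($nonTcp) { $findings += "Non-TCP/IP DCOM protocols still enabled: $($nonTcp -join ', ')" }
    foreach ($name in 'AccessLimitsSddl', 'LaunchLimitsSddl', 'DefaultAccessSddl', 'DefaultLaunchSddl') {
        # An allow ACE whose trustee is Everyone (WD / S-1-1-0) or Anonymous Logon (AN / S-1-5-7).
        if ($s.$name -match '\(A;[^;]*;[^;]*;[^;]*;[^;]*;(WD|AN|S-1-1-0|S-1-5-7)\)') {
            $findings += "$name still grants Everyone or Anonymous Logon (Step 5b not yet done)."
        }
    }
    $findings
}

$settings = Get-DcomSystemSettings
$settings | Format-List
Test-DcomSystemSettings $settings | ForEach-Object { Write-Warning $_ }
```

Run it once before Step 3 to record the baseline and again after Step 5b; the Everyone and Anonymous Logon warnings should be present only in between, while the DCOM session with the OPC server is being established.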
4. Configure Server Specific DCOM settings
• Start > Run > DCOMCNFG [screenshot]

Server Properties: General [screenshot]

Server Properties: Security [screenshot]

Server Properties: Identity
• OPCTI recommends: "The system account (services only)"

Server Identity: The Interactive User
• The user that is logged on to the local console (user who is physically at the computer)
• With Terminal Services
  - User who is logged on to the local console
  - User who is connected to the computer through a remote Terminal Server Client
• Common Problem: Someone must be logged on or Server will not start
• OPCTI does not recommend this option... unless vendor explicitly specifies it

Server Identity: The Launching User
• User that launched the Server
• Operating System attempts to start a new instance for each Launching user!!!
• Common Problems
  - Class 1: Second Launching User is unable to connect
  - Class 2: Multiple instances of the Server running when multiple users connect
    * May compromise PC or even control network performance
• OPCTI does not recommend this option... unless vendor explicitly specifies it

Server Identity: This User
• Server will run as a specific user
• More common with DCS
  - ABB 800xA
  - Emerson DeltaV
  - Honeywell Experion
  - Honeywell TDC3000 (App Node)
  - Yokogawa CS3000 (ExaOPC)
• Common problem: Data Subscriptions (Callbacks) might fail
• OPCTI does not recommend this option... unless vendor explicitly specifies it
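The Identity tab of Step 4 writes one of two values under the server's AppID key (HKLM\SOFTWARE\Microsoft\Classes\AppID\{guid}): RunAs, which holds "Interactive User" or an account name, or LocalService, which names the Windows service for "The system account"; when neither is present the server runs as the launching user. The PowerShell below is an added example, not part of the OPCTI slides: it inventories every registered DCOM server and classifies its identity, so servers left on the interactive or launching user can be found without opening each one in dcomcnfg. It assumes an elevated session; the '*OPC*' name filter at the end is a constructed placeholder to be replaced with the vendor server's registered name.

```powershell
# Added example (not from the OPCTI slides): list the Identity setting of every
# DCOM server registered on this machine. Assumption: elevated PowerShell.
function Get-DcomServerIdentity {
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' |
        Where-Object { $_.PSChildName -like '{*}' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Same precedence dcomcnfg uses on the Identity tab.
            $identity = if ($p.LocalService) { 'System account (service: ' + $p.LocalService + ')' }
                        elseif ($p.RunAs -eq 'Interactive User') { 'Interactive user' }
                        elseif ($p.RunAs) { 'This user: ' + $p.RunAs }
                        else { 'Launching user' }
            [pscustomobject]@{
                AppID               = $_.PSChildName
                Name                = $p.'(default)'
                Identity            = $identity
                AuthenticationLevel = $p.AuthenticationLevel   # $null: uses the system-wide default
            }
        }
}

# Constructed filter: replace 'OPC' with the registered name of the vendor's server.
Get-DcomServerIdentity |
    Where-Object { $_.Name -like '*OPC*' } |
    Sort-Object Identity |
    Format-Table AppID, Name, Identity, AuthenticationLevel -AutoSize
```

A server reported as "Launching user" or "Interactive user" is a candidate for the two failure classes the slides describe (duplicate instances, or a server that only starts while someone is logged on); a server reported with a LocalService value is already running under the identity OPCTI recommends.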
Server Identity: System Account
• Only used by Servers that can execute as a Windows Service; disabled otherwise
• Server must execute as a service
  - Unattended execution
  - Starts after boot
  - No Interactive user required (no one logged on)
  - Server runs as SYSTEM account
  - Only one instance will run
• OPCTI recommends this option... unless vendor explicitly specifies a different setting

5. Restore Windows Security
a. Restore Windows Firewall
b. Configure User/Group Permissions
c. Configure Data Execution Prevention

5a. Restore Windows Firewall
• Reconfigure firewall to block unwanted traffic
• Firewall exceptions: two main levels
  - Application level: specify which applications are able to respond to unsolicited requests.
  - Port-and-protocol level: specify that the firewall should allow or disallow traffic on a specific port for either TCP or UDP traffic.
• OPC requires changes on both to enable DCOM to work properly

5a. Turn Firewall On
• Start > Control Panel > Windows Firewall

5b. Configure User/Group Permissions
• Recall Step 3 (Configure System-Wide DCOM settings)
  - Everyone received launch/access permissions
  - This eliminated security
  - Now you must secure the system again
• System-wide DCOM settings
  - Take Everyone off the list
  - Add the Users/Groups for whom launch/access should be allowed/denied
• Configure Server Specific DCOM settings: Add the Users/Groups for whom launch/access should be allowed/denied

5c. Configure DEP [screenshot]
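Steps 5a and 5c are shown on the slides as Control Panel screenshots for Windows XP and Server 2003. The PowerShell below is an added example, not part of the OPCTI slides, and goes beyond them in one respect: it targets Windows 8 / Server 2012 or later, where the NetSecurity cmdlets and bcdedit exist. It re-enables the firewall on every profile, then adds the two exception kinds the slide names (an application-level rule for the OPC server executable and a port-and-protocol rule for the RPC endpoint mapper on TCP 135), both scoped to the listed OPC client addresses rather than to any remote host, and finally reads the DEP policy from the boot configuration. $ServerExe and $ClientAddresses are constructed placeholders; it assumes an elevated session.

```powershell
# Added example (not from the OPCTI slides): Step 5a and 5c on Windows 8/2012 or later.
# Assumptions: elevated PowerShell; the two values below are constructed placeholders.
$ServerExe       = 'C:\Program Files\ExampleVendor\OpcServer.exe'   # placeholder path
$ClientAddresses = @('192.0.2.10', '192.0.2.11')                     # placeholder OPC client IPs

# 5a: turn the firewall back on for every profile before adding exceptions.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Application-level exception: only the OPC server binary may accept unsolicited
# inbound connections, and only from the listed clients. DCOM servers listen on a
# dynamic port, which is why the rule is tied to the program rather than a port.
New-NetFirewallRule -DisplayName 'OPC Server (DCOM)' -Direction Inbound `
    -Program $ServerExe -RemoteAddress $ClientAddresses -Action Allow -Profile Domain, Private

# Port-and-protocol exception: the RPC endpoint mapper on TCP 135 tells the client
# which dynamic port the server instance is using.
New-NetFirewallRule -DisplayName 'DCOM endpoint mapper (RPC 135)' -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemoteAddress $ClientAddresses -Action Allow -Profile Domain, Private

# 5c: the DEP policy is the "nx" entry of the current boot configuration.
# OptIn, OptOut and AlwaysOn keep DEP on; AlwaysOff is what Step 1b leaves behind.
function Get-DepPolicy {
    $line = bcdedit /enum '{current}' | Where-Object { $_ -match '^\s*nx\s+' } | Select-Object -First 1
    if ($line -and $line -match '^\s*nx\s+(\S+)') { $Matches[1] } else { 'OptIn' }   # absent = default OptIn
}

$dep = Get-DepPolicy
if ($dep -eq 'AlwaysOff') {
    Write-Warning 'DEP is AlwaysOff; re-enable it with: bcdedit /set nx OptIn (reboot required)'
} else {
    Write-Host "DEP policy: $dep"
}
```

Scoping both rules with -RemoteAddress is the difference between the slide's "exception" and an open port: a rule without it answers TCP 135 and the server's dynamic port for every host that can reach the machine, which is the state Step 1a created and Step 5a is meant to undo.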