AN-022 Protégé Client / Server DCOM Configuration Windows XP SP2




PUBLICATION INFORMATION

This application note covers the use of the Protégé system to perform a specific function and may be used in conjunction with other publications. Specifications may change without notice; for updates visit the Integrated Control Technology website at www.integratedcontroltechnology.com. No other hardware was used to prepare this application note, and none will affect the result of the application using the programming information presented.

CONTENTS

Protégé System
  Introduction
  Application Note Information
  Disclaimer
Abstract
  Overview
Windows Firewall
  Overview
  Firewall Configuration
DCOM Configuration
  Overview
  Configuring DCOM
  Configuring DCOM Machine Default
  Configuring DCOM Only For The Protégé System
References
  Microsoft
Information
  Introduction
  Contact

PROTÉGÉ SYSTEM

Introduction

The Protégé System is a powerful integrated alarm and access control management system designed to provide integration with building automation, apartment complex control and HVAC in one flexible package. Communicating through a proprietary high speed protocol across an encrypted RS-485 network using a modular hardware design, system installers have the flexibility to accommodate any installation, small or large, residential or commercial.

Application Note Information

This application note describes the configuration of Protégé Server Machines and Client Workstation Machines that operate the Windows XP operating system with Service Pack 2 installed.

Disclaimer

This application note describes the configuration of the Windows operating system and related components based on articles and publications used by the authors of the document. Although the paper is based on best practices as judged by the authors, Integrated Control Technology and the authors assume no responsibility for its accuracy or suitability for application by its readers. Support for the DCOM configuration is not given by Integrated Control Technology. DCOM is part of the security and control within Windows operating systems, and suitably qualified MSCP Network Engineers should be used to configure the DCOM security settings for a machine.

ABSTRACT

Overview

The major goal of Windows XP Service Pack 2 is to reduce the commonly available scenarios for malicious attack on Windows XP. The Service Pack reduces the effect of the most common attacks in four ways:

1. Improvement in shielding Windows XP from the network by:
   a. RPC and DCOM communication enhancements
   b. Enhancements to the internal Windows firewall
2. Enhanced memory protection
3. Safer handling of e-mail
4. Internet Explorer security enhancements

Protégé System Management Suite Clients and Servers use DCOM to communicate over a network and thus are affected by the changes in Service Pack 2. When Service Pack 2 is installed with its default configuration settings, Protégé System Management Suite communication via DCOM will cease to work. This application note describes the settings necessary to restore Protégé System Management Suite communication when using XP Service Pack 2 (SP2).

SP2 includes many changes and security enhancements, two of which directly impact Protégé System Management Suite via DCOM. First, new DCOM limit settings have been added. Secondly, the software firewall included with XP has been greatly enhanced and is turned on by default.

Since the callback mechanism used by Protégé System Management Suite essentially turns the Protégé System Management Suite Client into a DCOM Server and the Protégé System Management Suite Server into a DCOM Client, the instructions provided here must be followed on all machines that contain either Protégé System Management Suite Servers or Protégé System Management Suite Clients. It is important to note that Protégé System Management Suite communication that is confined to a single machine (using COM, but not DCOM) will continue to work properly after installing XP SP2 without following the instructions in this application note.

WINDOWS FIREWALL

Overview

The Windows Firewall allows traffic across the network interface when initiated locally, but by default stops any incoming unsolicited traffic. However, this firewall is exception based, meaning that the administrator can specify applications and ports that are exceptions to the rule and can respond to unsolicited requests. The firewall exceptions can be specified at two main levels: the application level and the port and protocol level. The application level is where you specify which applications are able to respond to unsolicited requests, and the port and protocol level is where you configure the firewall to allow or disallow traffic on a specific port for either TCP or UDP traffic. To make any Protégé System Management Suite client/server application work via DCOM, changes need to be made on both levels. To use Protégé System Management Suite via DCOM with Microsoft Windows XP Service Pack 2 you must configure the firewall to allow the appropriate ports and programs access through the firewall.

Firewall Configuration

By default the Windows Firewall is set to On. This setting is recommended by Microsoft and by Integrated Control Technology to give your machine the highest possible protection. For troubleshooting, you may wish to temporarily turn off the firewall to prove or disprove that the firewall configuration is the source of any communication failure. It may be appropriate to permanently turn off the firewall if the machine is sufficiently protected behind a corporate firewall. When turned off, the individual firewall settings outlined here need not be performed to allow Protégé System Management Suite Servers and Clients to communicate. The firewall configuration and settings in this application note cover the Windows native firewall and do not cover other third party products (Norton, McAfee and ZoneAlarm). To change a third party firewall, view the manufacturer's documentation or consult the network administrator.

The following procedure explains the configuration process for the Windows Firewall.

1. Open the Windows Firewall configuration settings from the Control Panel.

2. Select the Exceptions tab and add the Protégé Server (PTSvr.exe) and the Protégé Client application (PTView.exe) to the exception list. Also add Microsoft Management Console (used by the DCOM configuration utility in the next section).
3. In the Add a Program dialog there is a listing of most applications on the machine, but note that not all of them show up on this list. Use the Browse button to find the Protégé System Management executables installed on the computer. These are typically located in the Program Files/Integrated Control Technology/Protégé folder.
4. Add TCP port 135, as it is needed to initiate DCOM communications, and allow incoming echo requests. In the Exceptions tab of the Windows Firewall, click on Add Port. In the Add a Port dialog, fill out the fields as shown in the example screenshot below: Name should be DCOM, Port number 135, and select the TCP radio button.
5. It would also be a good option to restrict access to this port to the local subnet and/or intranets within the corporation (select the Change Scope button to perform this action); however, this is beyond the scope of this document and is a decision best made by the network or system administrator.
6. As a minimum you should see the DCOM port added in step 4, the PTSvr and PTView executables added in the first steps, and the Microsoft Management Console. If the server machine that is operating the Protégé Service also runs the ArmourIP Internet Reporting Server, you will need to include this program in the Windows Firewall exceptions program list.
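The firewall exceptions from steps 2 to 6, scripted with the XP SP2 netsh firewall context, as an added example that is not part of the application note; the install folder, the exception names and the choice of scope=SUBNET (the step 5 restriction) are assumptions to adjust for your machine.

```batch
@echo off
REM Added example (not from the application note): scripts the Windows
REM Firewall exceptions of steps 2-6 using the XP SP2 "netsh firewall"
REM context. Run from a command prompt with Administrator rights.
REM Assumptions: PTDIR is the actual install folder (the note gives
REM Program Files\Integrated Control Technology\Protege); SCOPE=SUBNET
REM limits the exceptions to the local subnet as step 5 suggests, use
REM scope=ALL if that does not fit the site.

setlocal
set "PTDIR=C:\Program Files\Integrated Control Technology\Protege"
set "SCOPE=SUBNET"

REM Step 2: program exceptions for the Protege server, the client and
REM the Microsoft Management Console (used later by DCOMCnfg).
netsh firewall add allowedprogram program="%PTDIR%\PTSvr.exe" name="Protege Server" mode=ENABLE scope=%SCOPE%
netsh firewall add allowedprogram program="%PTDIR%\PTView.exe" name="Protege Client" mode=ENABLE scope=%SCOPE%
netsh firewall add allowedprogram program="%SystemRoot%\system32\mmc.exe" name="Microsoft Management Console" mode=ENABLE scope=%SCOPE%

REM Step 4: TCP 135 (RPC endpoint mapper, used to initiate DCOM) and
REM incoming echo requests (ICMP type 8) for ping-based troubleshooting.
netsh firewall add portopening protocol=TCP port=135 name=DCOM mode=ENABLE scope=%SCOPE%
netsh firewall set icmpsetting type=8 mode=ENABLE

REM Step 6: confirm the firewall is still ON and list what was added so
REM the DCOM port and the three programs can be checked against the note.
netsh firewall show state
netsh firewall show allowedprogram
netsh firewall show portopening
endlocal
```

If the ArmourIP Internet Reporting Server also runs on the machine, add its executable with a fourth allowedprogram line in the same form.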

DCOM CONFIGURATION

Overview

Service Pack 2 for Windows XP has also made some security enhancements to DCOM; two in particular need to be taken into consideration when using Protégé System Management Suite on a network. First, the default Launch and Access permissions dialogs have been modified to allow the user to configure limits on the permissions given to applications using DCOM. Secondly, for each user now defined in the Launch and Access permissions, both local and remote access can be explicitly defined.

A brief background on default Launch and Access permissions in DCOM: Launch permissions define who can launch a COM based application (such as the Protégé server), either over the network or locally. Access permissions define who can access that application once it has been launched. Applications can get their Launch and Access permissions from one of three places: they can use explicitly defined settings for their application, they can use the default permissions, or they can set their own permissions programmatically. Because an application could set its own permissions programmatically, the explicitly defined or default settings, although set properly, may not be used, and therefore the user does not have explicit control over these settings. To overcome this security flaw, Microsoft has added limits to the DCOM Launch and Access security settings that cap the permissions an application can use. This limit prevents the application from using permissions beyond what is specified in the DCOM configuration settings. By default the limits set by Service Pack 2 will not allow Protégé System Management Suite communication to occur between the server and clients over the network. In addition to the new permissions limits, one must now specify whether the user or group specified has permissions locally, remotely, or both.

In order for the Protégé System Management Suite application to work over the network with DCOM, the permissions must be set such that remote users can launch and/or access the Protégé System Management Suite Servers and Clients on the machines.

Configuring DCOM

DCOM has settings for the machine default and for each server or application that uses DCOM communication. The machine default settings are used when there are no custom settings for the specific COM server. If a server has custom settings, then changes in the default settings have no effect for this server.

Configuring DCOM Machine Default

Follow these steps to configure the DCOM machine default settings for Protégé System Management Suite communications using Windows XP Service Pack 2:

1. Go to Start -> Run, type DCOMCnfg and then click on OK.

2. Click on Component Services under the Console Root to expand it.
3. Click on Computers under Component Services to expand it.
4. Right click on My Computer in the pane on the right and select Properties.
5. Go to the COM Security tab and note the four permission configurations that you will have to edit.
6. Edit the Limits for Access and Launch.
7. If you cannot configure the limits settings, it is more than likely that the group policy security settings are overriding these options, in which case you must choose the best method for your network and computer configurations.
8. In the Access Permissions limits dialog, check the Remote Access box for the user labelled ANONYMOUS LOGON.
9. Launch and Activation Permissions Edit Limits: check the Remote boxes for the user labelled Everyone in this dialog.
10. Since Everyone includes all authenticated users, it is often desirable to grant these permissions to a smaller subset of users. One suggested way to accomplish this is to create a group named Protege Users and add to this group all user accounts that will execute any Protégé System Management Suite Client or Server. Then substitute Protege Users everywhere that Everyone appears in these configuration dialogs.
11. Edit Default Permissions for Access and Launch. For each user (or group) that participates in using the Protégé System Management Suite (e.g. Protege Users), make sure that both the Local Allow and Remote Allow checkboxes are checked.
12. Access Permissions per user should be set in the same way as the Launch and Activation Permissions per user:
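An added helper, not from the application note, that creates the Protege Users group from step 10 and then reads back, without changing anything, the registry values behind the Edit Limits and Edit Default dialogs, including the Group Policy key that explains why step 7 can leave the limits greyed out; the user names are constructed and the group comment is an assumption.

```batch
@echo off
REM Added example (not from the application note): implements step 10
REM (a local "Protege Users" group) and audits, read-only, the DCOM
REM machine-wide settings that steps 6-11 edit through DCOMCnfg.
REM The security descriptors themselves are still set in the DCOMCnfg
REM dialogs; this script only shows whether they exist and whether
REM Group Policy is overriding them (step 7). Run as Administrator.
REM Assumptions: USERS is a constructed sample list; replace it with the
REM accounts that run PTSvr.exe or PTView.exe on this machine.

setlocal
set "GROUP=Protege Users"
set "USERS=alice bob"

REM Create the group only if it does not exist yet, then add members.
net localgroup "%GROUP%" >nul 2>&1 || net localgroup "%GROUP%" /add /comment:"Accounts that run Protege clients or servers"
for %%U in (%USERS%) do net localgroup "%GROUP%" %%U /add
net localgroup "%GROUP%"

echo.
echo === DCOM machine-wide values (HKLM\SOFTWARE\Microsoft\Ole) ===
REM EnableDCOM must be Y. MachineAccessRestriction and
REM MachineLaunchRestriction hold the Edit Limits descriptors (steps 8-9),
REM DefaultAccessPermission and DefaultLaunchPermission the Edit Default
REM ones (steps 11-12). A value that is absent means the built-in SP2
REM default still applies, i.e. remote Protege traffic is still blocked.
reg query "HKLM\SOFTWARE\Microsoft\Ole" | findstr /i "EnableDCOM Restriction Permission"

echo.
echo === Group Policy override check (step 7) ===
REM When the DCOM policy values exist here, the Edit Limits buttons in
REM DCOMCnfg are disabled and the policy SDDL string wins over the local
REM setting, so the change has to be made in the policy instead.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM" 2>nul || echo No DCOM policy values found; the local limits apply.
endlocal
```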

Configuring DCOM Only For The Protégé System

It is not recommended to configure the DCOM security settings ONLY for the Protégé System Management Suite; however, it may be a requirement in some scenarios. To do this type of configuration you set the DCOM settings that affect only one application. Follow these steps to configure DCOM for the PTSvr application using Windows XP Service Pack 2.

1. Go to Start -> Run, type DCOMCnfg and click on OK.
2. Click on Component Services under the Console Root to expand it.
3. Click on Computers under Component Services to expand it.
4. Right click on My Computer in the pane on the right and select Properties.
5. Double click DCOM Config.
6. Select the PTSvr application, right click the selection and then click Properties.
7. In the server property page select the Security tab.
8. Edit the server permissions settings: select Customize and click the Edit button.
9. Edit the Launch/Activation Permissions. For each user (or group) that participates in using the Protégé System Management Suite (e.g. Protege Users), make sure that both the Local Allow and Remote Allow checkboxes are checked.
10. Since Everyone includes all authenticated users, it is often desirable to grant these permissions to a smaller subset of users. One suggested way to accomplish this is to create a group named Protege Users and add to this group all user accounts that will execute any Protégé Server or Client. Then substitute Protege Users everywhere that Everyone appears in these configuration dialogs.
11. Edit the Access Permissions. For each user (or group) that participates in Protégé System Management Suite applications (e.g. Protege Users), make sure that both the Local Allow and Remote Allow checkboxes are checked.

REFERENCES

Microsoft

MS White Paper: Windows XP Service Pack 2 Overview. Published: February 2004. For the latest information, please see http://msdn.microsoft.com/security

Windows XP Service Pack 2 - Security Information for Developers: http://msdn.microsoft.com/security/productinfo/xpsp2/default.aspx

Changes to Functionality in Microsoft Windows XP Service Pack 2: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx

INFORMATION

Introduction

Application notes are provided as is without any implied warranty or intended use and are written by Integrated Control Technology as an aid in programming and connecting devices to the Protégé System.

Contact

Integrated Control Technology welcomes all feedback. Please visit our website or use the information below.

Integrated Control Technology
Unit C, 6 Ascension Place, Mairangi Bay, Auckland, New Zealand
P.O. Box 302-340, North Harbour Post Centre, Auckland, New Zealand
Phone: +64-9-476-7124
Fax: +64-9-476-7128
www.integratedcontroltechnology.com
