Citect and Microsoft Windows XP Service Pack 2 Citect and Windows XP Spk 2 White Paper Page 1
About Citect

Citect Pty Ltd is a worldwide leader in industrial automation and information management. Its CitectHMI/SCADA and Plant2Business software are complemented by professional services, customer support and training. These solutions are enhanced by strong partner programs and are sold in numerous industries, including water and waste water, facilities monitoring, gas pipelines, mining, dairy, food processing, pharmaceuticals, and power distribution. Citect is headquartered in Sydney, Australia, has offices in Australia, USA, Europe, China and Africa, and its products are distributed in more than 40 countries worldwide. For further information, visit http://www.citect.com/

© 2004 Citect Pty Ltd. All rights reserved.

The information contained in this document represents the current view of Citect on the issues discussed as of the date of publication. Because Citect must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Citect, and Citect cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. CITECT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) or for any purpose, without the express written permission of Citect Pty Ltd. Citect may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Citect, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property.

Citect, CitectSCADA, CitectHMI, Plant2Business and Plant2Net are either registered trademarks or trademarks of Citect Group Corporation in Australia and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

About Citect ... 2
Contents ... 3
1 Introduction ... 4
2 Windows XP Service Pack 2 ... 4
2.1 Network Protection ... 4
2.2 Memory Protection ... 4
2.3 E-mail Protection ... 4
2.4 Safer Browsing ... 5
3 The Windows Firewall ... 5
3.1 Disabling the Windows Firewall ... 5
3.2 Modifying the Firewall Settings ... 5
3.3 Methods of Allowing Access ... 7
3.3.1 The Program Method ... 7
3.3.2 The Port Method ... 8
3.3.3 Scope ... 9
4 Implications for Citect Products ... 10
5 CitectHMI/SCADA ... 10
5.1 Windows Firewall Settings ... 10
6 Plant2Business ... 11
6.1 Windows Firewall Settings ... 11
6.2 Plant2Business Security Settings ... 11
7 OPC Servers and Clients ... 12
7.1 Windows Firewall Settings ... 12
7.2 DCOM Settings ... 12
1 Introduction

This document describes Windows XP Service Pack 2 and its implications for Citect and OPC products, and offers recommendations on configuration settings that allow CitectHMI/SCADA, Plant2Business and OPC servers and clients to operate normally when running under Windows XP Service Pack 2.

2 Windows XP Service Pack 2

The major goal of Windows XP Service Pack 2 is to reduce common openings for attack on the Windows operating system. Windows XP Service Pack 2 reduces the most common attack vectors in four ways:

- better shields the network
- enhances protection of memory
- handles e-mail more safely
- browses the Internet more securely

2.1 Network Protection

Network protection is the largest area of improvement in Windows XP Service Pack 2, and the one with the most implications for existing software. Windows Firewall is now enabled for all network interfaces by default, the Remote Procedure Call (RPC) service has been made less vulnerable to outside attack, and the Distributed Component Object Model (DCOM) infrastructure has additional access control restrictions to reduce the risk of a successful network attack.

2.2 Memory Protection

On CPUs that support execution protection (NX) technology, Windows XP Service Pack 2 marks data pages non-executable. This feature of the underlying hardware prevents execution of code from pages marked in this way. In addition to supporting NX, Service Pack 2 implements sandboxing: all binaries in the system have been recompiled with buffer security checks enabled so that the runtime libraries catch most stack buffer overruns, and "cookies" have been added to the heap so that the runtime libraries catch most heap buffer overruns.

2.3 E-mail Protection

In SP2, a new version of Outlook Express can block images and other external content in HTML e-mail, warn about other applications trying to send mail, and control the saving and opening of attachments that could potentially be a virus. Outlook Express also coordinates with the new application execution service to better protect the system from the execution of harmful attachments. Users also have the option to read or preview all messages in plain text mode, which avoids potentially unsafe HTML. Windows Messenger and MSN Messenger share the improvements to attachment control made for Outlook Express.
2.4 Safer Browsing

Internet Explorer (IE) has been made much more secure in Service Pack 2. It now manages add-ons and detects crashes due to add-ons, controls whether or not binary behaviors are allowed to run, and applies the same safety restrictions to all URL objects that previously applied only to ActiveX controls. It has more control over the execution of all content. IE now disallows access to cached scriptable objects: HTML pages can only script their own objects. IE also has a built-in facility to block unwanted pop-up windows and to manage the viewing of desired pop-up windows.

3 The Windows Firewall

It may be appropriate to permanently turn off the Windows Firewall if the machines running Citect or OPC products are sufficiently protected behind a corporate firewall. When it is turned off, the individual firewall settings outlined in the following sections need not be performed to allow Citect products to operate normally under Windows XP Service Pack 2.

3.1 Disabling the Windows Firewall

The Windows Firewall is on by default. If it is considered appropriate to permanently disable the firewall, use the following procedure:

1. Launch the Firewall Manager from the Windows Control Panel.
2. Select the OFF radio button.
3. Click OK.

3.2 Modifying the Firewall Settings

If you choose to use the Windows Firewall, you will need to modify its settings before using network resources. If you use network resources before doing so, you may be presented with a dialog requesting a decision: it will ask whether you want to Keep Blocking, Unblock or Ask Me Later. Selecting Unblock or Keep Blocking creates a rule in the firewall settings. You can delete or modify this rule at any time through the Firewall Manager in the Windows Control Panel.

The Windows Firewall Configuration Manager can be found in the Windows Control Panel. Locating it depends on how your system is configured. If your Windows Control Panel is in Category View, you will see the option Security Center; double click it to open, then locate the option for Windows Firewall and double click to open. If your Windows Control Panel is in Classic View, you can open the Windows Firewall directly by double clicking its icon.

At this stage the firewall should be enabled: On (recommended) selected, with Don't allow exceptions unchecked.

To change what traffic is allowed through to your machine, select the Exceptions tab.
3.3 Methods of Allowing Access

There are two basic methods of allowing access to your machine through the Windows Firewall: the Program method and the Port method. The program method is the safest option, but some administrators will require the port method to be used, and in some cases it is only possible to use the port method.

3.3.1 The Program Method

The advantage of using the application name is that it limits the scope on that PC to that application only. If another application tries to make a connection on the same ports, the user will be notified as if no rule existed and will be asked to take action on that application. It does not, however, stop another application that has been renamed to Citect32.exe (the Citect Runtime) and placed in the same location from maliciously opening ports. In fact such an application could open any port, not just the ports actually used by Citect products, because adding a program allows that program to open any port. If this is a concern, it may be necessary to secure the executable to prevent it being changed or overwritten.

To add an application, use the following procedure:

1. Launch the Firewall Manager from the Windows Control Panel.
2. Click on the Exceptions tab.
3. Select Add Program from the button selection.
4. Add the required program from the list. If the program does not appear in the list, navigate to it with the Browse button.

If you have installed IDC as well as the standard full-display CitectHMI/SCADA, you will see two Citect Runtimes in the list on the Firewall Manager main dialog. Note the capitalisation in the name along with the install path so that you select the one you need. This applies both when adding and when editing a program.

3.3.2 The Port Method

Some administrators prefer to open specific ports on a PC rather than admit whole programs. The difference is that any application on that PC will then be able to listen on that particular port.

To add a port, use the following procedure:

1. Launch the Firewall Manager from the Windows Control Panel.
2. Click on the Exceptions tab.
3. Select Add Port from the button selection.
4. Enter a name (e.g. Citect Trend Server) and port number.
5. Select the type of traffic you will allow on this port: TCP for connection-based applications like CitectHMI/SCADA, or UDP for datagram-based communications.

3.3.3 Scope

When adding programs, opening ports or editing a rule in the Windows Firewall, you will notice a scope button called Change Scope. The scope allows you to further lock down the system by permitting only certain machines or ranges of machines to use the added program or opened port. For more information on scope, see the Microsoft Windows XP Service Pack 2 documentation.
4 Implications for Citect Products

The network protection enhancements in Windows XP Service Pack 2 have implications for the following Citect and third-party products:

- CitectHMI/SCADA
- Plant2Business
- OPC Servers and Clients (including CitectHMI/SCADA as an OPC server or client)

The specific enhancements which affect these products are the new default settings for the Windows Firewall (all products) and the DCOM enhancements (Plant2Business and OPC Servers and Clients).

5 CitectHMI/SCADA

5.1 Windows Firewall Settings

Role                         Program            Checked   Port(s)
NetBIOS Server               N/A                N/A       UDP 137, 138; TCP 139
NetBIOS Client               Citect32.exe       No        TCP 2073, 2074
TCP/IP Report Server         Citect32.exe       Yes       TCP 2075
TCP/IP Alarm Server          Citect32.exe       Yes       TCP 2076
TCP/IP Trend Server          Citect32.exe       Yes       TCP 2077
TCP/IP I/O Server            Citect32.exe       Yes       TCP 2078
TCP/IP Time Server           Citect32.exe       Yes       TCP 2081 (v6.0 or later)
TCP/IP Client                Citect32.exe       No        TCP 2073, 2074
IDC Server                   Citect32.exe       Yes       TCP 2079
FTP Server                   Ftpsvr.exe         Yes       TCP 21
Internet Display Client      Citect32.exe       No        TCP 2073, 2074
CTAPI Server                 Citect32.exe       Yes       TCP 2073
Web Server (v6.0 or later)   N/A                N/A       TCP 80
Web Client (v6.0 or later)   Internet Explorer  No        TCP 2073, 2074
Cicode Remote Debugging      Citect32.exe       Yes       TCP 2074
Server Heartbeat (1)         Citect32.exe       Yes       TCP 2080

(1) This change is only required on a machine acting as a CitectHMI/SCADA Trend, Alarm, Report, I/O or Time Server where the TCP/IP server status heartbeat is in use. This heartbeat is not a default operation in CitectHMI/SCADA and is used by few customers. To check whether you are using it, refer to the Citect.ini parameter [LAN]ServerHeartbeat=1. If this parameter does not exist, you are not using this functionality.
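As an added example (not Citect's own tooling and not part of the original paper), the following Python script turns the section 5.1 table into the Windows XP SP2 `netsh firewall` commands for both the program method and the port method of section 3.3, restricting every exception to one subnet through the scope option of section 3.3.3. The install directory C:\Citect\Bin and the 192.168.10.0/24 SCADA subnet are assumptions, and the script treats rows marked Checked = No as client roles that need no inbound exception.

```python
# Generate XP SP2 "netsh firewall" exceptions from the section 5.1 table.
# Added example; CITECT_BIN and ALLOWED are assumed values, not from the paper.
CITECT_BIN = r"C:\Citect\Bin"           # assumed CitectHMI/SCADA install dir
ALLOWED = "192.168.10.0/255.255.255.0"  # assumed SCADA LAN used as the scope

# (role, program, checked, ports): a subset of the section 5.1 rows.
ROLES = [
    ("NetBIOS Server",       "N/A",          "N/A", "UDP 137,138 TCP 139"),
    ("NetBIOS Client",       "Citect32.exe", "No",  "TCP 2073, 2074"),
    ("TCP/IP Report Server", "Citect32.exe", "Yes", "TCP 2075"),
    ("TCP/IP Alarm Server",  "Citect32.exe", "Yes", "TCP 2076"),
    ("TCP/IP Trend Server",  "Citect32.exe", "Yes", "TCP 2077"),
    ("TCP/IP I/O Server",    "Citect32.exe", "Yes", "TCP 2078"),
    ("FTP Server",           "Ftpsvr.exe",   "Yes", "TCP 21"),
    ("Server Heartbeat",     "Citect32.exe", "Yes", "TCP 2080"),
]


def parse_ports(spec):
    """'UDP 137,138 TCP 139' -> [('UDP', 137), ('UDP', 138), ('TCP', 139)]."""
    out, proto = [], None
    for tok in spec.replace(",", " ").split():
        if tok.upper() in ("TCP", "UDP"):
            proto = tok.upper()          # protocol applies to the ports after it
        else:
            out.append((proto, int(tok)))
    return out


def build_commands(roles, method="program", scope=ALLOWED):
    """Return the netsh commands for the server roles in `roles`.
    Client rows (Checked == 'No') only connect outwards and are skipped.
    Rows without a program can only use the port method (section 3.3)."""
    cmds, seen = [], set()
    scope_args = f"mode=ENABLE scope=CUSTOM addresses={scope}"
    for role, program, checked, ports in roles:
        if checked == "No":
            continue
        if method == "program" and program != "N/A":
            if program in seen:          # one exception per executable
                continue
            seen.add(program)
            cmds.append(f'netsh firewall add allowedprogram program="{CITECT_BIN}\\{program}" '
                        f'name="Citect {program}" {scope_args}')
        else:
            for proto, port in parse_ports(ports):
                cmds.append(f'netsh firewall add portopening protocol={proto} port={port} '
                            f'name="{role} {proto} {port}" {scope_args}')
    return cmds


if __name__ == "__main__":
    for cmd in build_commands(ROLES, method="program"):
        print(cmd)
```

Run the printed commands from an administrator command prompt on the XP SP2 machine; switch to method="port" for sites whose administrators require the port method.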
6 Plant2Business

6.1 Windows Firewall Settings

Role             Program   Checked   Port(s)
Plant2Business   N/A       N/A       TCP 135
Plant2Net        N/A       N/A       TCP 80

6.2 Plant2Business Security Settings

Citect Plant2Business may also require these security modifications:

1. Open Component Services.
2. Expand Computers > My Computer > COM+ Applications > Plant2Business Portal.
3. Open the Properties of the Plant2Business Portal and select the Security tab.
4. Check that the "Enforce access checks for this application" check box is unchecked.
5. Repeat these steps for Plant2Business Server Data Access.
7 OPC Servers and Clients

7.1 Windows Firewall Settings

Role                      Program                Checked   Port(s)
OPC Server                Your OPC Server Name   Yes       TCP 135
Citect as an OPC Client   Citect32.exe           Yes       TCP 135

7.2 DCOM Settings

DCOM has been enhanced and may need modifications to its security settings. You must modify the DCOM Launch and Access permissions. For each user you add in these permissions, it is now possible to further limit them to local and remote access. Launch Permission is for the users who are able to start an OPC Server; Access Permission is for those users who may use the server once it is running.

To configure DCOM, use the following procedure:

1. Launch Administrative Tools from the Windows Control Panel.
2. Double click on the Component Services icon (alternatively, open the Windows Run dialog from the Start button by selecting Run, and type dcomcnfg).
3. Expand Component Services.
4. Click on the + under Computers.
5. Right click My Computer and select Properties.
6. Select the COM Security tab.
7. In the Access Permissions section, choose Edit Limits.
8. Check the Remote Access box for ANONYMOUS LOGON.
9. In the Launch and Activation Permissions section, choose Edit Limits.
10. Check the Remote Launch box for the user labelled Everyone (or another user group of your choice if you wish to limit more strictly the users who can remotely launch an application).
11. Edit the default for both Access Permissions and Launch and Activation Permissions.
12. Ensure that both Local Access and Remote Access have the Allow box checked for the groups you wish to give access.
For further information on Citect products and services, visit http://www.citect.com