Establishing Reliable and Secure DCOM Communication
Scenario: You want DCOM working properly and securely.
Reference: For background information, see OPC and DCOM Security.
Workflow diagram:
Prerequisites:
You must consult the IT manager before making any changes to the Windows security settings or policies.
Before trying to establish reliable and secure DCOM communication, verify whether antivirus software is installed and how it is configured. Antivirus software detects viruses and other malware (trojans, worms, and so on) and protects the computer from unwanted activity. It should not block OPC applications, because they do not harm the computer. It may therefore be necessary to add the OPC clients, OPC servers, and OPCEnum to the antivirus exception list so that they are not accidentally stopped or removed. Here too, you must consult the IT Manager.
Please note that the following procedure is based on a computer running at least Windows XP/SP2 or Windows Server 2003/SP1. Earlier versions of Windows can still take advantage of many (but not all) of these suggestions, but are considerably more difficult to configure. So, if possible, upgrade any OPC host platforms to a newer operating system version as a first step.
Steps:
The first step in establishing DCOM communication is to temporarily disable the Windows Firewall, which is turned on by default.
The Firewall helps protect computers from unauthorized access (usually by viruses, worms, and negligent people or those with malicious intent). If the computer resides on a safe network, there is usually little potential for damage as long as the Firewall is turned off only for a short time.
Check with your Network Administrator to ensure it is safe to temporarily turn off the Windows Firewall.
To turn off the Windows Firewall, do the following:
- In the Windows search box on the taskbar, enter Windows Defender Firewall.
- Press ENTER.
- Select Turn Windows Firewall on or off.
- The Customize Settings window displays.
- Select Turn off Windows Firewall (not recommended).
- Click OK.
You must define which users have access and launch permissions for DCOM applications, either on the local computer or on computers belonging to the local network and domain. Consequently, both computers must have access to the same user name and password combinations. User names and passwords must match on all the computers that require OPC access:
- When using Windows workgroups, each computer must have a complete list of all user accounts and passwords (see Add a Local User, below).
- When using a single Windows domain, user accounts are properly synchronized by the domain controller (see Add a Domain User, below).
- When using multiple Windows domains, you must either establish a trust between domains, or create a local user account for each affected computer.
Add a Local User
If the computer is in a workgroup, do the following to create a user account:
- In the Windows search box on the taskbar, enter MMC.
- Press ENTER.
- The Microsoft Management Console starts.
NOTE: Only users with administrator privileges can use the MMC. If User Account Control (UAC) is enabled, you may be prompted for an administrator password or confirmation.
- In the Console left pane, select Local Users and Groups.
NOTE: If Local Users and Groups is not visible, it is probably because this snap-in has not been added to MMC. Proceed as follows to install it:
a. In the Console window, select File > Add/Remove Snap-in.
b. Select Local Users and Groups and click Add.
c. Select the Local computer option, click Finish and then click OK.
- Select the Users folder.
- In the Console window, select Action > New User.
- In the New User dialog box, enter the appropriate information:
a. In the User name field, enter a name for the user (for example, OPCUser).
b. Enter the password and confirm it.
Do not leave the password field empty: DCOM communication cannot be established with a user account that has no password.
c. Clear the option User must change password at next logon.
d. Select the following options: User cannot change password and Password never expires.
- Click Create.
- Click Close.
Add a Domain User
If the computer is in a domain, to create a user account do the following:
- In the Windows search box on the taskbar, enter Control Panel.
- Press ENTER.
- In the Control Panel window, select System and Security > Administrative Tools > Active Directory Users and Computers.
- Select Domain and then select the Users folder.
- In the Console window, select Action > New User.
- In the New User dialog box, enter the appropriate information:
a. In the User name field, enter a name for the user (for example, OPCUser).
b. Enter the password and confirm it.
Do not leave the password field empty: DCOM communication cannot be established with a user account that has no password. The password must comply with the domain password policies.
c. Clear the option User must change password at next logon.
d. Select the following options: User cannot change password and Password never expires.
- Click Next.
- Click Finish.
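The account settings asked for in the two procedures above (a non-empty password, no forced change at next logon, user cannot change password, password never expires), as an added PowerShell example that is not part of the original guide. It creates the account locally or, with -Domain, in Active Directory, and then reads the account back to confirm the flags were applied. It assumes an elevated session, the example name OPCUser from the guide, and the ActiveDirectory RSAT module for the domain case; in a workgroup, run it with the same name and password on every computer that needs OPC access.

```powershell
param(
    [string]$UserName = 'OPCUser',   # example account name used in the guide
    [switch]$Domain                  # create the account in Active Directory instead of locally
)

# Prompt for the password instead of hard-coding it. An empty password is refused because
# DCOM cannot authenticate an account that has none.
$password = Read-Host -AsSecureString -Prompt "Password for $UserName"
if ($password.Length -eq 0) { throw 'The OPC account must have a non-empty password.' }

if ($Domain) {
    # New-ADUser fails if the password does not meet the domain password policy.
    Import-Module ActiveDirectory
    New-ADUser -Name $UserName -SamAccountName $UserName -AccountPassword $password `
        -Enabled $true -ChangePasswordAtLogon $false `
        -CannotChangePassword $true -PasswordNeverExpires $true
    $u  = Get-ADUser -Identity $UserName -Properties CannotChangePassword, PasswordNeverExpires
    $ok = $u.Enabled -and $u.CannotChangePassword -and $u.PasswordNeverExpires
} else {
    New-LocalUser -Name $UserName -Password $password `
        -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'Identity used by the OPC server for DCOM' | Out-Null
    $u = Get-LocalUser -Name $UserName
    # PasswordExpires is $null when the password never expires.
    $ok = $u.Enabled -and $u.PasswordRequired -and
          (-not $u.UserMayChangePassword) -and ($null -eq $u.PasswordExpires)
}

if ($ok) { "$UserName created with the settings required for DCOM." }
else     { Write-Warning "$UserName exists but its settings differ from the guide; review them in the console." }
```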
System-wide changes affect all Windows applications that use DCOM, including the OPC application. In addition, since OPC client applications do not have their own DCOM settings, they are affected by changes to the default DCOM configuration. To modify the configuration, follow the procedure below.
Display My Computer Properties
- In the Windows search box on the taskbar, enter DCOMCNFG.
- Press ENTER.
- The DCOM configuration process is initiated.
- In the Component Services window, under Console Root, expand Component Services, and expand the Computers folder.
- My Computer is in the Computers folder.
- Right-click My Computer and select Properties to display the My Computer Properties dialog box.
Set up Default Properties
- In the My Computer Properties dialog box, click the Default Properties tab.
- Ensure that three specific options are set as follows:
a. Select the Enable Distributed COM on this computer option.
NOTE: If this option is modified, it is necessary to reboot the computer.
b. From the Default Authentication Level drop-down list, select Connect.
c. From the Default Impersonation Level drop-down list, select Identify.
NOTE: The components needed to verify Desigo CC OPC DA server are indicated in bold type.
d. Click Apply.
Set up Default Protocols
- In the My Computer Properties dialog box, click the Default Protocols tab.
- Set the DCOM Protocols to Connection-oriented TCP/IP.
- Click Apply.
NOTE: OPC communication only requires connection-oriented TCP/IP, so it is possible to delete the other DCOM protocols. However, if non-OPC applications do require those protocols, you must not remove them; the only consequence of keeping them is that timeouts may take a little longer to reach Test Mode.
Set up COM Security
Windows uses the COM Security tab to set the system-wide Access Control Lists (ACLs) for all DCOM objects. There are ACLs for Launch/Activation (the ability to start an application) and for Access (the ability to exchange data with an application).
To add the correct permissions, do the following on the server machine:
- In the My Computer Properties dialog box, click the COM Security tab.
- In the Access Permissions section, click Edit Limits.
- In the Access Permission dialog box, do the following:
a. Add ANONYMOUS LOGON and Everyone to the list of Group or user names.
b. For both, select the Local Access and Remote Access options.
c. Click OK.
- In the Access Permissions section, click Edit Default.
- In the Access Permission dialog box, do the following:
a. Add Everyone to the list of Group or user names.
b. Select the Local Access and Remote Access options.
c. Click OK.
- In the Launch and Activation Permissions section, click Edit Limits.
- In the Launch and Activation Permission dialog box, do the following:
a. Add Everyone to the list of Group or user names.
b. Select the following options: Local Launch, Remote Launch, Local Activation, and Remote Activation.
c. Click OK.
- In the Launch and Activation Permissions section, click Edit Default.
- In the Launch and Activation Permission dialog box, do the following:
a. Add Everyone to the list of Group or user names.
b. Select the following options: Local Launch, Remote Launch, Local Activation, and Remote Activation.
c. Click OK.
- In the My Computer Properties dialog box, click Apply.
NOTE: If the computer is in a workgroup, you must also add the NETWORK user, repeating the same steps as for the Everyone user:
- In the Access Permissions section, click Edit Limits, and do the following:
a. In the Access Permission dialog box, add NETWORK to the Group or user names list.
b. Select the Local Access and Remote Access options.
c. Click OK.
- In the Access Permissions section, click Edit Default, and do the following:
a. In the Access Permission dialog box, add NETWORK to the Group or user names list.
b. Select the Local Access and Remote Access options.
c. Click OK.
- In the Launch and Activation Permissions section, click Edit Limits, and do the following:
a. In the Launch and Activation Permission dialog box, add NETWORK to the Group or user names list.
b. Select the following options: Local Launch, Remote Launch, Local Activation, and Remote Activation.
c. Click OK.
- In the Launch and Activation Permissions section, click Edit Default, and do the following:
a. In the Launch and Activation Permission dialog box, add NETWORK to the Group or user names list.
b. Select the following options: Local Launch, Remote Launch, Local Activation, and Remote Activation.
c. Click OK.
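The Default Properties, Default Protocols and COM Security steps above all write registry values under HKLM\SOFTWARE\Microsoft\Ole and HKLM\SOFTWARE\Microsoft\Rpc. The following PowerShell audit, an added example that is not part of the original guide, reads those values back and reports whether they match what the procedure asks for; it also decodes the four COM Security descriptors so that every principal holding Remote Access or Remote Activation (including the ANONYMOUS LOGON, Everyone and NETWORK grants made above) stays visible to whoever reviews the machine. It assumes an elevated session; a value absent from the registry means the Windows default applies.

```powershell
# Added example, not from the original guide. Run from an elevated PowerShell session.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc'

# Default Properties / Default Protocols. Authentication levels: 1 None, 2 Connect, 3 Call,
# 4 Packet, 5 Packet Integrity, 6 Packet Privacy. Impersonation levels: 1 Anonymous,
# 2 Identify, 3 Impersonate, 4 Delegate. A missing value means the Windows default (2 for both).
$auth = if ($null -eq $ole.LegacyAuthenticationLevel) { 2 } else { $ole.LegacyAuthenticationLevel }
$imp  = if ($null -eq $ole.LegacyImpersonationLevel)  { 2 } else { $ole.LegacyImpersonationLevel }
$checks = @(
    @{ Name = 'Enable Distributed COM';       Value = $ole.EnableDCOM; Expected = 'Y' },
    @{ Name = 'Default Authentication Level'; Value = $auth;           Expected = 2 },
    @{ Name = 'Default Impersonation Level';  Value = $imp;            Expected = 2 },
    @{ Name = 'Connection-oriented TCP/IP';
       Value = [bool]($rpc.'DCOM Protocols' -contains 'ncacn_ip_tcp'); Expected = $true }
)
foreach ($c in $checks) {
    $state = if ($c.Value -eq $c.Expected) { 'OK  ' } else { 'DIFF' }
    '{0} {1,-30} = {2}' -f $state, $c.Name, $c.Value
}

# COM Security. The four ACLs are stored as binary security descriptors. DCOM access-mask
# bits: 1 Execute, 2 Local Access/Launch, 4 Remote Access/Launch, 8 Local Activation,
# 16 Remote Activation.
$bits = [ordered]@{ 2 = 'Local'; 4 = 'Remote'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
$acls = [ordered]@{
    MachineAccessRestriction = 'Access Permissions / Edit Limits'
    DefaultAccessPermission  = 'Access Permissions / Edit Default'
    MachineLaunchRestriction = 'Launch and Activation Permissions / Edit Limits'
    DefaultLaunchPermission  = 'Launch and Activation Permissions / Edit Default'
}
foreach ($name in $acls.Keys) {
    "`n$($acls[$name]) ($name)"
    $raw = $ole.$name
    if (-not $raw) { '  not set: the built-in Windows default applies'; continue }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
        $rights = ($bits.Keys | Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $bits[$_] }) -join ', '
        '  {0,-13} {1,-32} {2}' -f $ace.AceType, $who, $rights
    }
}
```

Any AccessAllowed entry that lists Remote or RemoteActivation for a broad principal is reachable from the network once the firewall exceptions are opened, so the output is worth keeping with the change record.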
Once the system-wide DCOM settings are properly configured, it is necessary to configure the server-specific DCOM settings. To modify the configuration, do the following:
- In the Windows search box on the taskbar, enter DCOMCNFG.
- Press ENTER.
- The DCOM configuration process is initiated.
- In the Component Services window, under Console Root, expand Component Services, and then expand the Computers folder.
- My Computer is in the Computers folder.
- Expand My Computer and select DCOM Config.
- In the list of objects in the right window pane, right-click [company name].OPC.Server.DA and select Properties.
- The OPC DA Server Properties dialog box displays. In the OPC-server-specific settings, you must change only the Identity tab settings. The remaining tabs can keep the default configuration set previously (see Configuring Default System-wide DCOM Settings).
- In the OPC DA Server Properties dialog box, select the Identity tab.
- Select the This user option.
- In the User field, enter the User Account name created for OPC (for example, OPCUser).
- Enter the password and confirm it.
- Click OK.
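The Identity setting is stored per application under the server's AppID key. The following PowerShell snippet, an added example rather than part of the guide, follows the ProgID to CLSID to AppID chain for the OPC server and reports which identity DCOM will launch it as, and whether the server carries its own Launch or Access permissions that override the system-wide COM Security defaults (which, per the step above, it should not). COMPANY.OPC.Server.DA is a placeholder for the real ProgID the guide writes as [company name].OPC.Server.DA.

```powershell
param([string]$ProgId = 'COMPANY.OPC.Server.DA')   # placeholder; substitute the real ProgID

$hkcr = 'Registry::HKEY_CLASSES_ROOT'

# ProgID -> CLSID: the (default) value of HKCR\<ProgID>\CLSID
$clsid = (Get-ItemProperty -Path "$hkcr\$ProgId\CLSID" -ErrorAction Stop).'(default)'

# CLSID -> AppID: the AppID value of HKCR\CLSID\<clsid>
$appId = (Get-ItemProperty -Path "$hkcr\CLSID\$clsid" -ErrorAction Stop).AppID
if (-not $appId) { throw "CLSID $clsid has no AppID, so it has no per-server DCOM settings." }

$app = Get-ItemProperty -Path "$hkcr\AppID\$appId" -ErrorAction Stop

# The Identity tab maps to the RunAs value: absent = "The launching user",
# "Interactive User" = "The interactive user", anything else = "This user" (an account name).
# The password for "This user" is kept as an LSA secret, not in this key.
if (-not $app.RunAs) { $identity = 'The launching user (no RunAs value)' }
elseif ($app.RunAs -eq 'Interactive User') { $identity = 'The interactive user' }
else { $identity = "This user: $($app.RunAs)" }

[pscustomobject]@{
    ProgId   = $ProgId
    Clsid    = $clsid
    AppId    = $appId
    Identity = $identity
    # Per-server ACLs, when present, replace the system-wide COM Security defaults.
    OverridesLaunchPermission = [bool]$app.LaunchPermission
    OverridesAccessPermission = [bool]$app.AccessPermission
    RunsAsService             = [bool]$app.LocalService
}
```

For the configuration described above, Identity should read "This user: <OPC account>" and both Overrides fields should be False.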
Once the OPC client/server communication has been established, it is important to secure the computers again by turning on the Windows Firewall. This will block all unauthorized network traffic. It is also necessary to provide exceptions on two main levels:
- Application level. Specify which applications are able to respond to unsolicited requests:
  - Add OPCEnum and [company name].OPC.Server.DA to the allowed applications list.
- Port-and-protocol level. Specify that the firewall must allow or deny traffic on a specific port for either TCP or UDP traffic:
  - Open port 135 for the TCP protocol.
  This port is commonly used to allow clients to discover and use a DCOM service (for example, OPCEnum).
In addition to the server computer, you must also configure the firewall on the client computer so that callbacks can be received. In this case, add the OPC clients to the allowed applications list.
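The two exception levels described above, as an added PowerShell example that is not part of the original guide: it turns the Windows Firewall back on, then adds program rules for OPCEnum and the OPC server (or, with -Role Client, for the OPC client so that callbacks can arrive) and the TCP 135 port rule. The executable paths are placeholders to replace with the real install paths, and the rules are scoped to the Domain and Private profiles on the assumption that the OPC network is one of those.

```powershell
param(
    [ValidateSet('Server', 'Client')] [string]$Role = 'Server',
    [string]$OpcEnumExe   = "$env:SystemRoot\System32\OpcEnum.exe",        # usual location; verify
    [string]$OpcServerExe = 'C:\Program Files\COMPANY\OPC\OpcServerDA.exe',  # placeholder path
    [string]$OpcClientExe = 'C:\Program Files\COMPANY\OPC\OpcClient.exe'     # placeholder path
)
$profiles = 'Domain', 'Private'   # assumption: the OPC network is a domain or private network

# 1. Turn the firewall back on for every profile so unsolicited traffic is blocked again.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Application level: allow one specific executable to answer unsolicited inbound requests.
# An existing rule with the same name is replaced so the script can be re-run safely.
function Add-ProgramException([string]$Name, [string]$Path) {
    if (-not (Test-Path -Path $Path)) { throw "Executable not found: $Path" }
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Program $Path -Profile $profiles | Out-Null
}

if ($Role -eq 'Server') {
    Add-ProgramException -Name 'OPC Enum (DCOM)'      -Path $OpcEnumExe
    Add-ProgramException -Name 'OPC DA Server (DCOM)' -Path $OpcServerExe
    # Port-and-protocol level: TCP 135 is the RPC endpoint mapper clients use to find DCOM services.
    $portRule = 'DCOM endpoint mapper (TCP 135)'
    Get-NetFirewallRule -DisplayName $portRule -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $portRule -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 135 -Profile $profiles | Out-Null
} else {
    # Client computer: the OPC client must be allowed so the server's callbacks can reach it.
    Add-ProgramException -Name 'OPC DA Client (DCOM)' -Path $OpcClientExe
}

# Show the rules now in place.
Get-NetFirewallRule -DisplayName 'OPC*', 'DCOM*' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```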