1) Introduction
Eagerly awaited by Windows XP users, Service Pack 2 brought a series of updates and improvements to the operating system, mainly in the area of security. One of the most important new features is a software firewall, which is now an integral part of the operating system itself.
A firewall is a barrier placed between a private network and an external one to block attacks and intrusions: a security mechanism, implemented in hardware, in software or in both, that protects the organization's hardware and software resources from the threats the system is exposed to, according to the security policy the organization has established.
Besides this new feature, the COM and DCOM models also changed. Microsoft's COM (Component Object Model) is an object-oriented, distributed, platform-independent system intended for building binary software components that can interact with each other. DCOM (Distributed Component Object Model) lets an application's components be distributed across the machines where they are most useful to the user and to the application. The DCOM wire protocol transparently provides reliable and efficient communication between COM components, which is why OPC communication drivers use it.
These changes in Windows make some configuration necessary for Elipse systems to work properly, as the next sections show.
2) Adjustments for Elipse systems
Windows Firewall
On the first boot after Service Pack 2 is installed, a wizard asks whether the firewall should be enabled or left disabled from that point on. From then on a new Control Panel item, Windows Firewall, is available, as seen in Picture 1.
Picture 1 – Activating Firewall
If you choose to disable the firewall, no further firewall-level measure is needed for the OPC Server, or for any other functionality of Elipse products, to work (skip to the DCOM section). Bear in mind that this also removes the protection the firewall gives the host. If you need the firewall enabled, some steps must be followed. First, it is imperative that the option Don't allow exceptions be unchecked; otherwise every exception is ignored and DCOM operation (the subject of this article) over the network becomes impossible. Once that precaution is taken, some exceptions must be entered in the Exceptions tab, as seen in Picture 2.
Picture 2 – Including exceptions
Basically, you must add TCP and UDP port 135 (the RPC endpoint mapper used by DCOM), plus TCP port 6515, which carries Viewer and Hot-Standby connections to E3Server and Studio connections to a remote E3Server. As program exceptions, add E3Server.exe and E3Run.exe in the case of Elipse SCADA, or ED_OPC.exe in the case of Elipse OPC Drivers. The program exceptions matter because port 135 only negotiates the connection: DCOM then moves to a dynamically assigned RPC port in the server process, which the program exception admits without opening a fixed port range. Once this is done, the application is ready to work with the firewall enabled.
DCOM
For a long time, users of Windows XP and Windows Server 2003 in stand-alone and home settings have wondered what use DCOM is in their daily work. Specialized applications such as SCADA, however, cannot do without it. DCOM was changed to close security weaknesses made evident by the proliferation of worms and viruses that exploited this protocol, without breaking the applications that genuinely need it. One example of how DCOM evolved with Service Pack 2: before it, there was no way to restrict a COM server application so that it could only be used locally, without also being exposed on the network via DCOM. Whoever had access to a COM server application had it both locally and remotely. Service Pack 2 adds computer-wide limits that separate local from remote access, launch and activation rights.
Some measures are therefore necessary so that the application keeps working as before. To configure this option through the user interface, the administrator must open the Component Services manager (dcomcnfg), right-click the computer to be configured and select Properties in the context menu, as seen in Picture 3.
Picture 3 – Selecting the computer to be configured
A dialog box is displayed, as seen in Picture 4; security is configured in the COM Security tab.
Picture 4 – Configuring security
Under Access Permissions, click Edit Limits and check the Remote Access option for ANONYMOUS LOGON, Everyone and SYSTEM, as seen in Picture 5.
Picture 5 – Defining access permissions in Access Permission
Finally, under Launch and Activation Permissions, click Edit Limits, add the ANONYMOUS LOGON, Everyone and SYSTEM users, and check the Remote Launch and Remote Activation options for each of them, as seen in Picture 6:
Picture 6 – Defining launch and activation permissions in Launch and Activation Permissions
It is also necessary to grant the ANONYMOUS LOGON user access permissions on E3 Server itself. To do so, right-click the E3 Server icon under DCOM Config in Component Services and select Properties in the context menu, as seen in Picture 7:
Picture 7 – Selecting E3 Server properties
Select the Security tab, shown in Picture 8:
Picture 8 – Configuring E3Server security
Under Launch and Activation Permissions, select Customize if it is not already selected, click Edit, add the ANONYMOUS LOGON and SYSTEM users, and check the Remote Launch and Remote Activation options, as seen in Picture 9:
Picture 9 – Setting permissions to run E3Server
Under Access Permissions, again select Customize if needed, click Edit, add the ANONYMOUS LOGON and SYSTEM users once more, and check the Remote Access option, as seen in Picture 10:
Picture 10 – Setting access permission for E3 Server
The changes made in the Component Services manager make DCOM work exactly as it did on Windows XP before Service Pack 2. Note that remote computers with Service Pack 2 installed must be adapted in the same way, since they would otherwise refuse the connection with the OPC Server. Note also what these limits mean: granting Remote Launch, Remote Activation and Remote Access to Everyone and ANONYMOUS LOGON reopens, machine-wide, the exposure that Service Pack 2 was designed to close, so they should be applied only on networks where that is acceptable (the conclusion points to a less exposed alternative).
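The limits set in Pictures 5 and 6 are stored as two REG_BINARY values under HKLM\SOFTWARE\Microsoft\Ole, MachineAccessRestriction and MachineLaunchRestriction, each a self-relative security descriptor whose DACL carries the COM rights bits behind the Remote Access, Remote Launch and Remote Activation checkboxes. The Python script below is an added example written for this article, not Elipse's or Microsoft's code: it decodes such a descriptor and reports which principals hold remote rights, so the result of the procedure can be verified on many hosts without opening dcomcnfg. The sample descriptors are constructed in the script; one mirrors the Service Pack 2 default launch limit as I recall it from the SP2 documentation (check it against your own host), the other mirrors Picture 6. The read_from_registry helper is an assumption about how the live value would be fetched and is only usable on a Windows host.

```python
"""Decode the machine-wide DCOM limits (MachineAccessRestriction /
MachineLaunchRestriction) and report who holds remote COM rights.
Added example for this article; not Elipse or Microsoft code."""
import struct

# COM access-right bits from the Windows SDK (objbase.h / iaccess.h).
COM_RIGHTS_EXECUTE = 0x01
COM_RIGHTS_EXECUTE_LOCAL = 0x02
COM_RIGHTS_EXECUTE_REMOTE = 0x04      # "Remote Access" / "Remote Launch"
COM_RIGHTS_ACTIVATE_LOCAL = 0x08
COM_RIGHTS_ACTIVATE_REMOTE = 0x10     # "Remote Activation"
REMOTE_BITS = COM_RIGHTS_EXECUTE_REMOTE | COM_RIGHTS_ACTIVATE_REMOTE
LOCAL_ONLY = COM_RIGHTS_EXECUTE | COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_ACTIVATE_LOCAL
ALL_RIGHTS = LOCAL_ONLY | REMOTE_BITS

WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-7": "ANONYMOUS LOGON",
              "S-1-5-18": "SYSTEM", "S-1-5-32-544": "Administrators"}
UNAUTHENTICATED = {"S-1-1-0", "S-1-5-7"}   # remote rights here = pre-SP2 exposure

ACCESS_ALLOWED, ACCESS_DENIED = 0, 1       # ACE types
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
SD_HEADER = "<BBHIIII"                     # revision, sbz1, control, 4 offsets


def sid_to_bytes(text):
    """Encode 'S-1-5-32-544' as a binary SID."""
    parts = text.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("unsupported SID " + text)
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(blob, off):
    """Decode the binary SID at off and return its string form."""
    revision, count = blob[off], blob[off + 1]
    authority = int.from_bytes(blob[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_descriptor(aces):
    """Constructed test data: a self-relative descriptor whose DACL holds
    the given (ace_type, sid_string, mask) entries, in that order."""
    body = b""
    for ace_type, sid, mask in aces:
        sid_bytes = sid_to_bytes(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_bytes), mask) + sid_bytes
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    header = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         0, 0, 0, struct.calcsize(SD_HEADER))
    return header + acl


def parse_dacl(blob):
    """Return [(ace_type, sid_string, mask)] from a self-relative descriptor."""
    revision, _, control, _, _, _, dacl_off = struct.unpack_from(SD_HEADER, blob, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                      # no DACL present: nothing to report
    ace_count = struct.unpack_from("<H", blob, dacl_off + 4)[0]
    pos, aces = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        aces.append((ace_type, sid_from_bytes(blob, pos + 8), mask))
        pos += ace_size
    return aces


def remote_rights(blob):
    """Per SID, the remote bits effectively granted.  Simplified evaluation:
    ACEs are matched by exact SID, a deny seen earlier masks later allows,
    and group membership is not expanded."""
    denied, granted = {}, {}
    for ace_type, sid, mask in parse_dacl(blob):
        if ace_type == ACCESS_DENIED:
            denied[sid] = denied.get(sid, 0) | mask
        elif ace_type == ACCESS_ALLOWED:
            granted[sid] = granted.get(sid, 0) | (mask & ~denied.get(sid, 0))
    return {s: m & REMOTE_BITS for s, m in granted.items() if m & REMOTE_BITS}


def audit(blob):
    """Unauthenticated principals holding remote rights; an empty list
    means the Service Pack 2 limit is still in force."""
    return sorted(WELL_KNOWN.get(s, s) for s in remote_rights(blob)
                  if s in UNAUTHENTICATED)


# Constructed samples: SP2_LAUNCH_DEFAULT mirrors the SP2 default launch
# limit as recalled (Everyone local only, Administrators everything);
# ARTICLE_LAUNCH mirrors Picture 6 of the article.
SP2_LAUNCH_DEFAULT = build_descriptor([
    (ACCESS_ALLOWED, "S-1-1-0", LOCAL_ONLY),
    (ACCESS_ALLOWED, "S-1-5-32-544", ALL_RIGHTS)])
ARTICLE_LAUNCH = build_descriptor([
    (ACCESS_ALLOWED, "S-1-1-0", ALL_RIGHTS),
    (ACCESS_ALLOWED, "S-1-5-7", ALL_RIGHTS),
    (ACCESS_ALLOWED, "S-1-5-18", ALL_RIGHTS)])


def read_from_registry(value_name):
    """Assumed usage on a Windows host (not run here): fetch the live blob."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Ole")
    return winreg.QueryValueEx(key, value_name)[0]


if __name__ == "__main__":
    for label, blob in (("SP2 default", SP2_LAUNCH_DEFAULT), ("article", ARTICLE_LAUNCH)):
        print(label, "remote:", {WELL_KNOWN.get(s, s): hex(m) for s, m in remote_rights(blob).items()})
        print(label, "exposed to unauthenticated:", audit(blob) or "none")
```

Run it as-is to see the two constructed cases side by side; on a Windows host, pass read_from_registry("MachineLaunchRestriction") or read_from_registry("MachineAccessRestriction") to audit() instead. A non-empty result from audit() on a production host means the SP2 hardening has been switched off machine-wide, which is exactly what the procedure above does, so the check is most useful for confirming that only the hosts that need it carry that configuration.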
3) Conclusion
With a better understanding of how Windows Firewall (which gives the computer extra protection on the network) and DCOM (an important protocol used by OPC drivers) work, it is possible to design a configuration that ensures Elipse's OPC drivers work just as they did on Windows XP before Service Pack 2.
The changes suggested here are not the only way to solve the problem. For more specific solutions, which expose the network even less, see:
http://download.microsoft.com/download/8/7/9/879a7b46-5ddb-4a82-b64d-64e791b3c9ae/02_CIF_Network_Protection.DOC