In August 2004, Microsoft released Windows XP Service Pack 2 as an immediate response to several security flaws in Windows XP.
It was designed mainly to reduce commonly available attack surfaces and increase the security of Windows XP.
Service Pack 2 reduces the attack surface by providing:
1. Improved Windows Firewall to enhance protection against network-based attacks
2. Improved RPC and DCOM communication security
3. Improved memory protection
4. Improved Internet Explorer security
Most OPC systems (Clients and Servers) use DCOM to communicate over a network, and they are affected by the
improvements contained in Service Pack 2. When Service Pack 2 is installed with all default settings, all DCOM
communications may fail.
Two security improvements in particular prevent OPC Servers and Clients from working. The first is the Windows XP
firewall settings. By default, the Windows XP firewall blocks all DCOM communications (TCP port 135). The second
is a restriction that makes DCOM ignore callbacks coming from anonymous users. When a typical OPC Server
communicates with OPC Clients, the server sends callbacks to the client, and this security improvement blocks
those callbacks from the server.
The instructions provided here will help you configure all XRatel products to operate under Windows XP SP2.
If you use another firewall, you must open TCP port 135 in it to enable DCOM communications.
I - Windows Firewall
I.a - by Windows
Some changes in Windows Firewall are needed to make OPC Servers communicate over a network when using
Windows XP Service Pack 2. You should create an exception to allow the OPC Server to communicate using DCOM
and set up the appropriate port for it.
1) Open the Security Center in Control Panel and click Windows Firewall.

By default, Windows Firewall is enabled. It is NOT recommended to disable the firewall, except for troubleshooting purposes.
2) Click the "Exceptions" tab.
3) Add all XRatel OPC Servers (XRPMSVR.EXE/XRSNSVR.EXE, found in the Bin folder under the PerfMon/SNMP main folder).
4) Add the OPC Enumerator Utility (OPCEnum.exe found in the Windows\System32 folder).

5) Add TCP port 135 to enable DCOM communications.

I.b - by Command Prompt (CMD)
You can also allow DCOM through the firewall from the command line by following these steps:
1) Open the Command Prompt (CMD).

2) Type this command: "netsh firewall set service RemoteAdmin"
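
The exceptions from steps 3 to 5 of section I.a can also be created from a batch file. The script below is an added example, not part of the original XRatel instructions; it uses the Windows XP SP2 "netsh firewall" context and limits every exception to the local subnet. XRATEL_BIN is a placeholder and must be set to the Bin folder of your own PerfMon/SNMP installation.

```bat
@echo off
rem Added example: scripted form of steps 3-5 in section I.a.
rem ASSUMPTION: XRATEL_BIN is a placeholder path, not the product's real install location.
setlocal
set "XRATEL_BIN=C:\PLACEHOLDER\Bin"

rem SUBNET accepts connections only from the local subnet; ALL would accept any source.
set "FW_SCOPE=SUBNET"

rem Step 3: allow whichever XRatel OPC servers are present in the Bin folder.
for %%F in (XRPMSVR.EXE XRSNSVR.EXE) do (
    if exist "%XRATEL_BIN%\%%F" (
        netsh firewall add allowedprogram program="%XRATEL_BIN%\%%F" name="XRatel OPC Server %%F" mode=ENABLE scope=%FW_SCOPE%
    ) else (
        echo Skipping %%F: not found in "%XRATEL_BIN%"
    )
)

rem Step 4: allow the OPC Enumerator utility.
netsh firewall add allowedprogram program="%SystemRoot%\System32\OPCEnum.exe" name="OPC Enumerator" mode=ENABLE scope=%FW_SCOPE%

rem Step 5: open TCP port 135 for DCOM.
netsh firewall add portopening protocol=TCP port=135 name="DCOM TCP 135" mode=ENABLE scope=%FW_SCOPE%

rem Review the result: only the entries added above should be new.
netsh firewall show allowedprogram
netsh firewall show portopening
endlocal
```

The RemoteAdmin service exception used in step 2 above is broader than these entries: besides TCP port 135 it also opens TCP port 445. If the OPC clients are on a different subnet, replace SUBNET with scope=CUSTOM and an addresses= list of the client hosts.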

II - DCOM Configuration
Some changes in DCOM configuration are needed to make the OPC Server communicate over a network when
using Windows XP Service Pack 2. By default, DCOM will ignore callbacks from anonymous logons.
1) Open the DCOM Configuration Utility (DCOMCNFG.EXE).

2) Expand the Component Services tree node, right-click the My Computer icon and click Properties.

3) Click the COM Security tab. You should see two Edit Limits buttons. Click the Edit Limits button in the Access Permissions group.

4) Check the Remote Access box for the user ANONYMOUS_LOGON and click OK.
This setting is necessary for some OPC Servers and Clients that set the DCOM Authentication Level to None.
The OPC Enumeration Utility (OPCENUM.EXE) also requires changes in this configuration.

5) Click the Edit Limits button in the Launch and Activation Permissions group. Check the Remote Launch box
and the Remote Activation box for the user Everyone and click OK.

The Everyone group includes all authenticated users. You may wish to grant these permissions to a smaller
group of users. One way to accomplish this is to create a group named "XRatel Users" and add all user
accounts to this group. Then grant Launch and Activation permissions to the "XRatel Users" group
instead of Everyone.
III - More Information
For a list of changes in Service Pack 2, check the following link.
Microsoft Windows SP2 Changes
If you still need help, please contact our support department.