
       The DCOM Configuration

 

Security is very important in every OPC system. Important information can be obtained from an OPC Data Server, so client access should be monitored.

 

To manage DCOM security, run the DCOMCNFG.EXE application. The figure below shows the initial window of DCOMCNFG:

 

[Figure: XRatel_OPCServer]

 

 

It shows all configurable COM/DCOM components. To manage computer options, right-click the desired computer and select "Properties". The figure below shows the resulting window.

 

 

[Figure: dcom_computer]

 

 

To allow HTTP connections with COM, enable the option Enable COM Internet Services on this computer.

 

The Default Authentication Level option defines the authentication level of a client/server connection. Authentication consists of verifying the credentials of the server or client. Six options are available:

 

• None - No authentication is required.
• Connect and Default - All credentials are verified when a new connection is made.
• Call - All credentials are verified at the beginning of every call.
• Packet - All credentials are verified on every received packet.
• Packet integrity - All credentials and packet integrity are verified on every received packet.
• Packet privacy - All credentials and packet integrity are verified on every received packet, and the packets are encrypted.

 

 

The Impersonation Level option defines which operations can be performed with the client's identity. Four options are available:

 

• Anonymous - The client is anonymous to the server. The server can impersonate the client, but the credentials do not contain any information about it.
• Identify - The authentication is allowed and the server can impersonate the client to execute some actions.
• Impersonate - The server can impersonate the client using its security options.
• Delegate - The server can impersonate the client and the credentials can be sent to any number of machines.

 

 

All of the above modifications affect all DCOM objects.

 

If you need to determine which users' processes can launch or access a server, go to Default Security, as in the figure below:

 

[Figure: dcom_def_sec]

 

 

The Access Permissions box defines which processes can access a server, based on the user they run as, and the Launch and Activation Permissions box defines which processes can launch a server, based on the user they run as. These modifications affect all DCOM objects.

 

The image below shows all transport protocols available on the computer. The port used can be configured in the protocol properties. This configuration is important when the connection is behind a firewall and only specific ports can be accessed.

 

[Figure: dcom_def_prot]

 

 

The DCOM component properties let you configure specific properties for each component. The initial window is shown below:

 

[Figure: dcom_obj_general]

 

 

 

The only option available in this window is the Authentication Level. All options are the same as previously mentioned.

 

The Location properties define on which computer a COM Application will run. Three options are available:

 

• On the computer where the data is located
• On this computer
• The specified computer

 

 

To customize the Access Permissions and the Launch Permissions, open the Security tab. The screen below shows all possible options:

 

[Figure: XRatel_OPCServer2]

 

 

 

The Endpoints tab defines which transport protocol should be used for each COM Application.

 

The last tab is Identity. It defines which account should be used to run each DCOM Object. Four options are available:

 

• Interactive User - The object is launched by the current user. If the server is initiated from a remote computer, the local user will see the interface application.
• Launching User - The server has its own process and a new process is created for each client call.
• This User - All servers will be launched by the specified user and only one process is created.
• The System Account - The server will run as a process, but this option is available only for servers implemented as services.
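
The authentication level, impersonation level and identity settings described above are stored in the registry, so they can be reviewed without opening DCOMCNFG. The PowerShell below is an added example, not part of the XRatel documentation. It assumes the standard COM value names (LegacyAuthenticationLevel and LegacyImpersonationLevel under HKLM\SOFTWARE\Microsoft\Ole, AuthenticationLevel and RunAs under HKLM\SOFTWARE\Classes\AppID); the flagging thresholds and the sample data are this example's own.

```powershell
# Added example, not XRatel code. Value names are the standard COM registry
# values; the thresholds used for flagging are assumptions of this example.
$AuthnNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet integrity'; 6 = 'Packet privacy' }

function Get-DcomFinding {
    param([string]$Scope, [hashtable]$Values)
    # Machine-wide defaults use the Legacy* names; per-AppID keys use AuthenticationLevel.
    # A missing value means the COM default applies, so nothing is reported for it.
    foreach ($name in 'LegacyAuthenticationLevel', 'AuthenticationLevel') {
        if (-not $Values.ContainsKey($name)) { continue }
        $level = [int]$Values[$name]
        if ($level -eq 1) {
            "[HIGH] ${Scope}: $name = None, callers are not authenticated"
        } elseif ($level -ge 2 -and $level -lt 5) {
            "[WARN] ${Scope}: $name = $($AuthnNames[$level]), packets are not integrity checked"
        }
    }
    if ($Values['LegacyImpersonationLevel'] -eq 4) {
        "[WARN] ${Scope}: impersonation level Delegate, client credentials can be passed to other machines"
    }
    if ($Values['RunAs'] -eq 'Interactive User') {
        "[INFO] ${Scope}: runs as the interactive user, so it depends on who is logged on"
    }
}

function Read-RegValue {
    param([string]$Path)
    $h = @{}
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) {
        # Skip the PSPath/PSParentPath/... properties PowerShell adds to every item.
        foreach ($p in $item.PSObject.Properties) { if ($p.Name -notlike 'PS*') { $h[$p.Name] = $p.Value } }
    }
    $h
}

$targets = [ordered]@{}
if ($env:OS -eq 'Windows_NT') {
    $targets['Machine default'] = Read-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole'
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '{*}' } |
        ForEach-Object { $targets["AppID $($_.PSChildName)"] = Read-RegValue $_.PSPath }
} else {
    # Constructed sample so the logic can be exercised off Windows (pwsh).
    $targets['Machine default'] = @{ LegacyAuthenticationLevel = 2; LegacyImpersonationLevel = 4 }
    $targets['AppID {00000000-0000-0000-0000-000000000000}'] = @{ AuthenticationLevel = 1; RunAs = 'Interactive User' }
}
foreach ($scope in $targets.Keys) { Get-DcomFinding -Scope $scope -Values $targets[$scope] }
```

An AppID key with no AuthenticationLevel value inherits the machine-wide default, so read the per-component findings together with the "Machine default" line.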

 


©2008 XRatel Software. All rights reserved.