Author: 艾顿中国  Posted: 2008-11-4 11:10
Abstract

The major goal of Windows XP Service Pack 2 is to reduce the commonly available scenarios for malicious attack on Windows XP. The Service Pack will reduce the effect of the most common attacks in four ways:
1. Improvement in shielding Windows XP from the network
   a. RPC and DCOM communication enhancements
   b. Enhancements to the internal Windows firewall
2. Enhanced memory protection
3. Safer handling of e-mail
4. Internet Explorer security enhancements.

Most OPC Clients and Servers use DCOM to communicate over a network and thus will be impacted by the changes in Service Pack 2. When Service Pack 2 is installed with its default configuration settings, OPC communication via DCOM will cease to work. This paper describes the settings necessary to restore OPC communication when using XP Service Pack 2 (SP2).

SP2 includes many changes and security enhancements, two of which directly impact OPC via DCOM. First, new DCOM limit settings have been added. Secondly, the software firewall included with XP has been greatly enhanced and is turned on by default.

Since the callback mechanism used by OPC essentially turns the OPC Client into a DCOM Server and the OPC Server into a DCOM Client, the instructions provided here must be followed on all nodes that contain either OPC Servers or OPC Clients.

Note: OPC communication that is confined to a single machine (using COM, but not DCOM) will continue to work properly after installing XP SP2 without following the instructions in this white paper.

Windows Firewall

The Windows Firewall allows traffic across the network interface when initiated locally, but by default stops any incoming unsolicited traffic. However, this firewall is exception based, meaning that the administrator can specify applications and ports that are exceptions to the rule and can respond to unsolicited requests.

The firewall exceptions can be specified at two main levels, the application level and the port and protocol level. The application level is where you specify which applications are able to respond to unsolicited requests, and the port and protocol level is where you can specify the firewall to allow or disallow traffic on a specific port for either TCP or UDP traffic. To make any OPC client/server application work via DCOM, changes need to be made on both levels.

Note: Developers of OPC Products may want to make the necessary firewall settings programmatically. Microsoft supplies the Windows Firewall API to support this:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/inetfwauthorizedapplication_name.asp

Configuring the Firewall

1. By default the Windows Firewall is set to On. This setting is recommended by Microsoft and by OPC to give your machine the highest possible protection. For troubleshooting, you may wish to temporarily turn off the firewall to prove or disprove that the firewall configuration is the source of any communication failure.
Note: It may be appropriate to permanently turn off the firewall if the machine is sufficiently protected behind a corporate firewall. When turned off, the individual firewall settings outlined here need not be performed to allow OPC communication.
2. Select the Exceptions tab and add all OPC Clients and Servers to the exception list. Also add Microsoft Management Console (used by the DCOM configuration utility in the next section) and the OPC utility OPCEnum.exe found in the Windows\System32 directory.
In the Add a Program dialog, there is a listing of most applications on the machine, but note that not all of them show up on this list. Use the Browse button to find other executables installed on the computer.
Note: Only EXE files are added to the exceptions list. For in-process OPC Servers and Clients (DLLs and OCXs) you will need to add the EXE applications that call them to the list instead.
3. Add TCP port 135, as it is needed to initiate DCOM communications, and allow for incoming echo requests. In the Exceptions tab of the Windows Firewall, click on Add Port.
In the Add a Port dialog, fill out the fields as follows:
Name: DCOM
Port number: 135
Choose the TCP radio button

DCOM Enhancements

Service Pack 2 for Windows XP has also made some security enhancements to DCOM; two in particular need to be taken into consideration when using OPC on a network. First, the default Launch and Access permissions dialogs have been modified to allow the user to configure limits on the permissions given to applications using DCOM. Secondly, for each user now defined in the Launch and Access permissions, both local and remote access can be explicitly defined.

Author: 艾顿中国  Posted: 2008-11-4 11:17
A brief background on default Launch and Access permissions in DCOM: Launch permissions define who can launch a COM based application (such as an OPC server), both over the network and locally. Access permissions define who can access that application once it has been launched. Applications can get their Launch and Access permissions from one of three places: they can use explicitly defined settings for their application, they can use the default permissions, or they can set their own permissions programmatically. Because an application could set its own permissions programmatically, the explicitly defined or default settings, although set properly, may not be used, and therefore the user is not able to explicitly control these settings. To overcome this security flaw, Microsoft has added limits to the DCOM security settings for Launch and Access to limit the permissions that an application can use. This limit prevents the application from using permissions beyond what is specified in the DCOM configuration settings. By default the limits set by Service Pack 2 will not allow for OPC communications over the network.

In addition to the new permissions limits, one must now specify whether the user or group specified has permissions locally or remotely (or both). In order for OPC applications to work over the network with DCOM, the permissions must be set such that remote users can launch and/or access the OPC servers and clients on the machine.

Configuring DCOM

DCOM has settings for:
- the machine default
- each server
The machine default settings are used when there are no custom settings for the specific COM (OPC) server. If a server has custom settings then changes in the default settings have no effect for this server.

Configuring DCOM Machine Default

Follow these steps to configure the DCOM machine default settings for OPC Communications using Windows XP Service Pack 2:
1. Go to Start -> Run and type DCOMCnfg and click on OK.
2. Click on Component Services under the Console Root to expand it.
3. Click on Computers under Component Services to expand it.
4. Right click on My Computer in the pane on the right and select Properties.
5. Go to the COM Security tab and note these are the four permission configurations that we will have to edit:
6. Edit the Limits for Access and Launch
a. Access Permissions Edit Limits...
You need to check the Remote Access box for the user labeled ANONYMOUS LOGON in this dialog.
Note: This setting is necessary for OPCEnum.exe to function and for some OPC Servers and Clients that set their DCOM 'Authentication Level' to 'None' in order to allow anonymous connections. If you do not use OPCEnum you may not need to enable remote access for anonymous users.
b. Launch and Activation Permissions Edit Limits...
You need to check the remote boxes for the user labeled Everyone in this dialog.
Note: Since Everyone includes all authenticated users, it is often desirable to add these permissions to a smaller subset of users. One suggested way to accomplish this is to create a group named OPC Users and add to this group all user accounts that will execute any OPC Server or Client. Then substitute OPC Users everywhere that Everyone appears in these configuration dialogs.
7. Edit Default Permissions for Access and Launch
For each user (or group) that participates in OPC communication (e.g. OPC Users), make sure that both the Local Allow and Remote Allow checkboxes are checked.
Access Permissions per user:
Launch and Activation permissions per user:

Configuring DCOM for an individual OPC Server

Follow these steps to configure DCOM for a specific COM server for OPC Communications using Windows XP Service Pack 2:
1. Go to Start -> Run and type DCOMCnfg and click on OK.
2. Click on Component Services under the Console Root to expand it.
3. Click on Computers under Component Services to expand it.
4. Right click on My Computer in the pane on the right and select Properties.
5. Double click DCOM Config.
6. Select the OPC Server, right click the selection and then click Properties.
7. In the server property page select the Security tab.
8. Edit the server permissions settings. Select Customize and click the Edit button.
9. Edit the Launch/Activation Permissions
For each user (or group) that participates in OPC communication (e.g. OPC Users), make sure that both the Local Allow and Remote Allow checkboxes are checked.
Note: This setting is necessary for OPCEnum.exe to function and for some OPC Servers and Clients that set their DCOM 'Authentication Level' to 'None' in order to allow anonymous connections. If you do not use OPCEnum you may not need to enable remote access for anonymous users.
Note: Since Everyone includes all authenticated users, it is often desirable to add these permissions to a smaller subset of users. One suggested way to accomplish this is to create a group named OPC Users and add to this group all user accounts that will execute any OPC Server or Client. Then substitute OPC Users everywhere that Everyone appears in these configuration dialogs.
10. Edit the Access Permissions
For each user (or group) that participates in OPC communication (e.g. OPC Users), make sure that both the Local Allow and Remote Allow checkboxes are checked.
Note: The Launch and Access users are not necessarily the same, even for a single client application. Windows uses the thread security token for the launch/activation but the process token for the access. The two security tokens may be different.

Disclaimer

Although the paper is based on best practices as judged by the authors, the OPC Foundation and the authors assume no responsibility for its accuracy or suitability for application by its readers.

Author: gstba  Posted: 2008-11-5 22:01
Why post all that useless stuff? Simply put: it's like using Word to pull in Excel data. Communication between two pieces of software, that is OPC.

Author: 艾顿中国  Posted: 2008-11-6 11:12
Maybe someone will find it useful! Thanks for the criticism!

Author: dongbingqing  Posted: 2009-3-13 20:57
Learned something.

Author: 小步舞马  Posted: 2009-3-16 14:05
Is there no Chinese version of the specification?

Author: dod1024  Posted: 2009-4-23 17:55
Could you explain it in plainer terms??
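The firewall and DCOM steps from the white paper quoted at the top of the thread, scripted and audited as an added example; this is not code from the OPC Foundation paper or from any poster in the thread. It goes one step beyond the paper's GUI walkthrough by decoding the binary security descriptors that the "Edit Limits..." dialogs write under HKLM\SOFTWARE\Microsoft\Ole, so the result can be checked without clicking through dcomcnfg. Assumptions: PowerShell 2.0 or later running elevated on XP SP2 or a later Windows that still has the legacy "netsh firewall" context; the server path C:\Program Files\Vendor\OpcServer.exe and the group name OPC Users are placeholders; the COM access-mask bit values are the COM_RIGHTS_* constants from objbase.h.

```powershell
# Added example: not code from the OPC Foundation white paper or from any poster.
# Scripts and audits the two XP SP2 changes the paper says break OPC over DCOM:
#   1. Windows Firewall exceptions (programs, TCP 135, incoming echo request)
#   2. DCOM machine-wide Limits (MachineLaunchRestriction / MachineAccessRestriction)
# Assumptions: PowerShell 2.0+ run elevated on XP SP2 or a later Windows that still
# has the legacy 'netsh firewall' context; the server path and group are placeholders.

$OpcExe   = 'C:\Program Files\Vendor\OpcServer.exe'           # placeholder path
$OpcEnum  = Join-Path $env:SystemRoot 'System32\OPCEnum.exe'  # named in the paper
$OpcGroup = 'OPC Users'                                        # group the paper suggests

# ---- 1. Firewall: command-line equivalent of the Exceptions tab ----------------
# scope=SUBNET limits each exception to the local subnet instead of any address.
function Add-OpcFirewallExceptions {
    foreach ($exe in @($OpcExe, $OpcEnum)) {
        $label = 'OPC: ' + (Split-Path -Leaf $exe)
        netsh firewall add allowedprogram program="$exe" name="$label" mode=ENABLE scope=SUBNET
    }
    # TCP 135 is the RPC endpoint mapper used to initiate DCOM; ICMP type 8 = echo request.
    netsh firewall add portopening protocol=TCP port=135 name=DCOM mode=ENABLE scope=SUBNET
    netsh firewall set icmpsetting type=8 mode=ENABLE
}

# ---- 2. DCOM Limits: decode the security descriptors the dialogs write ---------
# "Edit Limits..." is stored as a self-relative security descriptor under
# HKLM\SOFTWARE\Microsoft\Ole. COM access-mask bits (objbase.h): 0x1 EXECUTE,
# 0x2 local, 0x4 remote, 0x8 local activation, 0x10 remote activation.
# An ACE carrying only 0x1 is the pre-SP2 form and means local AND remote.
function ConvertFrom-ComMask {
    param([int]$Mask, [switch]$Launch)
    if ($Mask -eq 1) { return @('Local', 'Remote') }
    $rights = @()
    if ($Mask -band 0x2)  { $rights += 'Local' }
    if ($Mask -band 0x4)  { $rights += 'Remote' }
    if ($Launch -and ($Mask -band 0x8))  { $rights += 'LocalActivation' }
    if ($Launch -and ($Mask -band 0x10)) { $rights += 'RemoteActivation' }
    return $rights
}

function Get-DcomDacl {
    param([string]$KeyPath, [string]$ValueName)
    $bytes = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return @() }   # value absent: the built-in default applies
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    $isLaunch = ($ValueName -match 'Launch')
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            Value     = $ValueName
            Principal = $name
            Type      = $ace.AceType.ToString()      # AccessAllowed / AccessDenied
            Rights    = @(ConvertFrom-ComMask -Mask $ace.AccessMask -Launch:$isLaunch)
        }
    }
}

# Per-server "Customize" settings (DCOM Config -> server -> Security) override the
# machine defaults; they live under HKCR\AppID\{appid}\LaunchPermission / AccessPermission.
function Get-DcomServerDacl {
    param([string]$AppId)   # the server's AppID GUID in braces (placeholder argument)
    $key = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
    @(Get-DcomDacl $key 'LaunchPermission') + @(Get-DcomDacl $key 'AccessPermission')
}

# Check the two conditions the paper sets for OPC over the network.
function Test-OpcDcomLimits {
    $ole    = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $launch = @(Get-DcomDacl $ole 'MachineLaunchRestriction')
    $access = @(Get-DcomDacl $ole 'MachineAccessRestriction')
    ($launch + $access) |
        Select-Object Value, Principal, Type, @{n='Rights'; e={$_.Rights -join ','}} |
        Format-Table -AutoSize

    # Launch Limits: the OPC group (or Everyone) needs Remote Launch + Remote Activation.
    $grp = $launch | Where-Object { $_.Type -eq 'AccessAllowed' -and
        ($_.Principal -like "*\$OpcGroup" -or $_.Principal -eq 'Everyone') -and
        $_.Rights -contains 'Remote' -and $_.Rights -contains 'RemoteActivation' }
    # Access Limits: ANONYMOUS LOGON needs Remote Access for OPCEnum browsing.
    $anon = $access | Where-Object { $_.Type -eq 'AccessAllowed' -and
        $_.Principal -eq 'NT AUTHORITY\ANONYMOUS LOGON' -and $_.Rights -contains 'Remote' }
    if (-not $grp)  { Write-Warning "Launch Limits: neither '$OpcGroup' nor Everyone has Remote Launch + Remote Activation" }
    if (-not $anon) { Write-Warning 'Access Limits: ANONYMOUS LOGON lacks Remote Access, so OPCEnum browsing will fail' }
    return ([bool]$grp -and [bool]$anon)
}

# Usage (elevated): Add-OpcFirewallExceptions; Test-OpcDcomLimits
```

Two design points worth noting. The firewall exceptions use scope=SUBNET so the program and TCP 135 holes are not reachable from arbitrary addresses, which the GUI steps in the paper do not restrict. The audit accepts either Everyone or the OPC Users group in the Launch Limits, but, as the paper's own note says, granting Everyone remote launch is far broader than an OPC deployment needs; prefer the group. Per-server DACLs returned by Get-DcomServerDacl override the machine defaults, so a server that looks correct at the default level can still reject remote callers if its own AppID key carries a narrower descriptor.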