Table of Contents
1 INTRODUCTION
1.1 NETWORK CHANGES IN WINDOWS XP SERVICE PACK 2
1.1.1 DCOM Security
1.1.2 Windows Firewall
2 EFFECT OF WINDOWS SERVICE PACK 2 ON OMNICAST
3 REQUIRED MODIFICATION
3.1 FIREWALL
3.1.1 Client
3.1.2 Server
3.2 ACCESS CONTROL LIST
3.3 COM SECURITY
4 EFFECT OF WINDOWS SERVICE PACK 2 ON MSDE AND SQL SERVER 2000
List of Tables
Table 1 - Default Restrictions Settings
List of Figures
Figure 1 - Windows Firewall General Tab
Figure 2 - Firewall Security Alert
Figure 3 - Windows Security Center
Figure 4 - firewall.cpl
Figure 5 - DCOM function call failed
Figure 6 - Local Security Settings
Figure 7 - Two new DCOM policies
Figure 8 - DCOM: Machine Access Restrictions
Figure 9 - Access Permissions
Figure 10 - DCOM: Machine Launch Restrictions
Figure 11 - Launch Permissions
Figure 12 - Component Services
Figure 13 - COM Security
Figure 14 - COM Security Access Permission
1 Introduction
The purpose of this document is to describe the new network protection changes included in Windows XP Service Pack 2 and, as a result of these changes, the modifications made to the Omnicast software.
1.1 Network Changes in Windows XP Service Pack 2
The network changes will directly affect Omnicast’s functionality. The three main changes are the DCOM Security, RPC Interface Restriction and the Windows Firewall.
1.1.1 DCOM Security
COM (Component Object Model) will now provide computer wide access controls that will oversee access to all call, activation, or launch requests on the computer. There will be an Access Control List for launch permissions to cover activate and launch rights, and an Access Control List for access permissions to cover all call rights. The Access Control List can be configured through the Component Services Microsoft Management Console. The following table provides the default restriction settings for Windows XP SP2:
Permission | Administrator                                                   | Everyone (Users on the same Domain) | Anonymous (All users)
Launch     | Local (Launch), Local Activate, Remote (Launch), Remote Activate | Local (Launch), Local Activate      | -
Access     | -                                                               | Local (Call), Remote (Call)         | Local (Call)
Table 1 - Default Restrictions Settings
The default restriction settings for a COM server can be modified. However, the application-specific launch permission Access Control List must grant the appropriate users activation rights so that applications and Windows components that use DCOM do not fail.
1.1.2 Windows Firewall
Windows Firewall in Service Pack 2 is turned on by default.
Figure 1 - Windows Firewall General Tab
If you run a program such as Omnicast that needs to receive information from the Internet or a network, a window comes up asking whether you want to block or unblock the connection.
Figure 2 - Firewall Security Alert
If you choose to unblock the connection, Windows Firewall creates an exception and will no longer ask you about this program again.
Windows Firewall has three modes: On, On with no exceptions, and Off.
• On is the default mode. In this mode the firewall blocks all requests to connect to your computer, except for requests to programs selected in the Exceptions tab.
• On with no exceptions: the firewall blocks all requests to connect to your computer, including requests to programs selected in the Exceptions tab.
• Off turns off the firewall completely.
To change the Firewall settings:
1. Click Start and then Control Panel
2. Click Windows Security Center
3. Click Windows Firewall
Figure 3 - Windows Security Center
Or:
1. Click Start and then Run
2. Type Firewall.cpl and click OK
2 Effect of Windows Service Pack 2 on Omnicast
The new default DCOM Security implemented in Windows Service Pack 2 cannot be changed. Hence, Genetec had to modify its Omnicast software accordingly. Omnicast version 3.0 Service Release 2 will be compatible with Windows XP Service Pack 2. We decided to add an additional user account to the Windows operating system. The new user, OmnicastRPCUser, will be added automatically by our server InstallShield setup on the Directory server. This will enable Omnicast to connect remotely through DCOM.
Note: Do not modify the OmnicastRPCUser. If you do, you will not be able to log in to Omnicast through the Local Area Network, since the new DCOM security will prevent all DCOM function calls.
Figure 5 - DCOM function call failed
The new DCOM security only blocks the connection over the LAN. The connection through IVS (or the Internet) works fine as long as the Windows Firewall is disabled.
3 Required Modification
The following modifications are required in order to use Omnicast. The Firewall and Access Control List modifications should be performed on all Clients and Servers (including the Main Directory). The last modification, COM Security, should only be applied on the Directory.
3.1 Firewall
3.1.1 Client
It is necessary to disable the Windows Firewall for the Client PC. When trying to use any of the Omnicast applications for the first time, a pop-up window from the Windows Security Center (as explained in section 1.1.2, Figure 2) will come up asking whether to block or unblock the program’s connection to the Internet. Simply click Unblock, and the program should be able to establish a connection through the firewall.
3.1.2 Server
On the server, the Windows Firewall has to be disabled whether the connection is LAN or IVS:
1. Open the Windows Firewall as described in section 1.1.2
2. Select Off under the General tab
3.2 Access Control List
The Access Control List has to be modified so that all Servers and Clients can connect to the Main Directory (DCOM server). To modify the ACL do the following:
1. Click on Start and then on Control Panel
2. Open up the Administrative Tools
3. Open the Local Security Policy
4. Under the Security Settings, open the Local Policies and select Security Options (as shown below).
Figure 6 - Local Security Settings
5. Two new policies were added to the Security Options: DCOM: Machine Access Restrictions and DCOM: Machine Launch Restrictions. These are the two policies that need to be modified in order for DCOM to work. The default settings for these policies are shown in Table 1.
Figure 7 - Two new DCOM policies
6. Right click on DCOM: Machine Access Restrictions and select Properties. The following window will appear:
Figure 8 - DCOM: Machine Access Restrictions
7. Click on Edit Security.
Figure 9 - Access Permissions
9. Click OK (twice).
10. Right click on DCOM: Machine Launch Restrictions and select Properties.
Figure 10 - DCOM: Machine Launch Restrictions
11. Click on Edit Security.
12. Make sure the Administrator (on the Network Domain) and the Everyone group have Local Launch, Remote Launch, Local Activation and Remote Activation permissions checked.
Figure 11 - Launch Permissions
13. Click OK (twice).
3.3 COM Security
This last modification should be done only on the Main Directory Server, which is the DCOM server that the other Clients and Servers connect to.
1. Click on Start and then on Control Panel
2. Open up the Administrative Tools
3. Open the Component Services
4. Under the Component Services, open Computer. You should be able to see My Computer.
Figure 12 - Component Services
5. Right click on My Computer and select Properties.
6. Go to the COM Security tab.
Figure 13 - COM Security
7. Click on Edit Default under Access Permissions.
Figure 14 - COM Security Access Permission
8. Add the Administrators group from the local machine and give it Local and Remote access.
9. Click OK.
10. Click on Edit Default under the Launch and Activation Permissions.
11. Add the Administrators group from the local machine and give it Local Launch, Remote Launch, Local Activation and Remote Activation permissions.
12. Click OK.
13. Click Apply in the My Computer Properties window and then OK.
14. Reboot the PC.
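As an added audit script (not from the original document or from Genetec), the following PowerShell reads back the machine-wide DCOM restrictions set in section 3.2 and the COM Security defaults set in section 3.3 and reports any principal that is missing the rights the steps grant, so the change can be verified on each machine after the reboot. It assumes PowerShell 2.0 or later, an English account database (so the well-known SIDs resolve to "Everyone" and "BUILTIN\Administrators"), and the registry value names and COM access-mask bits that Microsoft documents for these settings.

```powershell
# Added example (not part of the original Genetec document). It audits the DCOM
# ACLs that sections 3.2 and 3.3 set through the GUI by reading the self-relative
# security descriptors Windows stores under HKLM\SOFTWARE\Microsoft\Ole.
# COM access-mask bits: 1 EXECUTE, 2 EXECUTE_LOCAL, 4 EXECUTE_REMOTE,
#                       8 ACTIVATE_LOCAL, 16 ACTIVATE_REMOTE
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# Masks a principal must hold. Launch/activation checks follow step 12 of 3.2 and
# step 11 of 3.3; step 8 of 3.3 gives Administrators Local+Remote access. The
# Everyone Local+Remote access mask is the Table 1 default (an assumption, since
# step 8 of section 3.2 is absent from the document).
$checks = @(
    @{ Value = 'MachineAccessRestriction'; Label = 'DCOM: Machine Access Restrictions'
       Required = @{ 'Everyone' = 6 } },
    @{ Value = 'MachineLaunchRestriction'; Label = 'DCOM: Machine Launch Restrictions'
       Required = @{ 'Everyone' = 30 } },
    @{ Value = 'DefaultAccessPermission'; Label = 'COM Security: Access Permissions (Edit Default)'
       Required = @{ 'BUILTIN\Administrators' = 6 } },
    @{ Value = 'DefaultLaunchPermission'; Label = 'COM Security: Launch and Activation (Edit Default)'
       Required = @{ 'BUILTIN\Administrators' = 30 } }
)

function Format-ComRights([int]$mask) {
    $names = @()
    if ($mask -band 2)  { $names += 'Local' }
    if ($mask -band 4)  { $names += 'Remote' }
    if ($mask -band 8)  { $names += 'Local Activation' }
    if ($mask -band 16) { $names += 'Remote Activation' }
    if ($names) { $names -join ', ' } else { '(none)' }
}

foreach ($c in $checks) {
    Write-Host "`n== $($c.Label) =="
    $bytes = (Get-ItemProperty -Path $oleKey -ErrorAction SilentlyContinue).($c.Value)
    if (-not $bytes) { Write-Host '  value absent: built-in defaults apply'; continue }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $granted = @{}
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }   # deny ACEs grant nothing
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }      # unresolvable SID: show it raw
        $granted[$who] = [int]$granted[$who] -bor $ace.AccessMask
        Write-Host ('  {0,-28} {1}' -f $who, (Format-ComRights $ace.AccessMask))
    }
    foreach ($p in $c.Required.Keys) {
        $missing = $c.Required[$p] -band (-bnot [int]$granted[$p])
        if ($missing) { Write-Host "  MISSING for ${p}: $(Format-ComRights $missing)" }
    }
}
```

Run it from an elevated PowerShell prompt on the Directory server after step 14; on Clients and other Servers only the first two settings from section 3.2 apply.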
4 Effect of Windows Service Pack 2 on MSDE and SQL Server 2000
After installing Windows XP Service Pack 2, the firewall may block communication between your computer and a database located on another computer on the network. If you are configured this way and are experiencing database connectivity issues, please visit the following site for more details.
Appendix A - Technical Support
In Canada or the U.S.A., customers can reach Genetec’s Technical Assistance Center (GTAC) using any one of the following methods:
1. Go to Genetec’s World Wide Web technical support site: http://www.genetec.com/support.asp
2. Send questions, via e-mail, to: [email protected]
3. Telephone questions to the GTAC at: 1.514.684.8000, option 2
4. FAX questions to the GTAC at: 1.514.684.8887
No matter which method is used to reach the GTAC, customers should be ready to provide all relevant information describing the problem or question.
Please always have your System ID handy.