
Latitude NVMS Windows XP SP2 Configuration


Latitude NVMS


Table of Contents

1 INTRODUCTION
1.1 NETWORK CHANGES IN WINDOWS XP SERVICE PACK 2
1.1.1 DCOM Security
1.1.2 Windows Firewall
2 EFFECT OF WINDOWS SERVICE PACK 2 ON LATITUDE NVMS
3 REQUIRED MODIFICATION
3.1 FIREWALL
3.2 ACCESS CONTROL LIST
3.3 COM SECURITY


List of Tables

Table 1 - Default Restrictions Settings

List of Figures

Figure 1 - Windows Firewall General Tab
Figure 2 - Firewall Security Alert
Figure 3 - Windows Security Center
Figure 4 - firewall.cpl
Figure 5 - DCOM function call failed
Figure 6 - Local Security Settings
Figure 7 - Two new DCOM policies
Figure 8 - DCOM: Machine Access Restrictions
Figure 9 - Access Permissions
Figure 10 - DCOM: Machine Launch Restrictions
Figure 11 - Launch Permissions
Figure 12 - Component Services
Figure 13 - COM Security
Figure 14 - COM Security Access Permission


1 Introduction

The purpose of this document is to describe the new network protection changes to be included in Windows XP Service Pack 2 and the modifications made to the Latitude NVMS software as a result of these changes.

1.1 Network Changes in Windows XP Service Pack 2

The network changes will directly affect Latitude NVMS’s functionality. The three main changes are DCOM Security, RPC Interface Restriction and the Windows Firewall.

1.1.1 DCOM Security

COM (Component Object Model) will now provide computer wide access controls that will oversee access to all call, activation, or launch requests on the computer. There will be an Access Control List for launch permissions to cover activate and launch rights, and an Access Control List for access permissions to cover all call rights. The Access Control List can be configured through the Component Services Microsoft Management Console. The following table provides the default restriction settings for Windows XP SP2:

| Permission | Administrator | Everyone (Users on the same Domain) | Anonymous (All users) |
|---|---|---|---|
| Launch | Local (Launch), Local Activate, Remote (Launch), Remote Activate | Local (Launch), Local Activate | |
| Access | | Local (Call), Remote (Call) | Local (Call) |

Table 1 - Default Restrictions Settings

The default restriction settings for the COM server can be modified. However, the application-specific launch permission Access Control List needs to give the appropriate users activation rights so that applications and Windows components that use DCOM do not fail.


1.1.2 Windows Firewall

Windows Firewall in Service Pack 2 is turned on by default.

Figure 1 - Windows Firewall General Tab

If you run a program such as Latitude NVMS that needs to receive information from the internet or a network, a window comes up asking if you want to block or unblock the connection.


If you choose to unblock the connection, Windows Firewall creates an exception and will not ask you about this program again.

Windows Firewall has three modes: On, On with no exceptions and Off.

• On is the default mode. In this mode the firewall blocks all requests to connect to your computer, except for requests to programs selected in the Exceptions tab.
• On with no exceptions: the firewall blocks all requests to connect to your computer, including requests to programs selected in the Exceptions tab.
• Off turns off the firewall completely.

To change the Firewall settings:

1. Click Start and then Control Panel
2. Click Windows Security Center
3. Click Windows Firewall

Figure 3 - Windows Security Center

Or:

1. Click on Start and then Run
2. Type in Firewall.cpl and click OK


2 Effect of Windows Service Pack 2 on Latitude NVMS

The new default DCOM Security implemented in Windows Service Pack 2 cannot be changed. Hence, DVTel had to modify its Latitude NVMS software accordingly. Latitude NVMS version 3.0 Service Release 2 will be compatible with Windows XP Service Release 2.

We decided to add an additional user account to the Windows operating system. The new user, OmnicastRPCUser, will be added automatically through our server install shield on the Directory server. This will enable Latitude NVMS to connect remotely through DCOM.

Note: Do not modify the OmnicastRPCUser. If you do, you will not be able to log in to Latitude NVMS through the Local Area Network, since the new DCOM security will prevent all DCOM function calls.

Figure 5 - DCOM function call failed


3 Required Modification

The following modifications are required in order to use Latitude NVMS. The Firewall and Access Control List modifications should be performed on all Clients and Servers (including the Main Directory). The last modification, COM Security, should only be applied on the Directory.

3.1 Firewall

3.1.1 Client

It is not necessary to disable the Windows Firewall on the Client PC. When you use any of the Latitude NVMS applications for the first time, a pop-up window from the Windows Security Center (as explained in section 1.1.2, Figure 2) will come up asking whether to block or unblock the program’s connection to the internet. Simply click on Unblock, and the program should be able to establish a connection through the firewall.

3.1.2 Server

On the server, the Windows firewall has to be disabled whether the connection is LAN or IVS:

1. To do this, open the Windows Firewall as described in section 1.1.2
2. Select Off under the General Tab

3.2 Access Control List

The Access Control List has to be modified so that all Servers and Clients can connect to the Main Directory (DCOM server). To modify the ACL do the following:

1. Click on Start and then on Control Panel
2. Open up the Administrative Tools
3. Open the Local Security Policy
4. Under the Security Settings, open the Local Policies and select Security Options (as shown below).

Figure 6 - Local Security Settings

Figure 7 - Two new DCOM policies

6. Right click on DCOM: Machine Access Restriction and select Properties. The following window will appear:

Figure 8 - DCOM: Machine Access Restrictions

7. Click on Edit Security

Figure 9 - Access Permissions

9. Click OK (twice).
10. Right click on DCOM: Machine Launch Restrictions and select Properties.

Figure 10 - DCOM: Machine Launch Restrictions

11. Click on Edit Security.

Figure 11 - Launch Permissions

13. Click OK (twice)

3.3 COM Security

This last modification should be done only on the Main Directory Server, which is the DCOM server that other Clients and Servers connect to.

1. Click on Start and then on Control Panel
2. Open up the Administrative Tools

3. Open the Component Services

4. Under the Component Services, open Computer. You should be able to see My Computer.

Figure 12 - Component Services

5. Right click on My Computer and select Properties.
6. Go to the COM Security tab.

7. Click on Edit Default under Access Permissions.

Figure 14 - COM Security Access Permission

8. Add the Administrators group from the local machine and give it Local and Remote access.

9. Click OK

10. Click on Edit Default under the Launch and Activation Permissions.


11. Add the Administrators group from the local machine and give it Local Launch, Remote Launch, Local Activation and Remote Activation permissions.

12. Click OK.
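
The rights named in Table 1 and granted in sections 3.2 and 3.3 are bits in the access mask of each entry in a COM security descriptor. The following Python is an added example, not part of the original document or of the Latitude NVMS software: it decodes the SDDL text form of such a descriptor back into Table 1's terms and lists trustees that hold remote rights, which is a quick way to review the ACLs after the changes above. The two SDDL strings are constructed to encode Table 1, and all function names are hypothetical.

```python
import re

# SDDL right codes -> COM_RIGHTS_* bits (values from the Windows SDK headers).
SDDL_BITS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10}
# Bit -> Table 1 label. 0x01 (COM_RIGHTS_EXECUTE) is the base right, not listed.
LAUNCH = {0x02: "Local (Launch)", 0x04: "Remote (Launch)",
          0x08: "Local Activate", 0x10: "Remote Activate"}
ACCESS = {0x02: "Local (Call)", 0x04: "Remote (Call)"}
TRUSTEES = {"BA": "Administrators", "WD": "Everyone", "AN": "Anonymous"}
REMOTE_BITS = 0x04 | 0x10

# Constructed sample input: SDDL strings written to encode Table 1.
TABLE1_LAUNCH = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"
TABLE1_ACCESS = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"

def parse_mask(rights):
    """Turn an SDDL rights field ('CCDCSW' or '0x1f') into an integer mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    codes = re.findall("..", rights)
    if len(rights) % 2 or any(c not in SDDL_BITS for c in codes):
        raise ValueError("unexpected rights field: " + rights)
    mask = 0
    for code in codes:
        mask |= SDDL_BITS[code]
    return mask

def decode(sddl):
    """Return {trustee: mask}, OR-ing together that trustee's allow ACEs."""
    masks = {}
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] != "A":
            continue  # deny ACEs are skipped, so grants may be overstated
        who = TRUSTEES.get(fields[5], fields[5])
        masks[who] = masks.get(who, 0) | parse_mask(fields[2])
    return masks

def describe(mask, labels):
    """Name the rights set in mask, using the LAUNCH or ACCESS labels."""
    return [name for bit, name in sorted(labels.items()) if mask & bit]

def remote_grants(masks, reviewed=("Administrators",)):
    """Trustees outside the reviewed list that hold any remote right."""
    return sorted(w for w, m in masks.items()
                  if m & REMOTE_BITS and w not in reviewed)
```

Run against Table 1's defaults, `remote_grants` reports nothing for launch and only Everyone for access; any additional trustee it reports after the edits in section 3.2 is one that was granted remote rights there.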


Appendix A - Technical Support
