Latitude NVMS
Table of Contents
1 INTRODUCTION
1.1 NETWORK CHANGES IN WINDOWS XP SERVICE PACK 2
1.1.1 DCOM Security
1.1.2 Windows Firewall
2 EFFECT OF WINDOWS SERVICE PACK 2 ON LATITUDE NVMS
3 REQUIRED MODIFICATION
3.1 FIREWALL
3.2 ACCESS CONTROL LIST
3.3 COM SECURITY
List of tables
Table 1 - Default Restrictions Settings
List of Figures
Figure 1 - Windows Firewall General Tab
Figure 2 - Firewall Security Alert
Figure 3 - Windows Security Center
Figure 4 - firewall.cpl
Figure 5 - DCOM function call failed
Figure 6 - Local Security Settings
Figure 7 - Two new DCOM policies
Figure 8 - DCOM: Machine Access Restrictions
Figure 9 - Access Permissions
Figure 10 - DCOM: Machine Launch Restrictions
Figure 11 - Launch Permissions
Figure 12 - Component Services
Figure 13 - COM Security
Figure 14 - COM Security Access Permission
1 Introduction
The purpose of this document is to describe the new network protection changes included in Windows XP Service Pack 2 and, as a result of these changes, the modifications made to the Latitude NVMS software.
1.1 Network Changes in Windows XP Service Pack 2
The network changes will directly affect Latitude NVMS’s functionality. The three main changes are the DCOM Security, RPC Interface Restriction and the Windows Firewall.
1.1.1 DCOM Security
COM (Component Object Model) will now provide computer-wide access controls that govern all call, activation and launch requests on the computer. There will be an Access Control List for launch permissions, covering activate and launch rights, and an Access Control List for access permissions, covering all call rights. These Access Control Lists can be configured through the Component Services Microsoft Management Console. The following table provides the default restriction settings for Windows XP SP2:
Permission | Administrator                    | Everyone (users on the same domain) | Anonymous (all users)
-----------+----------------------------------+-------------------------------------+----------------------
Launch     | Local (Launch), Local Activate,  | Local (Launch), Local Activate      |
           | Remote (Launch), Remote Activate |                                     |
Access     |                                  | Local (Call), Remote (Call)         | Local (Call)
Table 1 - Default Restrictions Settings
The default restriction settings for a COM server can be modified. However, the application-specific launch permission Access Control List needs to give the appropriate users activation rights, so that applications and Windows components that use DCOM do not fail.
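Added example, not part of the DVTel document: the two machine-wide DCOM policies described here, which section 3.2 has the administrator edit, are stored as security descriptors, and this Python decoder renders the allow entries of such a descriptor (in SDDL text form) into the rows of Table 1, then lists who holds a Remote right. The two sample descriptors are constructed to reproduce Table 1's defaults, and the SDDL rights and SID abbreviations are assumed from the standard notation rather than taken from this page.

```python
import re

# SDDL two-letter rights tokens and the COM access-mask bits they stand for
# (COM_RIGHTS_EXECUTE, _EXECUTE_LOCAL, _EXECUTE_REMOTE, _ACTIVATE_LOCAL,
# _ACTIVATE_REMOTE); assumed from the standard SDDL notation, not from this page.
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10}
# bit -> (name in a Launch policy, name in an Access policy), in Table 1's wording
COM_RIGHTS = {
    0x2: ("Local (Launch)", "Local (Call)"),
    0x4: ("Remote (Launch)", "Remote (Call)"),
    0x8: ("Local Activate", None),
    0x10: ("Remote Activate", None),
}
SID_NAMES = {"BA": "Administrators", "WD": "Everyone", "AN": "Anonymous"}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")  # the D: section and its ACEs
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")  # (type;flags;rights;;;sid)

# Constructed sample descriptors that reproduce the SP2 defaults listed in Table 1.
DEFAULT_LAUNCH = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"
DEFAULT_ACCESS = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"

def rights_mask(rights):
    """Turn an SDDL rights field ('CCDCLC' or a hex mask like '0x7') into an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(RIGHT_BITS[rights[i:i + 2]] for i in range(0, len(rights), 2))

def decode_dcom_policy(sddl, kind):
    """Map each principal granted by an allow ACE to its Table 1 permissions.
    kind is 'launch' (Machine Launch Restrictions) or 'access' (Machine Access
    Restrictions). Deny ACEs are skipped; unknown SIDs are kept verbatim."""
    col = 0 if kind == "launch" else 1
    policy = {}
    m = DACL_RE.search(sddl)
    if not m:
        return policy
    for ace_type, _flags, rights, sid in ACE_RE.findall(m.group(1)):
        if ace_type != "A":
            continue
        mask = rights_mask(rights)
        names = {n[col] for bit, n in COM_RIGHTS.items() if mask & bit and n[col]}
        policy.setdefault(SID_NAMES.get(sid, sid), set()).update(names)
    return policy

def remote_principals(policy):
    """Principals holding any Remote right, i.e. who can reach this machine's DCOM over the network."""
    return sorted(p for p, names in policy.items() if any(n.startswith("Remote") for n in names))
```

Running decode_dcom_policy on a descriptor exported after the section 3.2 edits shows exactly which principals gained remote access or launch rights compared with the defaults above.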
1.1.2 Windows Firewall
Windows Firewall in Service Pack 2 is turned on by default.
Figure 1 - Windows Firewall General Tab
If you run a program such as Latitude NVMS that needs to receive information from the internet or a network, a window comes up asking whether you want to block or unblock the connection.
If you choose to unblock the connection, Windows Firewall creates an exception and will no longer ask you about this program.
Windows Firewall has three modes: On, On with no exceptions and Off.
• On is the default mode; in this mode the firewall blocks all requests to connect to your computer, except for requests to programs selected in the Exceptions tab.
• On with no exceptions: the firewall blocks all requests to connect to your computer, including requests to programs selected in the Exceptions tab.
• The last mode, Off, turns off the firewall completely.
To change the Firewall settings:
1. Click Start and then Control Panel
2. Click Windows Security Center
3. Click Windows Firewall
Figure 3 - Windows Security Center
Or:
1. Click on Start and then Run
2. Type in Firewall.cpl and click OK
2 Effect of Windows Service Pack 2 on Latitude NVMS
The new default DCOM Security implemented in Windows XP Service Pack 2 cannot be changed. Hence, DVTel had to modify its Latitude NVMS software accordingly. Latitude NVMS version 3.0 Service Release 2 will be compatible with Windows XP Service Pack 2. We decided to add an additional user account to the Windows operating system. The new user, OmnicastRPCUser, will be added automatically by our server InstallShield setup on the Directory server. This will enable Latitude NVMS to connect remotely through DCOM.
Note: Do not modify the OmnicastRPCUser. If you do, you will not be able to log in to Latitude NVMS through the Local Area Network, since the new DCOM security will prevent all DCOM function calls.
Figure 5 - DCOM function call failed
3 Required Modification
The following modifications are required in order to use Latitude NVMS. The Firewall and Access Control List modifications should be performed on all Clients and Servers (including the Main Directory). The last modification, COM Security, should only be applied on the Directory.
3.1 Firewall
3.1.1 Client
It is not necessary to disable the Windows Firewall on the Client PC. When any of the Latitude NVMS applications is used for the first time, a pop-up window from the Windows Security Center (as explained in section 1.1.2, Figure 2) will come up asking whether to block or unblock the program’s connection to the internet. Simply click Unblock, and the program should be able to establish a connection through the firewall.
3.1.2 Server
On the server, the Windows Firewall has to be disabled whether the connection is LAN or IVS:
1. To do this, open the Windows Firewall as described in section 1.1.2
2. Select Off under the General tab
3.2 Access Control List
The Access Control List has to be modified so that all Servers and Clients can connect to the Main Directory (DCOM server). To modify the ACL, do the following:
1. Click on Start and then on Control Panel
2. Open up the Administrative Tools
3. Open the Local Security Policy
4. Under the Security Settings, open the Local Policies and select Security Options (as shown below).
Figure 6 - Local Security Settings
Figure 7 - Two new DCOM policies
6. Right click on DCOM: Machine Access Restriction and select Properties. The following window will appear:
Figure 8 - DCOM: Machine Access Restrictions
7. Click on Edit Security
Figure 9 - Access Permissions
9. Click OK (twice).
10. Right click on the DCOM: Machine Launch Restrictions and select Properties.
Figure 10 - DCOM: Machine Launch Restrictions
11. Click on Edit Security.
Figure 11 - Launch Permissions
13. Click OK (twice)
3.3 COM Security
This last modification should be done only on the Main Directory Server, which is the DCOM server that the other Clients and Servers connect to.
1. Click on Start and then on Control Panel
2. Open up the Administrative Tools
3. Open the Component Services
4. Under the Component Services, open Computer. You should be able to see My Computer.
Figure 12 - Component Services
5. Right click on My Computer and select Properties.
6. Go to the COM Security tab.
7. Click on Edit Default under Access Permissions.
Figure 14 - COM Security Access Permission
8. Add the Administrators group from the local machine and give it Local and Remote access.
9. Click OK
10. Click on Edit Default under the Launch and Activation Permissions.
11. Add the Administrators group from the local machine and give it Local Launch, Remote Launch, Local Activation and Remote Activation permissions.
12. Click OK.