Securing Your OPC Classic Control System
Once these accounts are in place, we can move to the DCOM Configuration Tool, which is found under Control Panel/Administrative Tools/Component Services as shown in Figure 3. Once the Component Services application is running, open the "Component Services" tab. Within it, click on "Computers" and then "My Computer".
At this point you have two options: you can either configure the default DCOM permissions for all DCOM applications or just the permissions for a specific OPC server application. Right-clicking on "My Computer" in the "Component Services" screen and choosing "Properties" from the menu will let you set the defaults.
On the other hand, if you want to set the permissions for a specific OPC application, click on "DCOM Config" to get the screen shown in Figure 3. This list will include all the applications on this server that can use DCOM. On the plant floor you are likely to find the OPC servers you are using, but you may have to dig around for them. For the rest of this section we will assume that you are setting the permissions for a specific OPC application.
Controlling the Authentication Level
The first change to make is to the Authentication Level of the OPC server, as shown in Figure 4. These authentication levels determine what authentication is needed for an OPC client to connect, and are defined as follows:
• Default - May vary depending upon operating system and obviously the default "My Computer" Property settings. Usually it is "None" or "Connect."
• None - No authentication.
• Connect - Authentication occurs when a connection is made to the server.
• Call - The authentication occurs when an RPC call is accepted by the server.
• Packet - Authenticates the data on a per-packet basis. All data is authenticated.
• Packet Integrity - This authenticates the data that has come from the client, and checks that the data has not been modified.
• Packet Privacy - In addition to the checks made by the other authentication methods, this authentication level causes the data to be encrypted.
Select the OPC server you are configuring and, in the General tab, change the authentication level to "Connect". The "Packet Privacy" option can be used if data confidentiality is required, since it encrypts all traffic and is the most secure option. However, it is important to test this offline first, as the encryption may impact performance. In most cases "Connect" is sufficient.
Controlling the Location
The "Location" tab lets you configure where the DCOM server can run. Here only the local computer is specified, as shown in Figure 5, which is the typical situation in most environments.
Managing DCOM Permissions
From here we move to the "Security" tab, which allows you to configure the permissions for the different accounts. COM server applications have three types of permissions, namely Launch permissions, Access permissions and Configuration permissions. Configuration permissions control configuration changes to a DCOM server, while Launch permissions control the authorization to start a DCOM server if the server is not already running. Finally, Access permissions control authorization to call a running COM server, and are the least dangerous. These permissions can be further divided into Local and Remote permissions.
These permissions control what user accounts can execute which action on an OPC server. For all three options choose Customize, then Edit and adjust the accounts as follows:
• Launch Permissions - Remove all existing entries and add the opcadmin account created earlier. (Some servers may also require launch permission for the opcuser account.) If a particular OPC server is meant only to be used locally, then remote access to that server can also be disabled.
• Access Permissions - Remove all existing entries and add the opcadmin and opcuser accounts. Again, if a particular OPC server is meant only to be used locally, then remote access to that server can also be disabled.
• Configuration Permissions - Remove all existing entries other than the Everyone account. Modify Everyone to be read-only, and add opcadmin with full control.
These settings are shown in Figure 7. As noted above, if the server is only to be used locally (i.e. the clients and servers are all on the same machine) then Remote should be turned off.
Limiting RPC Ports and Protocols
The "Endpoints" tab allows you to select what protocols and ports can be used by this server. Prior to the development of OPC-aware firewalls, this tab also could be used to limit dynamic port allocation. Unfortunately, not all vendors of OPC products respect the setting of port numbers in this tab, so it was rather problematic. Today this setting should remain at Default System Protocols.
Setting the OPC Application's Account
Finally, the "Identity" tab lets you configure what user account the DCOM application will run under. Unless specifically required by the vendor of the OPC server, the OPC software should be set to run as the "opcuser" account and not the "opcadmin" account.
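As an added example (not part of the original article), the PowerShell script below reads back, without changing anything, the settings made in the General, Security and Identity tabs for one DCOM application, so they can be checked against the values recommended above. It assumes you supply the OPC server's AppID GUID, that the settings are stored in the standard per-AppID registry values (AuthenticationLevel, LaunchPermission, AccessPermission, RunAs), and that the accounts are the article's opcadmin and opcuser.

```powershell
# Added example: read-only audit of one DCOM application's settings.
param(
    [Parameter(Mandatory)][string]$AppId,            # OPC server's AppID GUID, with braces
    [string[]]$Allowed = @('opcadmin', 'opcuser')    # accounts named in this article
)

$authLevels = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
                 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
# COM access-mask bits found in Launch/Access permission ACEs
$comRights = @{ 2 = 'Local'; 4 = 'Remote'; 8 = 'Local Activation'; 16 = 'Remote Activation' }

function Get-DcomAce([byte[]]$Bytes, [string]$Permission) {
    if (-not $Bytes) { return }   # value absent: the machine-wide default ACL applies
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }              # unresolvable SID: report it raw
        $granted = $comRights.Keys | Sort-Object | Where-Object { $ace.AccessMask -band $_ } |
                   ForEach-Object { $comRights[$_] }
        if (-not $granted) { $granted = 'Local + Remote (legacy mask)' }
        [pscustomobject]@{
            Permission = $Permission
            Type       = $ace.AceType                # AccessAllowed or AccessDenied
            Account    = $account
            Rights     = $granted -join ', '
            Expected   = ($account -split '\\')[-1] -in $Allowed
        }
    }
}

$key   = "Registry::HKEY_CLASSES_ROOT\AppID\$AppId"
$props = Get-ItemProperty -Path $key -ErrorAction Stop
$level = [int]$props.AuthenticationLevel             # absent value casts to 0 = Default

[pscustomobject]@{
    AuthenticationLevel     = $authLevels[$level]
    ExplicitConnectOrHigher = $level -ge 2           # False: Default or None, review it
    RunAs                   = if ($props.RunAs) { $props.RunAs } else { '(not set)' }
    CustomLaunchAcl         = [bool]$props.LaunchPermission
    CustomAccessAcl         = [bool]$props.AccessPermission
} | Format-List

# Launch and Access ACLs; Expected = False marks accounts outside the allow-list
@(Get-DcomAce $props.LaunchPermission 'Launch'; Get-DcomAce $props.AccessPermission 'Access') |
    Format-Table -AutoSize

# Configuration permissions are the ACL on the AppID registry key itself
(Get-Acl -Path $key).Access | Format-Table IdentityReference, RegistryRights, AccessControlType
```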