Service Pack 2 for Windows XP 和 Service Pack 1 for Windows 2003 Server 对 DCOM 进行了安全性增强,特别是针对 OPC 的网络使用场景。新增的权限限制功能允许用户设置应用权限上限,并明确指定用户或组的本地和远程访问权限。
Service Pack 2 for Windows XP/ Windows 2003 Server Service Pack 1 has also made some security enhancements to DCOM; two in particular need to be taken into consideration when using OPC on a network: First, the default Launch and Access permissions dialogs have
been modified to allow the user to configure “limits” on the permissions given to applications using DCOM. Secondly, for each user now defined in the Launch and Access permissions, both local and remote access can be explicitly defined.
A brief background on default Launch and Access permissions in DCOM: Launch permissions define who can launch a COM based application (such as an OPC server) both over the network or locally. Access permissions define who can access that application once it has been launched. Applications can get their Launch and Access permissions from one of three places: they can use explicitly defined setting for their application, they can use the default permissions or they can set their own permissions programmatically(such as thorough CoInitializeSecurity,marked by me). Because an application could set its own permissions programmatically, the explicitly defined or default settings, although set properly, may not be used and therefore the user is not able to explicitly have control over these settings. To overcome this security flaw, Microsoft has added “limits” to the DCOM security settings from Launch and Access to limit the permissions that an application can use. This limit prevents the application from using permissions beyond what is specified in the DCOM configuration settings. By default the limits set by Service Pack 2 / Service Pack 1 will not allow for OPC communications over the network.
A brief background on default Launch and Access permissions in DCOM: Launch permissions define who can launch a COM based application (such as an OPC server) both over the network or locally. Access permissions define who can access that application once it has been launched. Applications can get their Launch and Access permissions from one of three places: they can use explicitly defined setting for their application, they can use the default permissions or they can set their own permissions programmatically(such as thorough CoInitializeSecurity,marked by me). Because an application could set its own permissions programmatically, the explicitly defined or default settings, although set properly, may not be used and therefore the user is not able to explicitly have control over these settings. To overcome this security flaw, Microsoft has added “limits” to the DCOM security settings from Launch and Access to limit the permissions that an application can use. This limit prevents the application from using permissions beyond what is specified in the DCOM configuration settings. By default the limits set by Service Pack 2 / Service Pack 1 will not allow for OPC communications over the network.
In addition to the new permissions limits, one must now specify if the user or group specified has permissions locally or remotely (or both). In order for OPC applications to work over the network with DCOM, the permissions must be set such that remote users can launch and/or access the OPC servers and clients on the machine.
commented by me: limits's priority take precedence over any other dcom settings including server-wide default and applicaiton-wide settings.I have done experiments which confirm my understanding.
扫一扫
2023
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
