The OpcSecurityAnalyzer application is designed to help with security permission settings related to OPC DA server access in order to:
- Find why the access to an OPC DA server is denied
- Check if the the server access is denied for all but the valid users
Local and Remote OPC servers can be browsed and accessed. The User definitions and some other settings can quickly be changed to determine if the access is correctly allowed or denied.
Server access may be denied due to Firewall settings. The OpcSecurityAnalyzer shows the Firewall settings and helps quickly make the proper settings.
If access is unexpectically denied then a number of tests can be executed and the displayed findings should help to locate the cause for the denial.
The above screen shot shows the log of a remote server access. The first Connect failed because OpcEnum.exe was not enabled in the Firewall.
Another remote machine could be browsed but the selected server could not be connected. The diagnostics shows an inconsistency in the server registration and indicates that a server file may not be there or not be accessible to the launching user. Due to access restrictions the analyzer could not check the exe file directory.
A further connect to another server was successful.
The DCOM configuration settings are shown for the selected server and user.
The DCOM settings are also displayed for all groups the user is member of. This is because DCOM settings can be made for users or groups.
The machine default settings are also displayed to help the user determine the actual permissions in case there are no settings for the user.
Access could be denied because a denied setting in one group could override an allowed setting in another group.
The DCOM default settings are shown for all users and groups.
Some of the settings are not available in the DCOMCNFG utility and need to be modified in the HKLM\Software\Microsoft\Ole Registry key.
The Applications table lists all applications that have ab APPID definition.
Motivation to create the OpcSecurityAnalyzer Tool:
Advosol sells OPC server and client components for many years and observed that most support cases are related to security settings issues. This is increasingly so because:
- applications use access to OPC servers on networked computers
- Windows default settings increasingly restrict the access to reduce vulnerabilities
Windows security is of daunting complexity with settings on multiple levels, DCOM, Firewall, Windows and .NET. It is often hard to determine on what level an access is denied and even harder to find what unwanted access is allowed.
This tool hopefully helps in this process.
Please report any encountered difficulties and suggestions for improvements to firstname.lastname@example.org