Securing an OPC Classic Server

Security for OPC servers is provided by the Microsoft Windows™ DCOM security tools. For a comprehensive discussion of how to secure an OPC server, refer to the OPC Foundation's website: http://www.opcfoundation.org

Additionally, the Software Toolbox® (not affiliated with Trihedral Engineering Ltd.) provides very good reference information and tutorials for DCOM security configuration. These materials can be found at:

https://www.softwaretoolbox.com/dcom/html/dcom_for_windows_7-_8-_-_server_2008.html

In general terms, the following steps are required to secure the server: 

  1. Run the program DCOMCNFG.exe on the workstation to which users will be connecting.
  2. Find the entry "Trihedral VTScada OPC Server" as shown in the following image:

  3. Right-click on the Trihedral VTScada OPC Server entry and select Properties. The following dialog should open (shown with the Security tab selected):

Use this dialog to select the groups and users who will have permissions for each of the three categories.

It is very important to deny Launch and Activation privileges to all users. If a client application attempts to launch VTScada, it will do so from its own directory, not the application folder, and a VTScada instance started that way will not work.

Notes for Windows Workgroups

If your computers are networked in a workgroup, additional security settings may be required.

The default installation forces remote users to authenticate as Guest. This means that DCOM clients cannot connect to a server unless the Guest account is enabled and has enough rights to launch the server.

Adjust these settings from the Control Panel:

  1. Open the Control Panel.
  2. Click to open Administrative Tools.
  3. Open the Local Security Policy dialog.
  4. Click "Local Policies".
  5. Click "Security Options".
  6. Click "Network access: Sharing and security model for local accounts".
    Change this setting to the following:
    "Classic - local users authenticate as themselves".
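
The settings described on this page can also be checked from PowerShell. The following audit script is an added example, not part of the VTScada documentation. It assumes the AppID's default registry value matches the name shown in DCOMCNFG, and it relies on the workgroup policy above being stored as the `ForceGuest` value under the Lsa registry key.

```powershell
# Added audit example; run in an elevated PowerShell 5.1+ session on the OPC server.
# Assumption: the AppID's default registry value matches the name shown in DCOMCNFG.
$appName = 'Trihedral VTScada OPC Server'

# "Network access: Sharing and security model for local accounts" is stored
# as ForceGuest under the Lsa key: 0 = Classic, 1 = Guest only.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.ForceGuest -eq 1) {
    Write-Warning 'ForceGuest = 1: remote local-account logons authenticate as Guest.'
} else {
    Write-Output 'ForceGuest is 0 or not set: users authenticate as themselves.'
}

# The built-in Guest account always has RID 501, even if it was renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { Write-Warning "Guest account '$($guest.Name)' is enabled." }

# COM launch/activation bits in a LaunchPermission ACE access mask.
$rightNames = @{ 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }

$appId = Get-ChildItem -Path 'HKLM:\SOFTWARE\Classes\AppID' |
    Where-Object { $_.GetValue('') -eq $appName } | Select-Object -First 1
if (-not $appId) {
    Write-Warning "No AppID with default value '$appName' was found."
} elseif (-not $appId.GetValue('LaunchPermission')) {
    Write-Warning 'No per-application LaunchPermission: the machine-wide DCOM default applies.'
} else {
    $bytes = [byte[]]$appId.GetValue('LaunchPermission')
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $granted = $rightNames.Keys | Sort-Object |
            Where-Object { $ace.AccessMask -band $_ } | ForEach-Object { $rightNames[$_] }
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        $line = '{0,-14} {1,-30} {2}' -f $ace.AceType, $who, ($granted -join ', ')
        # The page's guidance is that no one should hold launch or activation rights.
        if ($ace.AceType -eq 'AccessAllowed' -and $granted) {
            Write-Warning $line
        } else {
            Write-Output $line
        }
    }
}
```

Any line emitted as a warning is a setting to review against the steps above; the script only reads the registry and local accounts and changes nothing.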