OPC and DCOM Security
Classic OPC DA is based on Microsoft Component Object Model (COM) technology while remote connectivity is achieved using Distributed COM (DCOM).
DCOM security defines which users have access and launch permissions for DCOM applications, either on the local computer or on computers belonging to the local network and domain.
- In a domain, any user account on any machine in the domain can be authorized.
- In workgroups, each user must be added on each computer. Both the OPC client and the OPC server computers must recognize every user account that will require OPC access.
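The access and launch permissions described above can be read back from a machine for review. The following PowerShell is an added example, not part of the original documentation: it decodes the machine-wide DCOM limits and defaults stored under HKLM\SOFTWARE\Microsoft\Ole and lists which account each entry applies to. It assumes Windows PowerShell 5 or later; the function name Get-DcomAcl is hypothetical, and per-application permissions are not covered.

```powershell
# Added example: list the accounts named in the machine-wide DCOM
# launch/access security descriptors. Read-only; changes nothing.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

# COM access-mask bits (COM_RIGHTS_* constants from the Windows SDK).
# Launch descriptors use all five; access descriptors use the first three.
$comRights = @(
    @{ Bit = 0x01; Name = 'Execute' },
    @{ Bit = 0x02; Name = 'ExecuteLocal' },
    @{ Bit = 0x04; Name = 'ExecuteRemote' },
    @{ Bit = 0x08; Name = 'ActivateLocal' },
    @{ Bit = 0x10; Name = 'ActivateRemote' }
)

function Get-DcomAcl {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ValueName)

    $bytes = (Get-ItemProperty -Path $oleKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return }   # value is not set on this machine

    # The registry value is a binary, self-relative security descriptor.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }   # SID this computer cannot resolve

        $names = $comRights |
            Where-Object { $ace.AccessMask -band $_.Bit } |
            ForEach-Object { $_.Name }

        [pscustomobject]@{
            Setting = $ValueName
            Account = $account
            Type    = $ace.AceQualifier   # AccessAllowed or AccessDenied
            Rights  = $names -join ', '
        }
    }
}

'MachineLaunchRestriction', 'MachineAccessRestriction',
'DefaultLaunchPermission',  'DefaultAccessPermission' |
    ForEach-Object { Get-DcomAcl -ValueName $_ } |
    Format-Table -AutoSize
```

An entry that prints as a raw SID instead of an account name is one this computer cannot resolve, which is the mismatch the workgroup and multi-domain cases on this page are meant to prevent.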
A user account is a collection of information that tells Windows what files and folders can be accessed, what changes can be made to the computer and also the user's personal preferences. Each person accesses their user account with a user name and password.
There are three types of accounts. Each type gives users a different level of control over the computer:
- Standard accounts are for everyday computing.
- Administrator accounts provide the most control over a computer and should only be used when necessary.
- Guest accounts are intended primarily for people who need temporary use of a computer.
The standard account helps to protect the computer by preventing users from making changes that affect everyone who uses the computer. It is recommended to create a standard account for each user.
It is necessary to ensure that both computers have access to the same user name and password combinations. User names and passwords must match on all the computers that require OPC access.
- When using Windows workgroups, each computer must have a complete list of all user accounts and passwords (in Set up Mutual User Account Recognition, see Add a Local User).
- When using a single Windows domain, user accounts are properly synchronized by the domain controller (in Set up Mutual User Account Recognition, see Add a Domain User).
- When using multiple Windows domains, you must either establish a trust between domains, or create a local user account for each affected computer.
- For instructions on getting DCOM to work properly and securely, see Establishing Reliable and Secure DCOM Communication.
- For instructions on the hardening changes in the DCOM server, see OPC Classic - Microsoft DCOM Hardening Changes.
- To resolve common DCOM errors and problems, see DCOM Errors and Troubleshooting.