Friday, December 3, 2010

Minimum Required Services of OPC

In order to make Windows hosts more secure, it is critical that all unnecessary services be disabled. The following is the minimum set of Windows 2000, Windows Server 2003 and Windows XP services that are typically required by stand-alone OPC (OLE for Process Control) servers and clients, based on lab testing. The start-up type in parentheses after each service name is the recommended setting:
• COM+ System Application (Automatic, required by XP).
• COM+ Event System (Automatic).
• Event Log (Automatic).
• DNS Client (Automatic).
• NTLM Security Support Provider (Automatic).
• Plug and Play (Automatic).
• IPSec Services (Automatic).
• Net Logon (Manual).
• Remote Procedure Call (RPC) (Automatic).
• Protected Storage (Automatic).
• Security Center (Automatic, required by XP).
• Security Accounts Manager (Automatic).
• Server (Automatic).

Some OPC applications require additional services to be enabled to remain functional. For instance, if the OPC application does not use the OPCEnum component, the following services are also required:
• Remote Registry (Automatic).
• Computer Browser (Automatic).
File and Printer Sharing, while not strictly a service, should also be disabled. This is done in the Network Connections panel, under the properties of each network adapter.

Since deployments of OPC can vary widely, it is essential that the effects of disabling any service be tested on a non-critical offline system before being deployed in a live control system.
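The following script is an added example, not part of the original post, that audits a host against the minimum service list above and reports anything outside it, so that the testing step just described has a concrete list to work from. The service short names are the standard Windows names for the display names listed; the -NoOpcEnum switch adds the two services the post says are needed when OPCEnum is not used; the script file name and the requirement for PowerShell 2.0 or later are assumptions. By default it only reports; -Apply changes the start-up type of the required services and still leaves everything else for you to disable after testing.

```powershell
# Added example, not from the original post: audit (and optionally apply) the
# minimum OPC service set. Run in an elevated PowerShell session on the OPC host.
param(
    [switch]$NoOpcEnum,   # client browses for servers without OPCEnum
    [switch]$Apply        # change start-up types; default is report only
)

# Service short name -> recommended start-up type from the list above.
$Required = @{
    'COMSysApp'        = 'Automatic'   # COM+ System Application
    'EventSystem'      = 'Automatic'   # COM+ Event System
    'Eventlog'         = 'Automatic'   # Event Log
    'Dnscache'         = 'Automatic'   # DNS Client
    'NtLmSsp'          = 'Automatic'   # NTLM Security Support Provider
    'PlugPlay'         = 'Automatic'   # Plug and Play
    'PolicyAgent'      = 'Automatic'   # IPSec Services
    'Netlogon'         = 'Manual'      # Net Logon
    'RpcSs'            = 'Automatic'   # Remote Procedure Call (RPC)
    'ProtectedStorage' = 'Automatic'   # Protected Storage
    'wscsvc'           = 'Automatic'   # Security Center (XP only)
    'SamSs'            = 'Automatic'   # Security Accounts Manager
    'lanmanserver'     = 'Automatic'   # Server
}
if ($NoOpcEnum) {
    $Required['RemoteRegistry'] = 'Automatic'   # Remote Registry
    $Required['Browser']        = 'Automatic'   # Computer Browser
}

# Win32_Service reports 'Auto' where the Services console says 'Automatic'.
$WmiMode = @{ 'Automatic' = 'Auto'; 'Manual' = 'Manual' }

$findings = @()
$present  = @{}
foreach ($svc in Get-WmiObject Win32_Service) {
    $present[$svc.Name] = $true
    if ($Required.ContainsKey($svc.Name)) {
        $want = $Required[$svc.Name]
        if ($svc.StartMode -ne $WmiMode[$want]) {
            $findings += New-Object PSObject -Property @{
                Service = $svc.Name; StartMode = $svc.StartMode; State = $svc.State
                Finding = "required service should be $want"
            }
            if ($Apply) { Set-Service -Name $svc.Name -StartupType $want }
        }
    } elseif ($svc.StartMode -eq 'Auto' -or $svc.State -eq 'Running') {
        # Anything else that starts or is running is a candidate for disabling,
        # but only after testing on an offline system, so it is reported, not changed.
        $findings += New-Object PSObject -Property @{
            Service = $svc.Name; StartMode = $svc.StartMode; State = $svc.State
            Finding = 'not in minimum set; test, then disable'
        }
    }
}

# Required services that do not exist on this host (e.g. wscsvc on Server 2003).
foreach ($name in $Required.Keys) {
    if (-not $present.ContainsKey($name)) {
        $findings += New-Object PSObject -Property @{
            Service = $name; StartMode = '-'; State = 'absent'
            Finding = 'required service not installed'
        }
    }
}

$findings | Sort-Object Finding, Service |
    Format-Table Service, StartMode, State, Finding -AutoSize
```

Run it first without switches on the offline test system (for example `.\Audit-OpcServices.ps1 -NoOpcEnum` when the client does not use OPCEnum), confirm the OPC client and server still work after each service you disable from the "not in minimum set" rows, and only then repeat the same steps on the live host. Set-Service may refuse to change a few protected services such as RpcSs; that is expected, since those are already in the required set.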

In most control environments the day-to-day operation of an OPC-based application does not require a highly privileged account, but configuring the OPC application often does. In many systems, however, running everything under the highly privileged account is the norm, exposing the system to numerous security issues.

To address this, configure the accounts as follows:
• Create a low-privilege account (opcuser) for day-to-day operation.
• Create a high-privilege account (opcadmin) for configuration only.
• Finally, disable the Guest account and give each account a robust password (a mix of letters, numbers and special characters that is not found in a dictionary).
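As an added example, not part of the original post, the script below carries out the three account steps above on a local Windows host using the ADSI WinNT provider (available on Windows 2000, XP and Server 2003), and then verifies the result. The account names opcuser and opcadmin are the post's; the 12-character minimum and the small word list inside Test-OpcPassword are assumptions standing in for a real password policy and dictionary, since the post only asks for letters, numbers and special characters and no dictionary word.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.

function Test-OpcPassword {
    param([string]$Password)
    # Constructed sample dictionary; use a real word list in practice.
    $dictionary = @('password', 'welcome', 'opcserver', 'control', 'letmein')
    # Strip digits and symbols so 'Password1!' is still caught as 'password'.
    $stem = ($Password -replace '[^A-Za-z]', '').ToLower()
    return ($Password.Length -ge 12) -and            # assumed minimum length
           ($Password -match '[A-Za-z]') -and        # letters
           ($Password -match '\d') -and              # numbers
           ($Password -match '[^A-Za-z0-9]') -and    # special characters
           -not ($dictionary -contains $stem)        # not a dictionary word
}

function Read-CheckedPassword([string]$Account) {
    do {
        $secure = Read-Host "Password for $Account" -AsSecureString
        $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
        $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        if (-not (Test-OpcPassword $plain)) {
            Write-Warning 'Password rejected: missing a character class or dictionary word'
        }
    } until (Test-OpcPassword $plain)
    return $plain
}

function New-OpcAccount([string]$Name, [string]$Group, [string]$Description) {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create('user', $Name)
    $user.SetPassword((Read-CheckedPassword $Name))
    $user.Put('Description', $Description)
    $user.SetInfo()
    # A new local user is already a member of Users; only opcadmin is elevated.
    if ($Group -ne 'Users') {
        $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
        $grp.Add($user.Path)
    }
}

New-OpcAccount 'opcuser'  'Users'          'OPC day-to-day operation (low privilege)'
New-OpcAccount 'opcadmin' 'Administrators' 'OPC configuration only (high privilege)'

# Disable Guest: ADS_UF_ACCOUNTDISABLE is bit 0x2 of UserFlags.
$guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
$guest.Put('UserFlags', ($guest.UserFlags.Value -bor 0x2))
$guest.SetInfo()

# Verify the result rather than trusting the calls succeeded.
function Get-LocalGroupMember([string]$Group) {
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
$guest  = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"   # re-read after SetInfo
$admins = Get-LocalGroupMember 'Administrators'
"Guest disabled:             " + (($guest.UserFlags.Value -band 0x2) -ne 0)
"opcadmin in Administrators: " + ($admins -contains 'opcadmin')
"opcuser in Administrators:  " + ($admins -contains 'opcuser')
```

ADSI is used instead of `net user <name> <password> /add` so the password never appears on a command line where other processes could read it. The last three lines should print True, True, False; if opcuser shows up in Administrators, the low-privilege account has inherited rights it should not have.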


