If you are installing the ArchiveOne Service on Windows 2003 with Service Pack 1 or later, and you plan to let ArchiveOne Admin be run by users who are not administrators, that is, users who are not members of the local Administrators group on the server running the ArchiveOne Service, the Windows configuration needs adjusting so that these applications can connect to the ArchiveOne Service. Windows 2003 SP1 introduced security enhancements that restrict inbound COM connections to administrators; this restriction must be relaxed. You can either remove the limitation on inbound COM connections entirely, or, preferably, limit it to a known group of users: those who are going to use the ArchiveOne Admin console.
Note that COM security operates at two levels: the machine configuration and the service configuration. For a user to successfully use an application that connects to a service on another machine, they need rights both to connect to the machine and to connect to the service; for non-administrative users, both rights are denied by default.
The following process removes the restriction on who can connect to the machine, but those users are still prevented from using most services, because most services are configured to deny connections by default. This is desirable: it stops rogue users from connecting to services they should not be reaching and then attempting buffer overrun or denial-of-service attacks against them.
Additionally, if the Distributed COM (DCOM) service is turned off, there is no fallback access to the Archive server through the Quick Link component should the primary HTTP/HTTPS mechanism fail.
There are two groups of changes that may be required to the security configuration:
- DCOM security, which can be changed either by choosing the option in the ArchiveOne installer during setup, or by editing the configuration manually.
- During installation you are prompted to choose whether to allow the ArchiveOneUsers group, Everyone, or no one access to the Archive server through DCOM. All members of the Domain Admins group already have access to the server through DCOM, so use the ArchiveOneUsers group option if you intend to authorize users who are not members of Domain Admins to use ArchiveOne Admin. Allowing Everyone DCOM permissions additionally lets the Quick Link Client component use DCOM as a fallback should connection via HTTPS/HTTP fail during a retrieval; it is the broadest of the three options, so choose it only if you need that fallback.
- If Windows Firewall is enabled, you must ensure DCOM traffic is allowed.
Change the Configuration
You can change this configuration at any time using the following Windows process:
- On the Archive server, open Control Panel.
- Select Administrative Tools > Component Services.
- Expand Component Services, expand Computers, right-click My Computer, and click Properties.
- Select the COM Security tab, and click Edit Limits in the Launch and Activation Permissions box.
- To allow a selected list of users to connect to the machine and use any COM service that itself permits the connection, including the ArchiveOne Service, click Add, choose the users or group, and click OK.
- Select each added user or group in the list, tick both Remote Launch and Remote Activation in the Allow column, and click OK.
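The same machine-wide limit can be audited and changed from a script, which is useful for checking what a server actually allows before and after the Component Services steps above. The following PowerShell is an added example, not part of the ArchiveOne documentation or product; it assumes an elevated session on the Archive server, that PowerShell is installed there, and that the group you pass (for example DOMAIN\ArchiveOneUsers) is the one you intend to grant. It edits the same registry value Component Services writes, MachineLaunchRestriction under HKLM\SOFTWARE\Microsoft\Ole, and grants only Remote Launch and Remote Activation, exactly what the GUI steps grant.

```powershell
# Added example (not ArchiveOne code): audit and optionally change the machine-wide
# DCOM "Launch and Activation Permissions" limits edited by Component Services.
# Assumptions: elevated PowerShell on the Archive server (Windows 2003 SP1 or later);
# $Group is the account to grant, e.g. DOMAIN\ArchiveOneUsers. Without -Apply the
# script only reports the current limits.
param(
    [string]$Group = 'BUILTIN\Administrators',
    [switch]$Apply
)

# The machine-wide limits are stored as self-relative binary security descriptors.
$OleKey      = 'HKLM:\SOFTWARE\Microsoft\Ole'
$LaunchValue = 'MachineLaunchRestriction'

# DCOM access-mask bits (COM_RIGHTS_* in the Windows SDK headers).
$COM_RIGHTS_EXECUTE         = 0x01
$COM_RIGHTS_EXECUTE_LOCAL   = 0x02
$COM_RIGHTS_EXECUTE_REMOTE  = 0x04
$COM_RIGHTS_ACTIVATE_LOCAL  = 0x08
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

# What the GUI steps grant: Remote Launch and Remote Activation, nothing local.
$RemoteLaunchAndActivate = $COM_RIGHTS_EXECUTE -bor $COM_RIGHTS_EXECUTE_REMOTE -bor $COM_RIGHTS_ACTIVATE_REMOTE

function Get-MachineLaunchDescriptor {
    $bytes = (Get-ItemProperty -Path $OleKey -Name $LaunchValue -ErrorAction Stop).$LaunchValue
    New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @($bytes, 0)
}

function Show-LaunchLimits([System.Security.AccessControl.RawSecurityDescriptor]$sd) {
    foreach ($ace in $sd.DiscretionaryAcl) {
        $name = $ace.SecurityIdentifier.Value
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $rights = @()
        if ($ace.AccessMask -band $COM_RIGHTS_EXECUTE_LOCAL)   { $rights += 'LocalLaunch' }
        if ($ace.AccessMask -band $COM_RIGHTS_EXECUTE_REMOTE)  { $rights += 'RemoteLaunch' }
        if ($ace.AccessMask -band $COM_RIGHTS_ACTIVATE_LOCAL)  { $rights += 'LocalActivation' }
        if ($ace.AccessMask -band $COM_RIGHTS_ACTIVATE_REMOTE) { $rights += 'RemoteActivation' }
        # A mask of only COM_RIGHTS_EXECUTE (pre-SP1 style) grants every launch/activation right.
        if ($ace.AccessMask -eq $COM_RIGHTS_EXECUTE) { $rights = @('AllLaunchAndActivation(legacy)') }
        '{0,-14} {1,-40} {2}' -f $ace.AceType, $name, ($rights -join ', ')
    }
}

function Grant-RemoteLaunch {
    param([System.Security.AccessControl.RawSecurityDescriptor]$sd, [string]$Account, [int]$Mask)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl = $sd.DiscretionaryAcl
    for ($i = 0; $i -lt $acl.Count; $i++) {
        $ace = $acl[$i]
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $sid) {
            # Already covered: legacy "execute only" mask, or every requested bit present.
            if ($ace.AccessMask -eq $COM_RIGHTS_EXECUTE) { return $false }
            if (($ace.AccessMask -band $Mask) -eq $Mask) { return $false }
            # Extend the existing allow ACE instead of adding a duplicate entry.
            $acl[$i] = New-Object System.Security.AccessControl.CommonAce(
                $ace.AceFlags, [System.Security.AccessControl.AceQualifier]::AccessAllowed,
                ($ace.AccessMask -bor $Mask), $sid, $false, $null)
            return $true
        }
    }
    $acl.InsertAce($acl.Count, (New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Mask, $sid, $false, $null)))
    return $true
}

function Set-MachineLaunchDescriptor([System.Security.AccessControl.RawSecurityDescriptor]$sd) {
    $bytes = New-Object byte[] ($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)
    Set-ItemProperty -Path $OleKey -Name $LaunchValue -Value $bytes -Type Binary
}

$sd = Get-MachineLaunchDescriptor
Write-Output 'Machine-wide Launch and Activation limits (before):'
Show-LaunchLimits $sd

if ($Apply) {
    if (Grant-RemoteLaunch -sd $sd -Account $Group -Mask $RemoteLaunchAndActivate) {
        Set-MachineLaunchDescriptor $sd
        Write-Output "Granted Remote Launch and Remote Activation to $Group (after):"
        Show-LaunchLimits (Get-MachineLaunchDescriptor)
    } else {
        Write-Output "$Group already has Remote Launch and Remote Activation; nothing changed."
    }
}
```

Run it without -Apply first: on an untouched Windows 2003 SP1 server you should see the Administrators entry with all rights and the Everyone entry with local-only rights, which is why non-administrators cannot connect. Run it again after applying to confirm the new entry, and then test from a workstation with a non-administrative member of the group; if the connection still fails, the remaining barrier is the service-level permission or the firewall, not this limit.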
If you have Windows Firewall enabled on the Archive server, you should also ensure that DCOM connections are permitted; see How to Configure Windows Firewall to Allow DCOM Connections. If you are using a third-party firewall product to secure the Archive server, ensure it permits inbound connections on TCP port 135 (the RPC endpoint mapper, which every DCOM client contacts first) and on TCP ports 1024-65535 (the dynamic range used for DCOM connections). The dynamic range can be narrowed on the server if your firewall policy cannot accept a rule that wide.
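Opening TCP 1024-65535 is a very wide rule. The following PowerShell is an added example, not part of the ArchiveOne documentation or product; it shows the tighter configuration a practitioner would normally prefer on a Windows 2003 SP1 Archive server: pin the RPC dynamic port range that DCOM servers listen on, and in Windows Firewall open only TCP 135 plus a program exception for the service binary. It assumes an elevated session with PowerShell installed, the legacy "netsh firewall" context that Windows 2003 SP1 provides, a subnet-only scope and the range 5000-5100 as illustrative choices, and a $ServicePath parameter you must set to the installed ArchiveOne Service executable, whose location this page does not give.

```powershell
# Added example (not ArchiveOne code): narrow what a firewall must admit for DCOM on a
# Windows Server 2003 SP1 Archive server. Assumptions: elevated PowerShell; the range and
# SUBNET scope are illustrative; $ServicePath is the ArchiveOne Service executable (path
# not given on the page, so it is a required parameter here); legacy "netsh firewall".
param(
    [Parameter(Mandatory=$true)][string]$ServicePath,
    [string]$PortRange = '5000-5100'
)

# 1. Pin the RPC dynamic range (HKLM\SOFTWARE\Microsoft\Rpc\Internet). This range is
#    shared by every RPC server on the host, so size it generously. A reboot is needed
#    before DCOM servers start listening inside the new range.
$RpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $RpcInternet)) { New-Item -Path $RpcInternet | Out-Null }
Set-ItemProperty -Path $RpcInternet -Name Ports                  -Value @($PortRange) -Type MultiString
Set-ItemProperty -Path $RpcInternet -Name PortsInternetAvailable -Value 'Y' -Type String
Set-ItemProperty -Path $RpcInternet -Name UseInternetPorts       -Value 'Y' -Type String

# 2. Windows Firewall: a DCOM client first talks to the endpoint mapper on TCP 135, then
#    to the dynamic port the service process is listening on. A program exception for the
#    service binary covers the dynamic port without opening the whole range to everything.
netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper (DCOM)" mode=ENABLE scope=SUBNET
netsh firewall add allowedprogram program="$ServicePath" name="ArchiveOne Service (DCOM)" mode=ENABLE scope=SUBNET

# 3. Show what is now open, and the pinned range to use in a third-party firewall rule
#    (TCP 135 plus this range, instead of TCP 1024-65535).
netsh firewall show portopening
netsh firewall show allowedprogram
Get-ItemProperty -Path $RpcInternet | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```

After the reboot, confirm from a client that ArchiveOne Admin still connects; if it does not, check that the pinned range is large enough for the other RPC services on the server and that the third-party firewall, where present, allows TCP 135 and the pinned range from the administrators' workstations.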