
Network Service (if running the IIS Default App Pool under this identity above, I recommend changing it to Local System)

The reason for setting all of these file permissions is that these accounts read, write, and delete files from the FileTransfer folder as part of how the HFM Web application works.

Under Local Users and Groups (execute lusrmgr.msc from the run prompt)

Assign the user GOLDBAR\hypadmin to the Distributed COM Users group. This needs to be set explicitly even though GOLDBAR\hypadmin is in the Local Administrators group, and I noticed that this was not set up on the servers. Verify that the GOLDBAR\hypadmin account is in the Local Administrators group on each server.

Under Local Policy (execute secpol.msc from the run prompt)

Assign the user GOLDBAR\hypadmin the following rights:
1. Act as Part of Operating System
2. Bypass Traverse Checking
3. Log on as Batch Job
4. Allow Logon Locally

Only a subset of these rights is currently assigned on the servers; all four should be set on each of the servers listed above.

1. DCOM Security Considerations: verify the following


Under DCOM Configuration (execute dcomcnfg from the run prompt)

Under Component Services > My Computer, right-click and select Properties.

On the tab Default Properties:
1. Verify Enable Distributed COM on this computer is checked
2. Default Authentication level should be None
3. Default Impersonation Level should be Identify

On the tab COM Security


Under Access Permissions

1. Click on Edit Limits

Verify that the users Everyone, Anonymous Logon, Interactive, and System have been added and given Allow for Local and Remote Access. There may be a lot of other users/groups already listed here as well.

2. Repeat the process for Edit Default

Verify that the users Everyone, Anonymous Logon, Interactive, and System have been added and given Allow for Local and Remote Access. There may be a lot of other users/groups already listed here as well.


Under Launch and Activation Permissions

1. Click on Edit Limits

Verify that the users Everyone, Anonymous Logon, Interactive, and System have been added and given Allow for Local and Remote Access. There may be a lot of other users/groups already listed here as well.

2. Repeat the process for Edit Default

Verify that the users Everyone, Anonymous Logon, Interactive, and System have been added and given Allow for Local and Remote Access. There may be a lot of other users/groups already listed here as well.

2. DCOM Application Considerations: verify the following

Under DCOM Configuration (execute dcomcnfg from the run prompt)

Under Component Services > My Computer > DCOM Config

For each of the following DCOM applications (note: not all of these applications are on each server):

HsvDataSource
HsxServer
HfmServer
HfmService

Right-click on the DCOM application and select Properties.


1. Select the Identity tab
2. Select This User
3. Input the DCOM user GOLDBAR\hypadmin
4. Click on Apply

Next, select Security


Add the users Everyone, Anonymous Logon, Interactive, and System to Launch and Activation Permissions and give them the following rights:

Add the users Everyone, Anonymous Logon, Interactive, and System to Access Permissions and give them the following rights:

Add the users Everyone, Anonymous Logon, Interactive, and System to Configuration Permissions and give them the following rights (except for Special; they don't need it and probably cannot select it anyway):
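
A read-only PowerShell check of the group, user-right, DCOM default and DCOM identity settings described on this page, to be run from an elevated prompt on each server. This is an added example, not part of the original document or of the HFM product; it assumes the names shown in DCOM Config match the default value of each AppID registry key, and the temp file name is hypothetical.

```powershell
# Added audit example (not from the original document). Run elevated; read-only
# apart from one temp file. Reports direct assignments only, not nested groups.
$Account = 'GOLDBAR\hypadmin'   # DCOM user named on this page
$Sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Local group membership (lusrmgr.msc)
foreach ($group in 'Distributed COM Users', 'Administrators') {
    $isMember = [bool](Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $Sid })
    '{0,-40} member:  {1}' -f $group, $isMember
}

# User rights (secpol.msc), read from an exported copy of the local policy
$rights = [ordered]@{
    SeTcbPrivilege          = 'Act as part of the operating system'
    SeChangeNotifyPrivilege = 'Bypass traverse checking'
    SeBatchLogonRight       = 'Log on as a batch job'
    SeInteractiveLogonRight = 'Allow log on locally'
}
$cfg = Join-Path $env:TEMP 'hfm-user-rights.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg
foreach ($name in $rights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$name\s*=" }
    $holders = @(("$line" -replace '^[^=]*=', '').Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') })
    $granted = ($holders -contains $Sid) -or ($holders -contains $Account)
    '{0,-40} granted: {1}' -f $rights[$name], $granted
}

# Machine-wide DCOM defaults (dcomcnfg > My Computer > Default Properties).
# A blank value means the registry value is not set and the system default applies.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
'EnableDCOM                = {0}  (Y = enabled)' -f $ole.EnableDCOM
'LegacyAuthenticationLevel = {0}  (1 = None)' -f $ole.LegacyAuthenticationLevel
'LegacyImpersonationLevel  = {0}  (2 = Identify)' -f $ole.LegacyImpersonationLevel

# Identity of each HFM DCOM application (DCOM Config > Identity tab)
$apps = 'HsvDataSource', 'HsxServer', 'HfmServer', 'HfmService'
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' |
    Where-Object { $_.PSChildName -like '{*}' } |
    ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($apps -contains $p.'(default)') {
            '{0,-14} RunAs = {1}' -f $p.'(default)', $p.RunAs
        }
    }
```

The script does not read the Access, Launch and Activation, or Configuration permission lists, which are stored as binary security descriptors; those still need the dcomcnfg checks described above.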
