Preventing Connections to a Server or Datasource Using Deny Lists
You can configure deny lists if you need to:
- specify the computer(s) that a server or datasource will NOT accept connections from
- specify the computer(s) that a server's datasources or a specific datasource will NOT be published to
- specify the ProjectWise Explorer version(s) that a server or datasource will NOT accept connections from
- specify the ProjectWise Administrator version(s) that a server or datasource will NOT accept connections from
You can configure these deny lists by directly editing the DMSKRNL.CFG file, or using the Security tab of the Server Properties or Datasource Properties dialogs, which adds the information to the DMSKRNL.CFG file.
When specifying computers to deny, you can enter the IP address or host name of specific computers, or you can enter a range of IP addresses. If you need to allow a computer that falls in the denied IP range, you can add the host name or IP address of that computer to the allow list. If a computer is not in the deny list, or if a computer is in both the deny list and the allow list, then that computer will be allowed.
When specifying versions to deny, either you can add the versions you want to allow to the allow list and leave the deny list blank, so that any version not listed in the allow list will be denied, or you can add the versions you want to deny to the deny list and leave the allow list blank, so that only the versions listed in the deny list will be denied. You can enter a specific version (for example, 10.00.03.298), multiple specific versions each separated by a comma, or you can enter a range of versions. If a version is in both the deny list and the allow list, the version will be denied.
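The precedence rules above differ for computers (an allow entry overrides a deny entry) and for versions (a deny entry wins). The following added example, which is not ProjectWise's own code, evaluates sample hosts and versions against the keys as they are written to the [Authentication] section of DMSKRNL.CFG. The function names, the octet-by-octet wildcard matching, and the treatment of a version found in neither list are assumptions; version ranges are not handled because this page does not show their syntax.

```python
import configparser

# Constructed sample using the example values shown on this page.
SAMPLE_CFG = """\
; Section defines global authentication settings
[Authentication]
Deny=193.25.*.*,10.*.*.*
Allow=193.25.4.*
AllowClientLoginVersions=
DenyClientLoginVersions=10.00.03.298
"""

def load_section(cfg_text, section="Authentication"):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(cfg_text)
    return dict(cp[section])

def _items(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def _matches(host, pattern):
    h, p = host.lower().split("."), pattern.split(".")
    if "*" in p:  # wildcard range: compare octet by octet
        return len(h) == len(p) and all(b in ("*", a) for a, b in zip(h, p))
    return h == p  # exact IP address or host name

def host_allowed(host, deny, allow):
    denied = any(_matches(host, p) for p in _items(deny))
    allowed = any(_matches(host, p) for p in _items(allow))
    return not denied or allowed  # computers: an allow entry overrides deny

def version_allowed(version, deny, allow):
    deny_l, allow_l = _items(deny), _items(allow)
    if version.strip() in deny_l:
        return False  # versions: deny wins when listed in both
    # Assumption: with a non-empty allow list, unlisted versions are denied.
    return version.strip() in allow_l if allow_l else True

def evaluate(cfg_text, hosts, versions):
    s = load_section(cfg_text)
    return (
        {h: host_allowed(h, s.get("Deny", ""), s.get("Allow", "")) for h in hosts},
        {v: version_allowed(v, s.get("DenyClientLoginVersions", ""),
                            s.get("AllowClientLoginVersions", "")) for v in versions},
    )

if __name__ == "__main__":
    print(evaluate(SAMPLE_CFG, ["193.25.9.1", "193.25.4.7", "10.1.2.3", "172.16.0.5"],
                   ["10.00.03.298", "10.00.03.300"]))
```

Running the same check against a copy of the real file before and after an edit shows which addresses or client versions change state.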
Specify the computers that a server or datasource will NOT accept connections from
- Open the Properties dialog for the server or datasource you need to configure the deny list for.
- Select the Security tab.
- Set Select security type to Connections (Server Properties) or Client connections (Datasource Properties).
- In the Deny field, enter the IP address or host name of the computer to deny, or enter a range of IP addresses, then click Add.
For example:
193.25.*.*,10.*.*.*
- (Optional) In the Allow field, enter the IP address or host name of a computer in the denied IP range that you want to allow, then click Add.
For example:
193.25.4.*
- Click OK.
The client connection deny list for a server is added to the [Authentication] section of the DMSKRNL.CFG file:
; ------------------------------------------------------------
; Section defines global authentication settings
; ------------------------------------------------------------
[Authentication]
Deny=193.25.*.*,10.*.*.*
Allow=193.25.4.*
The client connection deny list for a datasource is appended to the datasource-specific settings section in the DMSKRNL.CFG file:
[db0]
Type=Microsoft SQL Server
DBUserName=pwtest
DBUsrPwdDecrypt=5
DBUserPassword=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADiFdjh...
Description=pwtest
DisplayName=pwtest
InterfaceType=ODBC
Name=pwtest
DBCryptKeyDecrypt=5
DBCryptKey=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADiFdjh+w90...
DMS=1
SSO=1
STS=1
Deny=193.25.*.*,10.*.*.*
Allow=193.25.4.*
Specify the computers that a server's datasources or a specific datasource will NOT be published to
- Open the Properties dialog for the server or datasource you need to configure the do not publish to list for.
- Select the Security tab.
- Set Select security type to Datasource list publishing.
- In the Do not publish to field, enter the IP address or host name of the computer to not publish to, or enter a range of IP addresses, then click Add.
For example:
193.25.*.*,10.*.*.*
- (Optional) In the Allow field, enter the IP address or host name of the computer in the do not publish to range that you want to allow, then click Add.
For example:
193.25.4.*
- Click OK.
The do not publish to list for a server is added to the [Authentication] section of the DMSKRNL.CFG file:
; ------------------------------------------------------------
; Section defines global authentication settings
; ------------------------------------------------------------
[Authentication]
DsListDeny=193.25.*.*,10.*.*.*
DsListAllow=193.25.4.*
The do not publish to list for a datasource is appended to the datasource-specific settings section in the DMSKRNL.CFG file:
[db0]
Type=Microsoft SQL Server
DBUserName=pwtest
DBUsrPwdDecrypt=5
DBUserPassword=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADiFdjh...
Description=pwtest
DisplayName=pwtest
InterfaceType=ODBC
Name=pwtest
DBCryptKeyDecrypt=5
DBCryptKey=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADiFdjh+w90...
DMS=1
SSO=1
STS=1
DsListDeny=193.25.*.*,10.*.*.*
DsListAllow=193.25.4.*
Specify the ProjectWise Explorer versions that a server or datasource will NOT accept logins from
- Open the Properties dialog for the server or datasource you need to configure the client version deny list for.
- Select the Security tab.
- Set Select security type to Client versions login.
- Specify the versions you want to allow, or specify the versions you want to deny.
Option A:
- Enter the versions you want to allow in the Allow list, and leave the Deny list blank. In this case, any version that is not specified will be denied.
Option B:
- Click OK.
The client version deny list for a server is added to the [Authentication] section of the DMSKRNL.CFG file:
; ------------------------------------------------------------
; Section defines global authentication settings
; ------------------------------------------------------------
[Authentication]
AllowClientLoginVersions=
DenyClientLoginVersions=10.00.03.298
The client version deny list for a datasource is appended to the datasource-specific settings section in the DMSKRNL.CFG file:
[db0]
Type=Microsoft SQL Server
DBUserName=pwtest
DBUsrPwdDecrypt=5
DBUserPassword=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADiFdjh...
Description=pwtest
DisplayName=pwtest
InterfaceType=ODBC
Name=pwtest
DBCryptKeyDecrypt=5
DBCryptKey=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADiFdjh+w90...
DMS=1
SSO=1
STS=1
AllowClientLoginVersions=
DenyClientLoginVersions=10.00.03.298
Specify the ProjectWise Administrator versions that a server or datasource will NOT accept logins from
- Open the Server Properties dialog and select the Security tab.
- Set Select security type to Client versions admin login.
- Specify the versions you want to allow, or specify the versions you want to deny.
Option A:
- Enter the versions you want to allow in the Allow list, and leave the Deny list blank. In this case, any version that is not specified will be denied.
Option B:
- Click OK.
The admin version deny list for a server is added to the [Authentication] section of the DMSKRNL.CFG file:
; ------------------------------------------------------------
; Section defines global authentication settings
; ------------------------------------------------------------
[Authentication]
AllowClientAdminLoginVersions=
DenyClientAdminLoginVersions=10.00.03.298
The admin version deny list for a datasource is appended to the datasource-specific settings section in the DMSKRNL.CFG file:
[db0]
Type=Microsoft SQL Server
DBUserName=pwtest
DBUsrPwdDecrypt=5
DBUserPassword=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADiFdjh...
Description=pwtest
DisplayName=pwtest
InterfaceType=ODBC
Name=pwtest
DBCryptKeyDecrypt=5
DBCryptKey=AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAADiFdjh+w90...
DMS=1
SSO=1
STS=1
AllowClientAdminLoginVersions=
DenyClientAdminLoginVersions=10.00.03.298