Marc posted on August 18, 2008 02:15

What particularly annoys me about some so-called “security engineers” is their lack of understanding (or outdated understanding?) of protocols in general and of Microsoft technologies in particular.
On hearing the words “Microsoft”, “Windows” and “RPC”, they immediately react with “insecure”, “anonymous”, “not authorized”…

RPC is wild over (high) ports and you cannot control it
False: by default, RPC uses port 135 as the endpoint mapper, then agrees with the host it is communicating with on the higher ports to use as necessary. This high-port negotiation can be restricted to a range of ports or to a single port. If you don’t want to configure RPC behavior on the hosts, you can also encapsulate the traffic in IPsec, which is a no-brainer in Windows. Here is how to do both: http://support.microsoft.com/kb/908472
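The first option above, restricting the dynamic range on the host, as an added PowerShell example (not part of the original post). It writes the `HKLM\SOFTWARE\Microsoft\Rpc\Internet` values documented in KB 154596 and adds matching host firewall rules; the port range 5000-5100, the rule names and the 192.0.2.0/24 management subnet are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: pin RPC dynamic endpoints to a fixed range and scope the
# host firewall to it. Range and subnet defaults are constructed placeholders.
param(
    [int]$First = 5000,                      # assumed start of the RPC range
    [int]$Last  = 5100,                      # assumed end of the RPC range
    [string]$AllowedSubnet = '192.0.2.0/24'  # assumed management subnet
)

# Refuse ranges that are inverted or that overlap the well-known ports.
if ($First -le 1024 -or $Last -gt 65535 -or $First -gt $Last) {
    throw "Invalid RPC port range: $First to $Last"
}

$key   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$range = '{0}-{1}' -f $First, $Last

# Create the key if it is absent, then write the three values the RPC
# runtime reads: the port list, and two flags marking it as the range to use.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name Ports -PropertyType MultiString `
    -Value @($range) -Force | Out-Null
New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Inbound allow rules for the endpoint mapper and the pinned range only,
# limited to the management subnet. Broader rules that already exist are
# not changed by this script and should be reviewed separately.
New-NetFirewallRule -DisplayName 'RPC endpoint mapper (example)' `
    -Direction Inbound -Protocol TCP -LocalPort '135' `
    -RemoteAddress $AllowedSubnet -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'RPC pinned range (example)' `
    -Direction Inbound -Protocol TCP -LocalPort $range `
    -RemoteAddress $AllowedSubnet -Action Allow | Out-Null

# Show what was written so the change can be checked before the restart.
Get-ItemProperty -Path $key |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Write-Host "RPC range set to $range; restart the computer for it to take effect."
```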

RPC cannot be firewalled
Totally untrue: most recent (and decent) firewalls will do the job. Just for the record, I can mention Check Point, whose SmartDefense technology has included RPC firewalling since 2003. These MS KB articles will help you further: http://support.microsoft.com/kb/154596 and http://support.microsoft.com/kb/179442

RPC is anonymous by default
Forget about the Windows NT4 era, this is all history! In some very specific cases you may still see anonymous RPC (or CIFS/SMB) calls on the network, but most of the time it is fully authenticated. Not to mention that when using DCOM over RPC, you can set the authentication mode you wish with a lot of granularity. Look at this TechNet content for an in-depth explanation: http://technet.microsoft.com/en-us/library/cc781010.aspx and http://technet.microsoft.com/en-us/library/cc738214.aspx. By the way, bear in mind that people making such incorrect claims also seem not to know that even in the HTTP protocol, the first request is anonymous…

RPC over HTTP is only valid for Outlook and Exchange
What? Ahem, you mean “is, to my knowledge, only implemented with Outlook and Exchange”. But nothing prevents you from implementing your own solution based on this technology. Take a look at MSDN for details: http://msdn.microsoft.com/en-us/library/aa375384(VS.85).aspx.
By the way, contrary to what many people think, the FrontPage RPC protocol has nothing to do with the standard DCE RPC we’re talking about here. FPRPC is an extension of HTTP that eases web site authoring as well as collaborative work over HTTP. It should be considered a kind of WebDAV on steroids.

And cut!
Thanks to J.G. for inspiring this post! I really appreciate talking with people who are able to scratch the surface and look underneath.

