[Samba] MS-RPC, LSARPC and Named Pipes end points
Denis Cardon
dcardon at tranquil.it
Wed Dec 20 15:57:05 UTC 2017
Hi everyone,
I get more and more questions from security-minded clients about MS-RPC
and the dynamic RPC port range. The default range is quite wide, and
while it can be configured and reduced through the "rpc server dynamic
port range" parameter since 4.7.0, it still gets
network/firewall/security people nervous.
Digging further into that subject, after some more reading and
tcpdump'ing, I started to do some tests blocking the dynamic range for a
few workstations, and I didn't have the users yelling back at me. On the
other hand, some administrative tasks like AD replication and remote server
management in compmgmt.msc do really need those ports accessible. But
for standard use of a workstation, I haven't had any issues so far (for
our internal use case).
I was also wondering what are the common points and the differences
between LSARPC, RPC over SMB, and MS-RPC/DCE-RPC:
* is MS-RPC the default standard for RPC transport (port 135 + dynamic
range)?
* is RPC over SMB / named pipes considered legacy (port 445, and 139 if
NetBIOS is enabled)?
* are there some applications that choose LSARPC, SMBRPC or MS-RPC by default?
* is it interchangeable, that is to say, are all MS-RPC endpoints also
callable through SMBRPC / named pipes and the other way around?
* is it possible to have a fallback on SMBRPC (named pipes) if MS-RPC is
not available?
Documentation on Microsoft RPC is not the easiest to navigate through,
so bear with me if my questions are too basic.
My first aim would be to be able to avoid the need for such a big range from
the server VLAN to the desktop VLANs. The second need would be to
restrict the replication partners for DRS through firewalling.
Cheers,
Denis
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
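The post above narrows the Samba 4.7+ "rpc server dynamic port range" and then firewalls the range per VLAN; the script below is an added example of keeping those two in step. It is not code from the post or from the Samba project. It reads the parameter out of an smb.conf (matching the canonical lowercase spelling; on a real host `testparm -s` gives you that form), falls back to Samba's documented default of 49152-65535 when the parameter is absent, sanity-checks the range, and emits nftables rules that open the endpoint mapper (135) and the dynamic range from the admin/server VLAN only, while desktops keep 445 and get the dynamic range dropped. The subnets, the existence of an `inet filter input` chain, and the sample smb.conf are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: derive firewall rules for a
# Samba DC from its "rpc server dynamic port range". Subnets are assumed;
# override them in the environment when running.
ADMIN_NET="${ADMIN_NET:-10.0.10.0/24}"     # hypothetical admin/server VLAN
DESKTOP_NET="${DESKTOP_NET:-10.0.20.0/24}" # hypothetical desktop VLAN

# Print the configured range as "low-high". When the parameter is absent
# Samba 4.7+ uses 49152-65535, so that is what we fall back to.
dynamic_port_range() {
    range=$(sed -n 's/^[[:space:]]*rpc server dynamic port range[[:space:]]*=[[:space:]]*\([0-9][0-9]*[[:space:]]*-[[:space:]]*[0-9][0-9]*\).*$/\1/p' "$1" \
            | tr -d '[:space:]' | tail -n 1)
    if [ -n "$range" ]; then
        printf '%s\n' "$range"
    else
        printf '49152-65535\n'
    fi
}

# Return 0 when "low-high" is sane: both ends numeric, low < high,
# nothing in the well-known port space (<1024) and nothing above 65535.
range_is_valid() {
    low=${1%-*}
    high=${1#*-}
    case "$low" in ''|*[!0-9]*) return 1 ;; esac
    case "$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1024 ] && [ "$low" -lt "$high" ] && [ "$high" -le 65535 ]
}

# Emit nft commands for an assumed "inet filter input" chain:
#  - admin VLAN: endpoint mapper (135) plus the dynamic range (needed by
#    DRS replication, compmgmt.msc and similar remote management)
#  - desktop VLAN: SMB (445) only; the dynamic range is dropped
emit_nft_rules() {
    range=$(dynamic_port_range "$1")
    if ! range_is_valid "$range"; then
        echo "refusing to emit rules for bad range: $range" >&2
        return 1
    fi
    printf 'add rule inet filter input ip saddr %s tcp dport { 135, %s } accept\n' "$ADMIN_NET" "$range"
    printf 'add rule inet filter input ip saddr %s tcp dport 445 accept\n' "$DESKTOP_NET"
    printf 'add rule inet filter input ip saddr %s tcp dport %s drop\n' "$DESKTOP_NET" "$range"
}

# Usage: sh this_script.sh /etc/samba/smb.conf | nft -f -
if [ "$#" -ge 1 ]; then
    emit_nft_rules "$1"
fi
```

Pipe the output into `nft -f -` after reviewing it; the drop rule is what makes the workstation experiment in the post reproducible, and the accept rule for the admin VLAN is what keeps replication and compmgmt.msc working.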