[Samba] MS-RPC, LSARPC and Named Pipes end points

Denis Cardon dcardon at tranquil.it
Wed Dec 20 15:57:05 UTC 2017


Hi everyone,

I get more and more questions from security minded clients about MS-RPC 
and the dynamic RPC port range. The default range is quite wide, and 
while it can be configured and reduced through the "rpc server dynamic 
port range" parameter since 4.7.0, it still gets 
network/firewall/security people nervous.

Digging further into that subject, after some more reading and 
tcpdump'ing, I started to do some tests blocking the dynamic range for a 
few workstations, and I didn't have the users yelling back at me. On the 
other hand some administrative tasks like AD replication and remote server 
management in compmgmt.msc do really need those ports accessible. But 
for standard use of a workstation, I didn't get any issues so far (for 
our internal use case).

I was also wondering what are the common points and the differences 
between LSARPC, RPC over SMB, and MS-RPC/DCE-RPC:

* is MS-RPC the default standard for RPC transport (port 135 + dynamic 
range)

* is RPC over SMB / named pipes considered legacy (port 445 and 139 if 
netbios enabled)

* are there some applications that choose LSARPC, SMBRPC or MS-RPC by default

* is it interchangeable, that is to say, are all MS-RPC endpoint also 
callable through SMBRPC / named pipes and the other way around?

* is it possible to have fallback on SMBRPC (named pipes) if MS-RPC is 
not available

Documentation on Microsoft RPC is not the easiest to navigate through, 
so bear with me if my questions are too basic.

My first aim would be to be able to avoid the need for such a big range from 
the server vlan to the other desktop vlans. The second need would be to 
restrict the replication partners for DRS through firewalling.

Cheers,

Denis
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
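An added example, not part of Denis's post or of Samba itself: a Python script that reads the "rpc server dynamic port range" value from an smb.conf fragment (falling back to Samba's 49152-65535 default when the parameter is absent) and classifies the connection attempts in a tcpdump text capture by transport (endpoint mapper on 135, RPC over SMB named pipes on 445/139, the dynamic range, or other), so that before blocking the dynamic range for a set of workstations you can see which clients actually open connections into it. The smb.conf fragment, the tcpdump lines and all addresses are constructed for the example; the line parser assumes IPv4 tcpdump output and counts only pure SYNs, so each TCP connection is counted once.

```python
"""Added example (not from the original post or the Samba project).

Given an smb.conf and the text output of a tcpdump capture, report which
clients open connections into the DCE-RPC dynamic port range as opposed
to the endpoint mapper (135) or RPC over SMB named pipes (445/139).
Only IPv4 tcpdump lines of the form
'HH:MM:SS.us IP a.b.c.d.sport > e.f.g.h.dport: Flags [..], ...' are handled
(an assumption of this example), and only pure SYNs are counted so each
TCP connection is counted once.
"""
import re
from collections import defaultdict

# Samba's default when 'rpc server dynamic port range' is unset (Samba >= 4.7).
DEFAULT_RANGE = (49152, 65535)

# Constructed smb.conf fragment with the range narrowed from the default.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    # narrowed from the 49152-65535 default
    rpc server dynamic port range = 49152-49300
"""

# Constructed tcpdump lines: a workstation (10.0.1.20), a second
# workstation that only talks SMB and Kerberos (10.0.1.21), and a
# member server (10.0.0.6), all talking to the DC at 10.0.0.5.
SAMPLE_CAPTURE = """\
15:57:05.000001 IP 10.0.1.20.51234 > 10.0.0.5.445: Flags [S], seq 1, win 64240, length 0
15:57:05.000002 IP 10.0.0.5.445 > 10.0.1.20.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
15:57:05.000003 IP 10.0.1.20.51235 > 10.0.0.5.135: Flags [S], seq 3, win 64240, length 0
15:57:05.000004 IP 10.0.1.20.51236 > 10.0.0.5.49153: Flags [S], seq 4, win 64240, length 0
15:57:06.000001 IP 10.0.1.21.40001 > 10.0.0.5.445: Flags [S], seq 5, win 64240, length 0
15:57:06.000002 IP 10.0.1.21.40002 > 10.0.0.5.88: Flags [S], seq 6, win 64240, length 0
15:57:07.000001 IP 10.0.0.6.60000 > 10.0.0.5.135: Flags [S], seq 7, win 64240, length 0
15:57:07.000002 IP 10.0.0.6.60001 > 10.0.0.5.49200: Flags [S], seq 8, win 64240, length 0
15:57:07.000003 IP 10.0.1.20.51236 > 10.0.0.5.49153: Flags [P.], seq 1:96, ack 1, win 502, length 95
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_dynamic_range(smb_conf):
    """Return (low, high) from the smb.conf parameter, or the Samba default.

    smb.conf parameter names are case-insensitive and ignore internal
    whitespace, so the key is normalised before comparing.
    """
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":   # blank, comment or section header
            continue
        key, sep, value = line.partition("=")
        if sep and key.lower().replace(" ", "") == "rpcserverdynamicportrange":
            low, high = (int(p) for p in value.strip().split("-", 1))
            if not (1 <= low <= high <= 65535):
                raise ValueError("invalid port range %r" % value.strip())
            return (low, high)
    return DEFAULT_RANGE


def classify_port(dport, dyn_range):
    """Map a destination port onto the RPC transport it implies."""
    if dport == 135:
        return "epmap"          # DCE-RPC endpoint mapper
    if dport == 445:
        return "smb"            # RPC over SMB named pipes (\PIPE\lsarpc etc.)
    if dport == 139:
        return "netbios-ssn"    # same pipes, via the NetBIOS session service
    if dyn_range[0] <= dport <= dyn_range[1]:
        return "rpc-dynamic"    # endpoint handed out by the mapper
    return "other"


def summarize(capture, dyn_range, server_ip):
    """Count connection attempts (pure SYNs) to server_ip per client and transport."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "S" or m.group("dst") != server_ip:
            continue
        counts[m.group("src")][classify_port(int(m.group("dport")), dyn_range)] += 1
    return {client: dict(kinds) for client, kinds in counts.items()}


def clients_needing_dynamic_range(summary):
    """Clients that opened at least one connection into the dynamic range."""
    return sorted(c for c, kinds in summary.items() if kinds.get("rpc-dynamic"))


if __name__ == "__main__":
    rng = parse_dynamic_range(SAMPLE_SMB_CONF)
    report = summarize(SAMPLE_CAPTURE, rng, "10.0.0.5")
    for client, kinds in sorted(report.items()):
        print(client, kinds)
    print("need dynamic range:", clients_needing_dynamic_range(report))
```

On the constructed capture the two workstations differ: 10.0.1.20 hits the endpoint mapper and then a dynamic port, while 10.0.1.21 only ever opens 445 (plus Kerberos), so a firewall rule dropping the dynamic range from the desktop VLAN would affect the first but not the second. Feed it a real capture (`tcpdump -nn -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst host <dc>'`) over a few days before deciding which VLANs really need the range.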
