Disabling RPC
Results 1 to 10 of 10

Thread: Disabling RPC

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    64

    Disabling RPC

    I was doing some reasearch and trying to understand why not disable RPC. Can someone explain to me or point to a link. So i can understand hwo to secure RPC(disabling, firewall blocking port 593 i think) I know that i need to keep up with patches and all that. Some of articles on the net said no to disable it cause your system wont run in a stable manner after that, why?. Any help would be appreciated.

    Thanks

  2. #2
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Are there any workarounds that can be used to help block exploitation of this vulnerability while I am testing or evaluating the patch?

    Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to help prevent the vector used to exploit this vulnerability in the interim. There is no guarantee that the workarounds will block all possible attack vectors.
    It should be noted that these workarounds should be considered temporary measures as they just help block paths of attack rather than correcting the underlying vulnerability.

    Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at your firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems.

    These ports are used to initiate an RPC connection with a remote computer. Blocking them at the firewall ,will help prevent systems behind that firewall from being attacked by attempts to exploit these vulnerabilities. You should also be sure and block any other specifically configured RPC port on the remote machine.
    If enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP ports 80 (and 443 on XP and Windows Server 2003). Make sure that CIS and RPC over HTTP are disabled on all the affected systems.
    More information on how to disable CIS can be found in Microsoft Knowledge Base Article 825819.
    For information regarding RPC over HTTP, see http://msdn.microsoft.com/library/de..._security.asp.
    From here: http://www.microsoft.com/technet/sec.../MS03-026.mspx
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  3. #3
    Member
    Join Date
    Nov 2003
    Posts
    64
    Thanks alot for the links jinxy, I was checking the dependencies of RPC and here is a list. Does this mean if you disable RPC all these wont work at all or they wont work properly with all thier features?

    Background Intelligent Transfer Service
    COM+ Event System
    COM+ System Application
    Cryptographic Services
    Distributed Link Tracking Client
    Distributed Transaction Coordinator
    Error Reporting Service
    Help and Support
    Human Interface Device Access
    Indexing Service
    Logical Disk Manager
    Logical Disk Manager Administrative Service
    McAfee Framework Service
    Messenger
    MS Software Shadow Copy Provider
    Network Connections
    Network Provisioning Service
    Print Spooler
    Proteced Storage
    QoS RSVP
    Remote Desktop Help session
    Remote Registery
    Removable Storage
    Routing and Remote Access
    Security Accounts Manager
    Security Center
    Shell Hardware Detection
    System Restore Service
    Task Scheduler
    Telephony (this is Voice over IP VoIP)
    Telnet
    Terminal Services
    Volume Shadow Copy
    Windows Audio
    Windows Image Acquistion
    Windows Installer
    Windows Management Instrumentation
    Wireless Zero Configuration
    WMI Performance Adapter

    Thanks again...

  4. #4
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Windows has too have RPC too run properly. If you don't want that running, then use something else. In Linux, NFS is one of the only things that use RPC.

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I do not no the definative answere to that, however i would guess that some would just not work properly and others would not work at all. I also think it would effect overall system stability. Hence microsoft not recommending it be disabled.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Member
    Join Date
    Nov 2003
    Posts
    64
    Thanks gore for the advice. But iam running windows and linux slackware on my machine. Im just trying to rap my fingers around things....

    Thanks all for the help

  7. #7
    Banned
    Join Date
    Nov 2003
    Posts
    1,161

    Re: Disabling RPC

    Originally posted here by coderecycle
    I was doing some reasearch and trying to understand why not disable RPC. Can someone explain to me or point to a link. So i can understand hwo to secure RPC(disabling, firewall blocking port 593 i think) I know that i need to keep up with patches and all that. Some of articles on the net said no to disable it cause your system wont run in a stable manner after that, why?. Any help would be appreciated.

    Thanks
    Yeah, that one is required but you can kill the (RPC) locator.
    I've been comfortably down to 12 processes. I'm also comfortable without patches.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LPDSVC]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFtpsvc]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSMQ]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSMQTriggers]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardDrv]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTcp]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SwPrv]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uploadmgr]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSp]
    "Start"=dword:00000002
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]
    "Start"=dword:00000003
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
    "Start"=dword:00000004

    Made at www.BLKviper.com This guy is a service tweaking freak.

  8. #8
    Member
    Join Date
    Nov 2003
    Posts
    64
    If anyone is interested in finding more about RPC, here are a few links i found

    http://www.opengroup.org/onlinepubs/9629399/toc.htm
    http://www.kcl.ac.uk/kis/support/cit...an/procsn.html
    http://support.microsoft.com/default...b;en-us;826382
    http://msdn.microsoft.com/library/de...components.asp
    http://www2.cs.uregina.ca/~hamilton/courses/430/notes/
    http://www.sei.cmu.edu/str/descriptions/rpc.html
    http://www.yonezaki.cs.titech.ac.jp/...des/Shinjo.pdf

    The best way to secure RPC is to patch your system against known vul on windows and try and disable service that you might not need(like disabling DCOM support in RPC over HTTP as mentioned in the third link). Having a firewall ofcourse. As for linux i read that is the best way to block access to your RPC services is to use a firewall - iptables/ipchains and block all the ports that are not needed.

    I would really appreciate any input on the best ways to secure and learn more about securing RPC since alot of the attacks exploite RPC

    http://www.infosyssec.com/cgi-bin/fl...yssec/bor2.htm

    Thanks again

  9. #9
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    If you disable RPC on Windows, pretty much nothing works. So, it's not a good idea. And yes, all those services that you listed will fail to start if RPC is disabled.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  10. #10
    Junior Member
    Join Date
    Apr 2004
    Posts
    18
    In the following discussion: http://www.antionline.com/showthread...light=port+135
    jinxy provides a snippet from Reg Review of a list of ports/services that ought to be disabled.

    After reading the forum and receiving guidance from a great deal of sources regarding disabling unnecessary services, then checking the results through running netstat -ano (I'm running Win XP) from the command line I manged to clear a great many services and close a few ports.

    For some unknown reason, port 135 re-appeared due to process svchost.exe. Performing an advanced search on the AP forums using 'port 135' as a search term, I came across the link above. Disabling the services as suggested by Reg Review, I then rebooted, opened up a command prompt and ran netstat -ano. To my surprise, there were no services at all running. Nothing. Zilch. Nada. I also noticed that ZA had failed to load in my system tray. I fired up Firefox to find that the server couldn't be found ..

    Roh ro! Oh kay .. time to figure out what service I had disabled. At first I thought it was the Remote Access Control Manager -- enabled, tried to start but wouldn't start due to an RPC dependency. Hmmm .. Rebooted. Same problem. No services running, no ZA and no connection. Using a reductive approach, I figured I would turn each disabled service on, then reboot and see if my connection would be restored. Well, I jump-started the reductive process by only examining the disabled services (Start/Run/services.msc) that had affected network connections. I noticed that DHCP Client had been disabled (as per Reg Review) so I set it to Automatic, then re-started it.

    Bingo! Connectivity once more!

    Hopefully, this has resolved my connectivity problems, but just a warning for users in case they experience a lack of connectivity.

    Regards,
    Riotgirl
    \"Don\'t worry. I don\'t have low self-esteem. It\'s a mistake. I have low esteem for everyone else\".



Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •