Disabling RPC

**coderecycle** · October 19th, 2004, 04:35 PM

I was doing some reasearch and trying to understand why not disable RPC. Can someone explain to me or point to a link. So i can understand hwo to secure RPC(disabling, firewall blocking port 593 i think) I know that i need to keep up with patches and all that. Some of articles on the net said no to disable it cause your system wont run in a stable manner after that, why?. Any help would be appreciated.

Thanks

***jinxy*** · October 19th, 2004, 04:59 PM

Are there any workarounds that can be used to help block exploitation of this vulnerability while I am testing or evaluating the patch?

Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to help prevent the vector used to exploit this vulnerability in the interim. There is no guarantee that the workarounds will block all possible attack vectors.
It should be noted that these workarounds should be considered temporary measures as they just help block paths of attack rather than correcting the underlying vulnerability.

• Block UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593 at your firewall and disable COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, on the affected systems.

These ports are used to initiate an RPC connection with a remote computer. Blocking them at the firewall ,will help prevent systems behind that firewall from being attacked by attempts to exploit these vulnerabilities. You should also be sure and block any other specifically configured RPC port on the remote machine.
If enabled, CIS and RPC over HTTP allow DCOM calls to operate over TCP ports 80 (and 443 on XP and Windows Server 2003). Make sure that CIS and RPC over HTTP are disabled on all the affected systems.
More information on how to disable CIS can be found in Microsoft Knowledge Base Article 825819.
For information regarding RPC over HTTP, see http://msdn.microsoft.com/library/de..._security.asp.

From here: http://www.microsoft.com/technet/sec.../MS03-026.mspx

**coderecycle** · October 19th, 2004, 05:09 PM

Thanks alot for the links jinxy, I was checking the dependencies of RPC and here is a list. Does this mean if you disable RPC all these wont work at all or they wont work properly with all thier features?

Background Intelligent Transfer Service
COM+ Event System
COM+ System Application
Cryptographic Services
Distributed Link Tracking Client
Distributed Transaction Coordinator
Error Reporting Service
Help and Support
Human Interface Device Access
Indexing Service
Logical Disk Manager
Logical Disk Manager Administrative Service
McAfee Framework Service
Messenger
MS Software Shadow Copy Provider
Network Connections
Network Provisioning Service
Print Spooler
Proteced Storage
QoS RSVP
Remote Desktop Help session
Remote Registery
Removable Storage
Routing and Remote Access
Security Accounts Manager
Security Center
Shell Hardware Detection
System Restore Service
Task Scheduler
Telephony (this is Voice over IP VoIP)
Telnet
Terminal Services
Volume Shadow Copy
Windows Audio
Windows Image Acquistion
Windows Installer
Windows Management Instrumentation
Wireless Zero Configuration
WMI Performance Adapter

Thanks again...

**gore** · October 19th, 2004, 05:18 PM

Windows has too have RPC too run properly. If you don't want that running, then use something else. In Linux, NFS is one of the only things that use RPC.

***jinxy*** · October 19th, 2004, 05:22 PM

I do not no the definative answere to that, however i would guess that some would just not work properly and others would not work at all. I also think it would effect overall system stability. Hence microsoft not recommending it be disabled.

**coderecycle** · October 20th, 2004, 02:35 AM

Thanks gore for the advice. But iam running windows and linux slackware on my machine. Im just trying to rap my fingers around things....

Thanks all for the help

**!mitationRust** · October 20th, 2004, 05:49 AM

Originally posted here by coderecycle
I was doing some reasearch and trying to understand why not disable RPC. Can someone explain to me or point to a link. So i can understand hwo to secure RPC(disabling, firewall blocking port 593 i think) I know that i need to keep up with patches and all that. Some of articles on the net said no to disable it cause your system wont run in a stable manner after that, why?. Any help would be appreciated.

Thanks

Yeah, that one is required but you can kill the (RPC) locator.
I've been comfortably down to 12 processes. I'm also comfortable without patches.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LPDSVC]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFtpsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSMQ]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSMQTriggers]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardDrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SimpTcp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SwPrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uploadmgr]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
"Start"=dword:00000004

Made at www.BLKviper.com This guy is a service tweaking freak.

**coderecycle** · October 21st, 2004, 03:01 AM

If anyone is interested in finding more about RPC, here are a few links i found

http://www.opengroup.org/onlinepubs/9629399/toc.htm
http://www.kcl.ac.uk/kis/support/cit...an/procsn.html
http://support.microsoft.com/default...b;en-us;826382
http://msdn.microsoft.com/library/de...components.asp
http://www2.cs.uregina.ca/~hamilton/courses/430/notes/
http://www.sei.cmu.edu/str/descriptions/rpc.html
http://www.yonezaki.cs.titech.ac.jp/...des/Shinjo.pdf

The best way to secure RPC is to patch your system against known vul on windows and try and disable service that you might not need(like disabling DCOM support in RPC over HTTP as mentioned in the third link). Having a firewall ofcourse. As for linux i read that is the best way to block access to your RPC services is to use a firewall - iptables/ipchains and block all the ports that are not needed.

I would really appreciate any input on the best ways to secure and learn more about securing RPC since alot of the attacks exploite RPC

http://www.infosyssec.com/cgi-bin/fl...yssec/bor2.htm

Thanks again

***cgkanchi*** · October 21st, 2004, 12:59 PM

If you disable RPC on Windows, pretty much nothing works. So, it's not a good idea. And yes, all those services that you listed will fail to start if RPC is disabled.

Cheers,
cgkanchi

**Riotgirl** · October 23rd, 2004, 07:31 PM

In the following discussion: http://www.antionline.com/showthread...light=port+135
jinxy provides a snippet from Reg Review of a list of ports/services that ought to be disabled.

After reading the forum and receiving guidance from a great deal of sources regarding disabling unnecessary services, then checking the results through running netstat -ano (I'm running Win XP) from the command line I manged to clear a great many services and close a few ports.

For some unknown reason, port 135 re-appeared due to process svchost.exe. Performing an advanced search on the AP forums using 'port 135' as a search term, I came across the link above. Disabling the services as suggested by Reg Review, I then rebooted, opened up a command prompt and ran netstat -ano. To my surprise, there were no services at all running. Nothing. Zilch. Nada. I also noticed that ZA had failed to load in my system tray. I fired up Firefox to find that the server couldn't be found ..

Roh ro! Oh kay .. time to figure out what service I had disabled. At first I thought it was the Remote Access Control Manager -- enabled, tried to start but wouldn't start due to an RPC dependency. Hmmm .. Rebooted. Same problem. No services running, no ZA and no connection. Using a reductive approach, I figured I would turn each disabled service on, then reboot and see if my connection would be restored. Well, I jump-started the reductive process by only examining the disabled services (Start/Run/services.msc) that had affected network connections. I noticed that DHCP Client had been disabled (as per Reg Review) so I set it to Automatic, then re-started it.

Bingo! Connectivity once more!

Hopefully, this has resolved my connectivity problems, but just a warning for users in case they experience a lack of connectivity.

Regards,
Riotgirl

Thread: Disabling RPC

Thread Tools

Display

Disabling RPC

Re: Disabling RPC

Posting Permissions