Summary
This article describes how to configure RPC to use a specific dynamic port range and how to help secure the ports in that range by using an Internet Protocol security (IPsec) policy. By default, RPC uses ports in the ephemeral port range (1024-5000) when it assigns ports to RPC applications that have to listen on a TCP endpoint. This behavior can make restricting access to these ports challenging for network administrators. This article discusses ways to reduce the number of ports available to RPC applications and how to restrict access to these ports by using a registry-based IPsec policy.
Because the steps in this article involve computer-wide changes that require the computer to be restarted, all these steps should be performed first in nonproduction environments to identify any application-compatibility issues that may occur as the result of these changes.

More Information
There are multiple configuration tasks that must be completed in order to relocate, reduce, and restrict access to RPC ports.
First, the RPC dynamic port range should be restricted to a smaller, more manageable port range that is easier to block by using a firewall or IPsec policy. By default, RPC dynamically allocates ports in the range of 1024 to 5000 for endpoints that do not specify a port on which to listen.

Note This article uses the port range of 5001 to 5021. This reduces the number of ports that are available to RPC endpoints from 3,977 to 21. The number of ports was selected arbitrarily and is not a recommendation for the number of ports that are needed for any specific system.

Next, an IPsec policy must be created that blocks access to this port range from all hosts on the network. Finally, the IPsec policy can be updated to give certain IP addresses or network subnets access to the blocked RPC ports while all other hosts remain blocked.

To start the task of reconfiguring the RPC dynamic port range, download the RPC Configuration Tool (RPCCfg.exe), and then copy it to the workstation or to the server that will be reconfigured. To do this, visit the following Microsoft Web site:
http://www.microsoft.com/download/details.aspx?FamilyID=0f9cde2f-8632-4da8-ae70-645e1ddaf369&DisplayLang=en

To perform the subsequent tasks of creating an IPsec policy, download the Internet Protocol Security Policies Tool (Ipsecpol.exe), and then copy it to the workstation or to the server that will be reconfigured. To do this, visit the following Microsoft Web site:
http://www.microsoft.com/download/details.aspx?displaylang=en&FamilyID=7D40460C-A069-412E-A015-A2AB904B7361

Note To create an IPsec policy for Microsoft Windows XP or for a later version of the Windows operating system, use Ipseccmd.exe. Ipseccmd.exe is part of the Windows XP support tools. The syntax and usage of Ipseccmd.exe are the same as the syntax and usage of Ipsecpol.exe. For more information about the Windows XP support tools, click the following article number to view the article in the Microsoft Knowledge Base:
838079 Windows XP Service Pack 2 Support Tools
Relocate and reduce the RPC dynamic port range by using RPCCfg.exe
To relocate and reduce the RPC dynamic port range by using RPCCfg.exe, follow these steps:
- Copy RPCCfg.exe to the server that is to be configured.
- At the command prompt, type rpccfg.exe -pe 5001-5021 -d 0.
Note This port range is recommended for use by RPC endpoints because ports in this range are not likely to be allocated for use by other applications. By default, RPC uses the port range of 1024 to 5000 for allocating ports for endpoints. However, ports in this range are also dynamically allocated by the Windows operating system for all Windows Sockets applications and can be exhausted on heavily used servers such as terminal servers and middle-tier servers that make many outgoing calls to remote systems. For example, when Internet Explorer contacts a Web server on port 80, the client side of that connection is bound to a port in the 1024-5000 range, and the server's response arrives on that port. A middle-tier COM server that makes outgoing calls to other remote servers likewise uses a port in this range for the incoming reply to each call. Moving the range of ports that RPC uses for its endpoints to the 5001-5021 range reduces the chance that these ports will be used by other applications. For more information about ephemeral port usage in Windows operating systems, visit the following Microsoft Web sites.
For Windows 2000:
For Windows Server 2003:
Use an IPsec or firewall policy to block access to the vulnerable ports on the affected host
In the commands in the following section, any text that appears between percent (%) signs is intended to represent text in the command that must be entered by the person who creates the IPsec policy. For example, wherever the text "%IPSECTOOL%" appears, the person who creates the policy should substitute that text as follows:
- For Windows 2000, substitute "%IPSECTOOL%" with "ipsecpol.exe."
- For Windows XP or a later version of Windows, substitute "%IPSECTOOL%" with "ipseccmd.exe."
For more information about how to use IPsec to block ports, click the following article number to view the article in the Microsoft Knowledge Base:
813878 How to block specific network protocols and ports by using IPSec
Block access to the RPC Endpoint Mapper for all IP addresses
To block access to the RPC Endpoint Mapper for all IP addresses, use the following syntax.
Note On Windows XP and on later operating systems, use Ipseccmd.exe. On Windows 2000, use Ipsecpol.exe.
%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK
In this command, -w REG writes the policy to the local registry, -p names the policy, -r names the rule within that policy, and -n BLOCK sets the filter action. The filter -f *=0:135:TCP matches traffic from any source address and any source port (*) to this computer (0) on TCP port 135. The = makes the filter one-way, so outbound connections from this host to TCP 135 on other hosts are not affected.
Note Do not type "%IPSECTOOL%" in this command. "%IPSECTOOL%" is intended to represent the part of the command that must be customized. For example, on Windows 2000, type the following command from a directory that contains Ipsecpol.exe to block all incoming access to TCP 135:
ipsecpol.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK
On Windows XP and on later operating systems, type the following command from a directory that contains Ipseccmd.exe to block all incoming access to TCP 135:
ipseccmd.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK
Block access to the RPC dynamic port range for all IP addresses
To block access to the RPC dynamic port range for all IP addresses, use the following syntax.
Note On Windows XP and on later operating systems, use Ipseccmd.exe. On Windows 2000, use Ipsecpol.exe.
%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Block Inbound TCP %PORT% Rule" -f *=0:%PORT%:TCP -n BLOCK
Note Do not type "%IPSECTOOL%" or "%PORT%" in this command. "%IPSECTOOL%" and "%PORT%" are intended to represent parts of the command that must be customized. For example, type the following command on Windows 2000 hosts to block all incoming access to TCP 5001:
ipsecpol.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 5001 Rule" -f *=0:5001:TCP -n BLOCK
To block all incoming access to TCP 5001, type the following command on Windows XP hosts and on hosts of later Windows operating systems:
ipseccmd.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 5001 Rule" -f *=0:5001:TCP -n BLOCK
Repeat this command for each RPC port that must be blocked by changing the port number that is listed in this command. Ports that must be blocked are in the 5001-5021 range.
Note Do not forget to change the port number in the rule name (the -r switch) and in the filter (the -f switch).
Optional: Give access to the RPC Endpoint Mapper for specific subnets if access is needed
If you must give specific subnets access to the restricted RPC ports, you must first give these subnets access to the RPC Endpoint Mapper that you blocked earlier. To give a specific subnet access to the RPC Endpoint Mapper, use the following command:
%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP 135 from %SUBNET% Rule" -f %SUBNET%/%MASK%=0:135:TCP -n PASS
Note In this command, the following statements apply:
- "%IPSECTOOL%" represents the command to use. This command is either "ipsecpol.exe" or "ipseccmd.exe." Which command is used depends upon which operating system you are configuring.
- "%SUBNET%" represents the remote IP subnet to which you want to give access, for example, 10.1.1.0.
- "%MASK%" represents the subnet mask to use, for example, 255.255.255.0.
For example, the following command enables all hosts from the 10.1.1.0/255.255.255.0 subnet to connect to TCP port 135. All other hosts will have their connections denied by the default block rule that was created earlier for this port: IPsec applies the most specific matching filter, so the PASS filter for the subnet takes precedence over the BLOCK filter for all addresses (*) on the same port.
%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP Port 135 from 10.1.1.0 Rule" -f 10.1.1.0/255.255.255.0=0:135:TCP -n PASS
Optional: Give access to the new RPC dynamic port range for specific subnets if access is needed
Each subnet that was given access to the RPC Endpoint Mapper earlier should also be given access to all the ports in the new RPC dynamic port range (5001-5021).
If you enable subnets to reach the RPC Endpoint Mapper but not the dynamic port range, clients from those subnets can look up an interface but cannot connect to the endpoint port that the Endpoint Mapper returns, so the application may stop responding, or you may experience other problems. Note also that these PASS filters admit traffic based on the source IP address alone and do not authenticate the remote host; they reduce the exposure of the RPC ports but do not protect against traffic that spoofs an allowed source address. The following command gives a specific subnet access to a port in the new RPC dynamic port range:
%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP %PORT% from %SUBNET% Rule" -f %SUBNET%/%MASK%=0:%PORT%:TCP -n PASS
Note In this command, the following statements apply:
- "%IPSECTOOL%" represents the command to use. This command is either "ipsecpol.exe" or "ipseccmd.exe." Which command is used depends upon which operating system you are configuring.
- "%PORT%" represents the port in the dynamic port range to which to give access.
- "%SUBNET%" represents the remote IP subnet to which you want to give access, for example, 10.1.1.0.
- "%MASK%" represents the subnet mask to use, for example, 255.255.255.0.
For example, the following command enables all hosts from the 10.1.1.0/255.255.255.0 subnet to connect to TCP port 5001. All other hosts will have their connections denied by the default block rule that was created earlier for this port.
%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP Port 5001 from 10.1.1.0 Rule" -f 10.1.1.0/255.255.255.0=0:5001:TCP -n PASS
Note This command should be repeated for each subnet and port in the new RPC dynamic port range.
Assign the IPsec policy
Note The commands in this section take effect immediately.
After you create all the block rules and all the optional allow rules for the configured RPC ports, assign the policy by using the following command:
%IPSECTOOL% -w REG -p "Block RPC Ports" -x
Note To immediately unassign the policy, use the following command:
%IPSECTOOL% -w REG -p "Block RPC Ports" -y
Note To delete the policy from the registry, use the following command:
%IPSECTOOL% -w REG -p "Block RPC Ports" -o
You must restart the host for the RPC port-range change to take effect.
Notes
- The RPC configuration changes require a restart.
- The IPsec policy changes take effect immediately and do not require a restart.
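The following batch file is an added example that ties the steps above together; it is not part of the Microsoft article or its tools. It assumes a Windows XP or Windows Server 2003 host with rpccfg.exe and ipseccmd.exe in the PATH (on Windows 2000, set IPSECTOOL to ipsecpol.exe), and the two management subnets in ALLOWED are hypothetical placeholders for your own. It builds the same policy the article describes: one BLOCK rule for TCP 135 and one for each port in the range, then PASS rules for each allowed subnet, and assigns the policy only when run with the /assign argument.

```batch
@echo off
rem Added example, not from the Microsoft article: relocate the RPC dynamic port
rem range and build the "Block RPC Ports" IPsec policy in one pass.
rem Assumes rpccfg.exe and ipseccmd.exe are in the PATH (Windows XP / 2003).
setlocal

set IPSECTOOL=ipseccmd.exe
set POLICY=Block RPC Ports
set FIRSTPORT=5001
set LASTPORT=5021
rem Hypothetical management subnets (space separated, address/mask) that may
rem still reach the RPC ports. Replace with your own.
set ALLOWED=10.1.1.0/255.255.255.0 192.168.50.0/255.255.255.0

rem 1. Relocate and reduce the RPC dynamic port range (needs a restart to apply).
rpccfg.exe -pe %FIRSTPORT%-%LASTPORT% -d 0

rem 2. Block the RPC Endpoint Mapper (TCP 135) from every source address.
rem    Filter *=0:135:TCP: any source address/port to this host ("0"), TCP 135.
%IPSECTOOL% -w REG -p "%POLICY%" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK

rem 3. Block every port in the new dynamic range from every source address.
for /L %%P in (%FIRSTPORT%,1,%LASTPORT%) do (
    %IPSECTOOL% -w REG -p "%POLICY%" -r "Block Inbound TCP %%P Rule" -f *=0:%%P:TCP -n BLOCK
)

rem 4. Re-admit each allowed subnet to TCP 135 and to every port in the range.
rem    A subnet-specific PASS filter is more specific than the "*" BLOCK filter,
rem    so IPsec applies it for traffic from that subnet. A subnet that is allowed
rem    to reach TCP 135 must also be allowed to reach the whole dynamic range.
for %%S in (%ALLOWED%) do (
    %IPSECTOOL% -w REG -p "%POLICY%" -r "Allow Inbound TCP 135 from %%S Rule" -f %%S=0:135:TCP -n PASS
    for /L %%P in (%FIRSTPORT%,1,%LASTPORT%) do (
        %IPSECTOOL% -w REG -p "%POLICY%" -r "Allow Inbound TCP %%P from %%S Rule" -f %%S=0:%%P:TCP -n PASS
    )
)

rem 5. Assign the policy only when explicitly requested; assignment takes effect
rem    immediately, while the RPC range change waits for the restart.
if /I "%1"=="/assign" (
    %IPSECTOOL% -w REG -p "%POLICY%" -x
    echo Policy "%POLICY%" assigned. Restart the host to apply the new RPC port range.
) else (
    echo Policy "%POLICY%" created but not assigned. Run "%~nx0 /assign" to assign it,
    echo or "%IPSECTOOL% -w REG -p "%POLICY%" -o" to delete it.
)

endlocal
```

Run it once without arguments to stage the rules and review them, then with /assign when you are ready; the unassign (-y) and delete (-o) commands from the article still apply if you need to back out. Because the tools' exit codes are not documented in the article, the script does not branch on them; check the console output of each command before assigning.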
After the workstation or server restarts, any RPC interfaces that use the ncacn_ip_tcp protocol sequence and do not specify a specific TCP port to which to bind will have a port allocated from this range by the RPC runtime when the RPC server starts.
Note The server may require more than the 21 TCP ports used in this example. You can use the rpcdump.exe command to count the number of RPC endpoints that are bound to a TCP port and then widen the range with RPCCfg.exe if you must. For more information about how to obtain the RPC Dump tool, visit the following Microsoft Web site:
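As an added check that is not part of the article, the following batch file can be run after the restart to confirm that the RPC runtime is allocating from the new range and to see how much of the range is already consumed. It relies only on netstat and findstr for the count; the rpcdump.exe call at the end assumes the Resource Kit / Support Tools version with the /s and /p switches and is included to list the registered ncacn_ip_tcp endpoints for inspection.

```batch
@echo off
rem Added example, not from the Microsoft article: verify the relocated RPC
rem dynamic port range after the restart and gauge how full it is.
setlocal
set FIRSTPORT=5001
set LASTPORT=5021
set /A CAPACITY=%LASTPORT%-%FIRSTPORT%+1
set USED=0

echo TCP listeners inside %FIRSTPORT%-%LASTPORT%:
for /L %%P in (%FIRSTPORT%,1,%LASTPORT%) do (
    rem Match a LISTENING socket whose local port is exactly %%P
    rem (the trailing space after :%%P keeps 5001 from matching 50010).
    netstat -an -p tcp | findstr /R /C:":%%P .*LISTENING" && set /A USED+=1
)
echo %USED% of %CAPACITY% ports in the range are in use.
if %USED% GEQ %CAPACITY% echo The range is exhausted; widen it with rpccfg.exe -pe and restart.

echo.
echo ncacn_ip_tcp endpoints registered with the local Endpoint Mapper
echo (assumes the Resource Kit rpcdump.exe is in the PATH):
rpcdump.exe /s localhost /p ncacn_ip_tcp
endlocal
```

Listeners in the range that belong to non-RPC applications are counted as well, which is exactly the collision the article's note about the 1024-5000 range warns about; a listener here that rpcdump does not report is a candidate for moving the range elsewhere.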