��к�

Select the product you need help with

�Ըա�á�˹�� RPC ��쵷��͹��Ըա�÷��ѡ�Ҥ��ʹ��¾��ҹ�� IPsec

��Ţ�� (Article ID): 908472 - ��Ե�ѳ��Ǣ�ͧ㹺��

��ԡ��ʹ٢�ͨӡѴ��Ѻ�Դ�ͺ�ͧ KB ��¤��

��ԡ��ʴ��¤��е鹩�Ѻ��ѧ��§��ҧ�ѹ

��·�� | �غ��

��ػ

��͸Ժ��Ըա�á�˹�� RPC ��ǧ��Ẻ䴹��ԡ੾��Ըա�÷��ѡ�Ҥ��ʹ��¾��㹪�ǧ�� º�¡��ѡ�Ҥ��ʹ�� (IPsec) ��ⷤ��Թ�� ¤�� RPC ��㹪�ǧ�� ephemeral (1024-5000) ��͡�˹�� RPC ��ء��ա�ÿѧ��·ҧ�ͧ TCP Ẻ �ѡɳС�÷ӧҹ��ö�ӡ��Ҷ֧ restricting ��ҹ�� challenging ��Ѻ��͢�� ͸Ժ��Ըա��Ŵ�ӹǹ��쵵�ҧ � ��ҹ��ء�� RPC ��Ըա�èӡѴ��Ҷ֧��ҹ�� º�� IPsec ��Ѻ�ը�ʷ��

��ͧ�ҡ��鹵͹㹺��Ǣ�ͧ�Ѻ��¹�ŧ��駤��ͧ��ö��к�� 鹵͹��ҹ��÷ӡ�͹��Ҿ�Ǵ�� nonproduction ��кػѭ�Ҥ��ҡѹ��ͧ��ء��ҧ � ��Ҩ�Դ��繼��Ѿ��ͧ��¹�ŧ��ҹ��

��

�ա�õ�駤�Ҥ͹�ԡ�ҹ��·��ͧ��鹡�� Ŵ ��ШӡѴ��Ҷ֧�� RPC

�á ��ǧ��Ẻ䴹��ԡ�ͧ RPC ��èж١�ӡѴ��ѧ��ǧ��쵷��բ�Ҵ�� manageable �ҡ��ҷ��к��͡��¢�� ͹�º�� IPsec �Ѵ�� RPC Ẻ䴹��ԡ��þ��㹪�ǧ�ͧ 1024 �� 5000 ��Ѻ��·ҧ��кؾ��쵷��пѧ

��˵�:��ǧ�� 5021 5001 ��ա��§�� exhausting ephemeral �� Ŵ�ӹǹ��쵵�ҧ � ��ҹ��ѧ��·ҧ�ͧ RPC �ҡ 3,976 �֧ 20

��鹵͹�Ѵ� ��ͧ��ҧ��º�� IPsec ��ͨӡѴ��Ҷ֧��ǧ��쵹��ͻ��ʸ��Ҷ֧��ʵ��͢��

��ش�� º�� IPsec ��ö��Ѻ��ا��á�˹��ҷ��͹ ip �ʹ��ʢͧ�س ��͢��¢ͧ��͢�� Ѻ�� RPC �١��ͤ ��¡��

��͵�ͧ��ҹ�ͧ reconfiguring ��ǧ��Ẻ䴹��ԡ RPC ��ǹ��Ŵ��ͧ��͡�õ�駤�Ҥ͹�ԡ RPC (RPCCfg.exe), �� Ѵ�͡� �ѧ��൪ѹ ��ж١ reconfigured �¡��价��䫵��仹��ͧ Microsoft::

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f9cde2f-8632-4da8-ae70-645e1ddaf369&DisplayLang=en

(http://www.microsoft.com/downloads/details.aspx?FamilyID=0f9cde2f-8632-4da8-ae70-645e1ddaf369&DisplayLang=en)

��͵�ͧ��÷ӧҹ��ѧ��ҧ��º�� IPsec ��ǹ��Ŵ��ͧ�Թ��ⷤ�š��ѡ�Ҥ��ʹ��¹�º�� (Ipsecpol.exe), �� Ѵ�͡� �ѧ��൪ѹ ��ж١ reconfigured �¡��价��䫵��仹��ͧ Microsoft::

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7D40460C-A069-412E-A015-A2AB904B7361

(http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7D40460C-A069-412E-A015-A2AB904B7361)

��˵�:��͵�ͧ��ҧ��º�� IPsec �� Ѻ Microsoft Windows XP ��к��Ժѵԡ�� Windows ��蹷�� Ipseccmd.exe Ipseccmd.exe ��ǹ˹�觢ͧ��ͧ��ʹѺʹع�ͧ Windows XP ��ҡó��С�� IPseccmd.exe ��͹��ҡó��С�� Ipsecpol.exe��Ѻ��ǡѺ��ͧ��ʹѺʹع�ͧ Windows XP ��ԡ��Ţ��仹��ʹٺ��㹰ҹ��ͧ Microsoft:

838079

(http://support.microsoft.com/kb/838079/ )

windows XP Service Pack 2 ��ͧʹѺʹع��

�� Ŵ��ǧ��Ẻ䴹��ԡ�ͧ RPC �� RPCCfg.exe

��͵�ͧ�� Ŵ��ǧ��Ẻ䴹��ԡ RPC �� RPCCfg.exe ��Թ��ôѧ��仹��:

��äѴ�͡ RPCCfg.exe ��ѧ��ж١��˹��
�� :rpccfg.exe - pe 5001 - 5021 -� 0.
��˵�:�йӪ�ǧ��쵹�� »��·ҧ�ͧ RPC ��ͧ�ҡ��㹪�ǧ��Ҩ��ö�Ѵ��Ѻ�� ء�� ¤�� RPC ��ǧ�� 1024 �� 5000 ��Ѻ��ûѹ��ǹ��Ѻ��·ҧ ��ҧ�á�� 㹪�ǧ��ѹ�ѧẺ䴹��ԡ��ǹ��Ѻ�� к��Ժѵԡ�� Windows ��Ѻ Windows ��ء��ͧ��͡�� з�� heavily ��Թ��дѺ��ҧ��觷��͡�ҡ�Ѻ�к��

��ҧ�� Internet Explorer �Դ��캹�� 80 ��ͺ��㹪�ǧ 1024 5000 ��õͺʹͧ�ҡ�� A middle-tier COM server that makes outgoing calls to other remote servers also uses a port in this range for the incoming reply to that call. Moving the range of ports that RPC uses for its endpoints to the 5001 port range will reduce the chance that these ports will be used by other applications.
For more information about ephemeral port usage in Windows operating systems, visit the following Microsoft Web sites.
- ��Ѻ Windows 2000::
  http://technet.microsoft.com/library/bb726981.aspx
  (http://technet.microsoft.com/library/bb726981.aspx)
- For Windows Server 2003:
  http://technet2.microsoft.com/WindowsServer/en/library/823ca085-8b46-4870-a83e-8032637a87c81033.mspx?mfr=true
  (http://technet2.microsoft.com/WindowsServer/en/library/823ca085-8b46-4870-a83e-8032637a87c81033.mspx?mfr=true)

Use an IPsec or firewall policy to block access to the vulnerable ports on the affected host

In the commands in the following section, any text that appears between percent (%) signs is intended to represent text in the command that must be entered by the person who creates the IPsec policy. For example, wherever the text "%IPSECTOOL%" appears, the person who creates the policy should substitute that text as follows:

For Windows 2000, substitute "%IPSECTOOL%" with "ipsecpol.exe."
For Windows XP or a later version of Windows, substitute "%IPSECTOOL%" with "ipseccmd.exe."

For more information about how to use IPsec to block ports, click the following article number to view the article in the Microsoft Knowledge Base:

813878

(http://support.microsoft.com/kb/813878/ )

�Ըա�÷��͡��ⷤ��͢��੾��о�� IPSec

Block access to the RPC Endpoint Mapper for all IP addresses

To block access to the RPC Endpoint Mapper for all IP addresses, use the following syntax.

��˵�:On Windows XP and on later operating systems, use Ipseccmd.exe. On Windows 2000, use Ipsecpol.exe (Windows 2000).

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK

��˵�:Do not type "%IPSECTOOL%" in this command. "%IPSECTOOL%" is intended to represent the part of the command that must be customized. For example, on Windows 2000, type the following command from a directory that contains Ipsecpol.exe to block all incoming access to TCP 135:

ipsecpol.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK

On Windows XP and on later operating systems, type the following command from a directory that contains Ipseccmd.exe to block all incoming access to TCP 135:

ipseccmd.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK

Block access to the RPC dynamic port range for all IP addresses

To block access to the RPC dynamic port range for all IP addresses, use the following syntax.

��˵�:On Windows XP and on later operating systems, use Ipseccmd.exe. On Windows 2000, use Ipsecpol.exe (Windows 2000).

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Block Inbound TCP %PORT% Rule" -f *=0:%PORT%:TCP -n BLOCK

��˵�:Do not type "%IPSECTOOL%" or "%PORT%" in this command. "%IPSECTOOL%" and "%PORT%" are intended to represent parts of the command that must be customized. For example, type the following command on Windows 2000 hosts to block all incoming access to TCP 5001:

ipsecpol.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 5001 Rule" -f *=0:5001:TCP -n BLOCK

To block all incoming access to TCP 5001, type the following command on Windows XP hosts and on hosts of later Windows operating systems:

ipseccmd.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 5001 Rule" -f *=0:5001:TCP -n BLOCK

Repeat this command for each RPC port that must be blocked by changing the port number that is listed in this command. Ports that must be blocked are in the 5001-5021 range.

��˵�:Do not forget to change the port number in the rule name (the-rswitch) and in the filter (the-f��Ե��)

Optional: Give access to the RPC Endpoint Mapper for specific subnets if access is needed

If you must give specific subnets access to the restricted RPC ports, you must first give these subnets access to the RPC Endpoint Mapper that you blocked earlier. To give a specific subnet access to the RPC Endpoint Mapper, use the following command:

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP 135 from %SUBNET% Rule" -f %SUBNET%/%MASK%=0:135:TCP -n PASS

��˵�:In this command, the following statements apply:

"%IPSECTOOL%" represents the command to use. This command is either "ipsecpol.exe" or "ipseccmd.exe." Which command is used depends upon which operating system you are configuring.
"%SUBNET%" represents the remote IP subnet to which you want to give access, for example, 10.1.1.0.
"%MASK%" represents the subnet mask to use, for example, 255.255.255.0.

For example, the following command enables all hosts from the 10.1.1.0/255.255.255.0 subnet to connect to port TCP 135. All other hosts will have their connections denied by the default block rule that was created earlier for this port.
%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP Port 135 from 10.1.1.0 Rule" -f 10.1.1.0/255.255.255.0=0:135:TCP -n PASS

Optional: Give access to the new RPC dynamic port range for specific subnets if access is needed

Each subnet that was given access to the RPC Endpoint Mapper earlier should also be given access to all the ports in the new RPC dynamic port range (5001-5021).

If you enable subnets to reach the RPC Endpoint Mapper but not the dynamic port range, the application may stop responding, or you may experience other problems.

The following command gives a specific subnet access to a port in the new RPC dynamic port range:

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP %PORT% from %SUBNET% Rule" -f %SUBNET%/%MASK%=0:%PORT%:TCP -n PASS

��˵�:㹤��觹�� 觵��仹��:

"% IPSECTOOL %" ��¶֧��ͷ�� 觹�� "ipsecpol.exe" �� "ipseccmd.exe" ��㴢��к��Ժѵԡ�÷��س��ѧ��˹��
%�� "%" ��¶֧��㹪�ǧ��Ẻ䴹��ԡ��ù��
"%��͢��%" ��¶֧��͢�� IP ��·��س��ͧ��ù�� ҧ�� 10.1.1.0
"%��ʡ�%" ��¶֧�Ѻ��ʡ�� ҧ�� 255.255.255.0

��ҧ�� 觵��仹��ʵ��ҡ��͢�� 10.1.1.0/255.255.255.0 ��͡Ѻ�� TCP 5001 ��ʵ�� ա��ͷ��١��ʸ �¡��ú��͡��鹷��١��ҧ��͹˹�ҹ��Ѻ��쵹��
%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP Port 5001 from 10.1.1.0 Rule" -f 10.1.1.0/255.255.255.0=0:5001:TCP -n PASS

��˵�:��觹��ö١�ӫ��Ѻ��͢��о��㹪�ǧ��Ẻ䴹��ԡ RPC ��

��˹��º�� IPsec

��˵�:��ǹ��ռŷѹ��

��ѧ�ҡ��س��ҧ��ú��͡�� ͡��顮��Ѻ RPC ��١��˹��Ҿ�� ˹��º�� ¡��觵��仹��:

%IPSECTOOL% -w REG -p "Block RPC Ports" �x

��˵�:��͵�ͧ��㹷ѹ�� unassign ��º�� 觵��仹��:

%IPSECTOOL% -w REG -p "Block RPC Ports" �y

��˵�:��͵�ͧ��ź��º�¨ҡ�ը�ʷ�� 觵��仹��:

%IPSECTOOL% -w REG -p "Block RPC Ports" -o

�س��ͧ��鹡��ʵ��Ѻ��¹�ŧ�ռ�

��˵�

��¹�ŧ��õ�駤�Ҥ͹�ԡ RPC ��繵�ͧ�ա��к��
��¹�ŧ��º�� IPsec �ռŷѹ�� 繵�ͧ�ա��ʵ��

��ѧ�ҡ��൪ѹ��ʵ�� Թ��࿫� � �ͧ RPC ��ӴѺ�ͧ��ⷤ�� ncacn_ip_tcp ��к�੾�о�� TCP ��١ ��ա�ûѹ��ǹ�ҡ��ǧ�� ¡��ҹ��ԧ RPC �� RPC ��

��˵�:��Ҩ��繵�ͧ�� TCP �ҡ�� 20 �س��ö��rpcdump.exe�� ͹Ѻ�ӹǹ RPC ��·ҧ��١�١��ҡѺ�� TCP ��Ţ��Ҥس��ͧ�� Ѻ��ǡѺ�Ըա�â��Ѻ��ͧ��͡�ö��͹�� RPC ��价��䫵��仹��ͧ Microsoft:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd

(http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd)

�س��ѵ�

��Ţ�� (Article ID): 908472 - ��Ǥ��ش��: 16 ��Ҥ� 2554 - Revision: 2.0

��Ѻ

Microsoft Windows Server 2003 Service Pack 1��Ѻ:

Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition

Microsoft Windows XP Media Center Edition 2005

kbinfo kbmt KB908472 KbMtth

��¤��

��Ӥѭ: ��«Ϳ��Ŵ��¤��ͧ Microsoft ᷹��繹ѡ�ŷ��繺ؤ�� Microsoft �պ��¹ѡ��к��Ŵ��¤�� س��ö��Ҷ֧��㹰ҹ��ͧ�� Ңͧ�س�ͧ ��ҧ�á�� Ŵ��¤��Ҩ�բ�ͺ��ͧ ��Ҩ�բ�ͼԴ��Ҵ㹤��Ѿ�� ٻẺ��ҡó� ��ǡѺ�óշ��ǵ�ҧ�ҵԾٴ�Դ��;ٴ��Ңͧ�س Microsoft ��ǹ�Ѻ�Դ�ͺ��ͤ��Ҵ��͹ ��Դ��Ҵ��ͤ��·��Դ�ҡ��ҼԴ��Ҵ ��͡��麷�Ţͧ�١�� Microsoft �ա�û�Ѻ��ا�Ϳ��Ŵ��¤��繻�Ш�

��仹��繩�Ѻ��ѧ��ɢͧ��:908472

(http://support.microsoft.com/kb/908472/en-us/ )