Description: Research paper describing not-so-well-known characteristics of Windows network services, focusing on the TCP/IP stack and the SMB/CIFS and MSRPC protocol implementations.
Context and dates: Internal study. Initial version on 22 October 2003. Updated on 23 May 2006.
Author: Jean-Baptiste Marchand
Copyright © 2003-2006, Hervé Schauer Consultants, all rights reserved.

Windows network services internals

Jean-Baptiste Marchand

Revision History
22 October 2003
Initial version.
5 July 2004
Major update
19 October 2004
Port to the docbook typesetting system
20 January 2005
Major update of the NULL sessions section, including new information about Windows XP SP2 and Windows Server 2003 SP1
19 March 2005
Additional details about NULL session restrictions for samr and lsarpc interfaces on Windows XP and Windows Server 2003 (including for Active Directory domain controllers)
31 May 2005
Many small fixes, additions and reordering of sections
May 2006
Major update: new MSRPC interfaces, Windows Vista content (SMB 2.0, new MSRPC interfaces), documentation of Windows API, MSRPC vulnerabilities section, MSRPC and DCOM network traffic sections, sections reorganization, new naming convention for generated HTML pages, URL updates.
22 May 2006
Last update

Table of Contents

1. Introduction
2. TCP/IP stacks
2.1. Introduction to Windows TCP/IP stacks
2.2. Windows 2000/XP/Server 2003 TCP/IP stack
2.3. No privileged ports
2.4. Ephemeral ports allocation
2.5. Identifying opened ports
2.5.1. netstat command
2.5.2. Identifying processes behind sockets
2.6. Sockets binding and hijacking
2.6.1. SO_EXCLUSIVEADDRUSE socket option
2.6.2. Example of multiple bindings: NetBT driver in Windows NT 4.0 SP6a
2.6.3. Multiple sockets bindings
2.6.4. What happens when SO_EXCLUSIVEADDRUSE is not used?
2.6.5. Windows services and drivers protected against socket hijacking
2.6.6. Global protection against socket hijacking
2.6.7. Diagnosing socket binding problems
2.7. The missing network loopback interface
2.8. Windows Vista TCP/IP stack
3. SMB/CIFS and SMB 2.0
3.1. SMB/CIFS and SMB 2.0 protocols
3.2. NetBIOS over TCP/IP
3.3. SMB transports
3.4. Vulnerabilities in Microsoft SMB/CIFS implementation
4. MSRPC, a.k.a. Microsoft implementation of DCE RPC
4.1. Introduction to MSRPC
4.2. DCE RPC Interface
4.3. MSRPC transports
4.4. MSRPC security model
4.5. RPC services registration
4.6. MSRPC over SMB
4.6.1. Named pipes
4.6.2. Named pipes used as MSRPC endpoints
4.6.3. Well-known MSRPC named pipes
4.7. NULL sessions
4.7.1. Introduction
4.7.2. Enabling NULL sessions restrictions
4.7.3. The ANONYMOUS LOGON network logon session
4.7.4. Restrictions at the share level
4.7.5. Restrictions on named pipes (IPC$ share)
4.7.6. Hardcoded named pipes
4.7.7. Named pipes permissions
4.7.8. Named pipes firewall in Windows XP SP2, Windows Server 2003 SP1 and later versions
4.7.9. NULL sessions restrictions settings in Windows 2000
4.7.10. NULL sessions restrictions settings in Windows XP and Windows Server 2003
4.7.11. NULL session restrictions for the samr interface in Windows XP and Windows Server 2003
4.7.12. NULL session restrictions for the lsarpc interface in Windows XP and Windows Server 2003
4.7.13. NULL sessions restrictions for the samr interface on Active Directory domain controllers
4.7.14. NULL sessions restrictions for the lsarpc interface on Active Directory domain controllers
4.7.15. NULL sessions restrictions of server and workstation RPC operations
4.8. MSRPC over TCP/IP
4.8.1. Portmapper RPC service
4.8.2. RPC interfaces supported by the rpcss service
4.8.3. DCOM-related RPC interfaces running in the rpcss service
4.8.4. ORPC interfaces running in the rpcss service
4.9. Windows core MSRPC interfaces
4.9.1. lsarpc interface
4.9.2. samr interface
4.9.3. netlogon interface
4.9.4. drsuapi interface
4.9.5. dssetup interface
4.9.6. eventlog interface
4.9.7. pnp interface
4.9.8. srvsvc interface
4.9.9. svcctl interface
4.9.10. winreg interface
4.9.11. wkssvc interface
4.10. Windows services MSRPC interfaces
4.10.1. Active Directory domain controllers RPC services
4.10.2. Computer Browser service
4.10.3. DCOM Server Process Launcher
4.10.4. Distributed File System service
4.10.5. DNS server
4.10.6. Exchange RPC services
4.10.7. Exchange RPC services in Active Directory domains
4.10.8. File Replication service
4.10.9. IIS services
4.10.10. Inter-site Messaging service
4.10.11. Message Queuing and Distributed Transaction Coordinator services
4.10.12. Messenger service
4.10.13. NetDDE service
4.10.14. RPC locator service
4.10.15. Scheduler service
4.10.16. Spooler service
4.10.17. WINS service
4.11. Other MSRPC interfaces
4.11.1. Application Management service
4.11.2. Certificate services
4.11.3. Client Service for NetWare
4.11.4. Cryptographic Services service
4.11.5. DHCP Client service
4.11.6. DHCP Server service
4.11.7. Distributed Link Tracking Client service
4.11.8. Distributed Link Tracking Server service
4.11.9. DNS Client service - Windows 2000
4.11.10. DNS Client service - Windows XP and later versions
4.11.11. EFS
4.11.12. Fax server
4.11.13. File Server for Macintosh
4.11.14. IPsec Policy Agent service - Windows 2000
4.11.15. IPsec Services service - Windows XP and later versions
4.11.16. License Logging service
4.11.17. Microsoft SQL Server
4.11.18. Protected storage service
4.11.19. Routing and Remote Access service
4.11.20. Secondary Logon service
4.11.21. Security Configuration Editor Engine
4.11.22. SSDP Discovery Service service
4.11.23. System Event Notification service
4.11.24. Telephony service
4.11.25. Terminal Server service
4.11.26. WebClient service
4.11.27. Windows Audio service
4.11.28. Windows File Protection
4.11.29. Windows Security Center
4.11.30. Windows Time service
4.11.31. Winlogon process - Windows 2000
4.11.32. Winlogon process - Windows Server 2003
4.11.33. Wireless Configuration service
4.12. MSRPC interfaces introduced in Windows Vista
4.12.1. Group Policy Client Service
4.12.2. Network Location Awareness
4.12.3. Network Store Interface
4.12.4. Parental controls
4.12.5. Peer Networking Identity Manager
4.12.6. Remote Registry Service
4.12.7. Windows event collector service
4.12.8. Windows event logging service
4.12.9. Windows Firewall
4.12.10. Windows Wireless LAN 802.11 Auto Configuration Service
4.12.11. Wired Autoconfiguration Service
4.13. Implication of multiple RPC services in one process
4.13.1. Win32 services hosting
4.13.2. Example of multiple RPC services in one process
4.13.3. Implications of running multiple RPC services in one process
4.14. RPC services protection
4.15. RPC interfaces restriction in Windows XP SP2, Windows Server 2003 SP1 and later versions
4.16. MSRPC vulnerabilities
4.17. MSRPC network traffic
4.17.1. MSRPC network traffic analysis with Ethereal
4.17.2. MSRPC network traffic analysis in Network Intrusion Prevention Systems
4.17.3. MSRPC network traffic analysis in Firewalls
4.18. DCOM
4.18.1. COM interfaces
4.18.2. DCOM network traffic
5. Conclusion
Bibliography

List of Tables

4.1. MSRPC security providers
4.2. Named pipes used by MSRPC servers
4.3. epmp operations
4.4. localepmp operations
4.5. DbgIdl operations
4.6. FwIdl operations
4.7. IRemoteActivation (IActivation) operations
4.8. IOXIDResolver operations
4.9. ILocalObjectExporter operations
4.10. ISCM operations
4.11. IROT operations
4.12. IMachineActivatorControl operations
4.13. ISCMActivator operations
4.14. ISystemActivator (IRemoteSCMActivator) operations
4.15. lsarpc operations
4.16. samr operations
4.17. netlogon operations
4.18. drsuapi operations
4.19. dssetup operations
4.20. eventlog operations
4.21. pnp operations
4.22. nt4_pnp operations
4.23. srvsvc operations
4.24. svcctl operations
4.25. winreg operations
4.26. wkssvc operations
4.27. JetBack operations
4.28. JetRest operations
4.29. dsrole operations
4.30. dsaop operations
4.31. browser operations
4.32. IActivationKernel operations
4.33. netdfs operations
4.34. DnsServer operations
4.35. exchange_mapi operations
4.36. exchange_rfr operations
4.37. rxds operations
4.38. nspi operations
4.39. FrsRpc operations
4.40. NtFrsApi operations
4.41. PerfFrs operations
4.42. inetinfo operations
4.43. iis_smtp operations
4.44. iis_nntp operations
4.45. iis_imap operations
4.46. iis_pop operations
4.47. ismapi operations
4.48. ismserv_ip operations
4.49. qmcomm operations
4.50. qmcomm2 operations
4.51. qm2qm operations
4.52. qmrepl operations
4.53. qmmgmt operations
4.54. IXnRemote operations
4.55. msgsvc operations
4.56. msgsvcsend operation
4.57. nddeapi operations
4.58. NsiS operations
4.59. NsiC operations
4.60. NsiM operations
4.61. atsvc operations
4.62. sasec operations
4.63. idletask operations
4.64. ITaskSchedulerService operations
4.65. winspool operations
4.66. winsif operations
4.67. winsi2 operations
4.68. appmgmt operations
4.69. ICertPassage operations
4.70. nwwks operations
4.71. IKeySvc operations
4.72. IKeySvc2 operations
4.73. ICertProtect operations
4.74. ICatDBSvc operations
4.75. RpcSrvDHCPC operations
4.76. dhcpcsvc6 operations
4.77. dhcpsrv operations
4.78. dhcpsrv2 operations
4.79. trkwks operations
4.80. trksvr operations
4.81. dnsrslvr operations
4.82. DnsResolver operations
4.83. efsrpc operations
4.84. fax_Server operations
4.85. sfmsvc operations
4.86. PolicyAgent operations
4.87. winipsec operations
4.88. lls_license operations
4.89. llsrpc operations
4.90. RPCnetlib operations
4.91. IPStoreProv operations
4.92. ICryptProtect operations
4.93. PasswordRecovery operations
4.94. BackupKey operations
4.95. rras operations
4.96. ISeclogon operations
4.97. SceSvc operations
4.98. ssdpsrv operations
4.99. SensApi operations
4.100. SENSNotify operations
4.101. tapsrv operations
4.102. lcrpc operations
4.103. winstation_rpc operations
4.104. davclntrpc operations
4.105. AudioSrv operations
4.106. AudioSrv operations
4.107. AudioRpc operations
4.108. AudioSrv operations
4.109. sfcapi operations
4.110. SecurityCenter operations
4.111. w32time operations
4.112. InitShutdown operations
4.113. pmapapi operations
4.114. GetUserToken operations
4.115. IUserProfile operations
4.116. IProfileDialog operations
4.117. IRPCSCLogon operations
4.118. winwzc operations
4.119. IGroupPolicyUtilities operations
4.120. nlaapi operations
4.121. nlaplg operations
4.122. WinNsi operations
4.123. WPCSvc operations
4.124. IP2pIMSvc operations
4.125. IPeerGroupSvc operations
4.126. pnrpsvc operations
4.127. perflibv2 operations
4.128. ICollectorService operations
4.129. IEventService operations
4.130. FwRpc operations
4.131. Fw_Resource_Indication operations
4.132. winwlan operations
4.133. winwdiag operations
4.134. winlan operations
4.135. Vulnerabilities in MSRPC interfaces
4.136. IRemUnknown methods
4.137. IRemUnknown2 methods
4.138. IOrCallback operations
Last modified on 4 November 2010.