4.17.3. MSRPC network traffic analysis in Firewalls
To properly implement a network security policy in Windows environments, it might be desirable to use firewalls that understand MSRPC. Depending on the completeness of the implementation, MSRPC support in a firewall might include the following features:
- Support of multiple protocol sequences: TCP, UDP, SMB, HTTP
- Sanity checks on network traffic, to ensure that it corresponds to legitimate DCE RPC PDUs
- State kept in the MSRPC filtering engine, to match requests and responses
- Possibility to specify a list of allowed or denied interfaces (using UUIDs)
- Possibility to specify a list of allowed or denied operations for specific interfaces
- Possibility to analyze results of endpoint mapper queries and dynamically allow traffic to the ports revealed in the answers
- Possibility to analyze results of DCOM activation requests and dynamically allow traffic to the ports needed to reach allowed DCOM servers
- Possibility to block SMB NULL sessions
- Possibility to restrict connections to certain named pipes (SMB transport)
- Possibility to block unauthenticated MSRPC sessions (especially when the TCP transport is used)
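The following is an added example (not code from the original document or from any firewall vendor) showing how three of the features listed above fit together on the TCP transport: sanity checks on the DCE RPC common header, an interface (UUID) and operation (opnum) allow-list, and per-connection state that ties responses back to the requests that caused them. The endpoint mapper interface UUID and the NDR transfer syntax UUID are the well-known ones; the second interface UUID, the opnum policy and the replayed session are constructed for the example. It assumes single-fragment, unauthenticated connection-oriented PDUs; anything else is dropped rather than guessed at.

```python
"""Stateful filter for DCE RPC connection-oriented PDUs (added example)."""
import struct
import uuid

PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_FAULT = 0, 2, 3
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
DREP_LITTLE_ENDIAN = 0x10          # upper nibble of drep byte 0: 1 = little-endian integers

EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")            # well-known endpoint mapper
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # well-known NDR syntax
SAMPLE_DENIED_UUID = uuid.UUID("12345678-1234-1234-1234-123456789abc")   # constructed, not allowed

# Policy: interface UUID -> allowed opnums (None = every operation). Constructed sample policy.
POLICY = {EPM_UUID: {2, 3}}


class ConnState:
    """Per-TCP-connection state kept by the filtering engine."""
    def __init__(self):
        self.contexts = {}   # presentation context id -> interface UUID, learned from bind
        self.pending = {}    # call_id -> (interface UUID, opnum) of requests awaiting a response


def parse_header(pdu):
    """Sanity-check the 16-byte common header; return (ptype, endian, call_id) or raise."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than common header")
    vers, vers_minor, ptype, flags = pdu[0], pdu[1], pdu[2], pdu[3]
    if vers != 5 or vers_minor not in (0, 1):
        raise ValueError("not a DCE RPC 5.x PDU")
    endian = "<" if pdu[4] & DREP_LITTLE_ENDIAN else ">"
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match the bytes on the wire")
    if auth_len > frag_len - 16:
        raise ValueError("auth_length overruns the fragment")
    if flags & (PFC_FIRST_FRAG | PFC_LAST_FRAG) != (PFC_FIRST_FRAG | PFC_LAST_FRAG):
        raise ValueError("multi-fragment PDUs are outside this example")
    return ptype, endian, call_id


def parse_bind(pdu, endian):
    """Return {context id: interface UUID} from the context list of a bind PDU."""
    n_ctx, off, contexts = pdu[24], 28, {}
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack(endian + "HB", pdu[off:off + 3])
        if off + 24 + 20 * n_ts > len(pdu):
            raise ValueError("truncated presentation context list")
        raw = pdu[off + 4:off + 20]                       # abstract syntax UUID (version follows)
        contexts[ctx_id] = uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw)
        off += 24 + 20 * n_ts                             # 4 + 20 abstract + 20 per transfer syntax
    return contexts


def filter_pdu(state, pdu, policy=POLICY):
    """Return ("ALLOW" | "DROP", reason) for one PDU on a connection, updating state."""
    try:
        ptype, endian, call_id = parse_header(pdu)
        if ptype == PTYPE_BIND:
            contexts = parse_bind(pdu, endian)
            for iface in contexts.values():
                if iface not in policy:
                    return "DROP", f"bind to interface {iface} not allowed"
            state.contexts.update(contexts)
            return "ALLOW", f"bind to {len(contexts)} allowed interface(s)"
        if ptype == PTYPE_REQUEST:
            ctx_id, opnum = struct.unpack(endian + "HH", pdu[20:24])
            iface = state.contexts.get(ctx_id)
            if iface is None:
                return "DROP", f"request on unbound context {ctx_id}"
            allowed = policy.get(iface)
            if allowed is not None and opnum not in allowed:
                return "DROP", f"opnum {opnum} denied on {iface}"
            state.pending[call_id] = (iface, opnum)
            return "ALLOW", f"request opnum {opnum} on {iface}"
        if ptype in (PTYPE_RESPONSE, PTYPE_FAULT):
            if call_id not in state.pending:               # no request seen: unsolicited
                return "DROP", f"response to unknown call_id {call_id}"
            iface, opnum = state.pending.pop(call_id)
            return "ALLOW", f"response to opnum {opnum} on {iface}"
        if ptype == PTYPE_BIND_ACK:
            return "ALLOW", "bind_ack"
        return "DROP", f"unsupported packet type {ptype}"
    except (ValueError, struct.error) as exc:
        return "DROP", f"malformed PDU: {exc}"


# --- constructed PDU builders used only to replay a sample session ---
def _header(ptype, call_id, body_len):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                       b"\x10\x00\x00\x00", 16 + body_len, 0, call_id)

def build_bind(call_id, iface, ctx_id=0):
    ctx = (struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<HH", 3, 0)
           + NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx
    return _header(PTYPE_BIND, call_id, len(body)) + body

def build_request(call_id, opnum, ctx_id=0, stub=b""):
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _header(PTYPE_REQUEST, call_id, len(body)) + body

def build_response(call_id, ctx_id=0, stub=b""):
    body = struct.pack("<IHBB", len(stub), ctx_id, 0, 0) + stub
    return _header(PTYPE_RESPONSE, call_id, len(body)) + body


def run_demo():
    """Replay a constructed session through one connection; return the verdicts in order."""
    state = ConnState()
    session = [
        build_bind(1, EPM_UUID),                        # allowed interface
        build_request(2, 3),                            # allowed opnum
        build_response(2),                              # matches pending call_id 2
        build_response(99),                             # no such request
        build_request(3, 0),                            # opnum not in policy
        build_bind(4, SAMPLE_DENIED_UUID, ctx_id=1),    # interface not in policy
        bytes.fromhex("05000b0310000000ffff000005000000"),  # frag_length 0xffff, 16 bytes on wire
    ]
    return [filter_pdu(state, pdu)[0] for pdu in session]


if __name__ == "__main__":
    print(run_demo())
```

The replay yields ALLOW for the bind, request and matching response, then DROP for the unsolicited response, the denied opnum, the unknown interface and the PDU whose frag_length disagrees with the bytes on the wire. The last check is the kind of sanity test that, as the next paragraph notes, can start rejecting legitimate traffic when an implementation changes its encoding, so a production engine needs a way to update its notion of "valid" without turning the check off.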
With Windows Server 2003 SP1, a modification to the MSRPC implementation was introduced. As a consequence, firewalls implementing sanity checks on MSRPC traffic started to block traffic originating from these systems, because the firewall software no longer considered the traffic valid.
are available from the different vendors to fix the problem.