Step 4: Allowing Inbound Network Traffic that Uses Dynamic RPC

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

If every program and service that needed to communicate over the network assigned its own port number, you can easily imagine that sooner or later two programs would conflict over the use of the same port. To address this, many programs use the Remote Procedure Call (RPC) protocol to request communications with a host service on a dynamically assigned port number. When a service starts up, it registers with the RPC service and requests the assignment of one or more dynamic port numbers. When the remote client needs to communicate with that service, it does not know which port numbers have been assigned. To find out, the client connects to the server on TCP port 135 (the "well-known" port number for the RPC Endpoint Mapper service), and identifies the service to which it wants to connect. The RPC Endpoint Mapper service replies with the port number that the client should use to connect to the desired service. The client then reconnects to the server using the assigned port number, and communication with the desired service begins.

In versions of Windows earlier than Windows Vista, dynamically assigned ports have been a challenge for firewall administrators. Either they had to create rules that open large ranges of port numbers in the dynamically assigned range (all ports greater than 1024), or they had to limit the program to using a much smaller number of ports than it was designed to use. Creating rules that open many ports that are not currently in active use increases the computer's attack surface. Limiting programs to fewer ports might compromise their performance, and some programs provide no way to configure or limit the port numbers they use. Neither is a good situation.

Starting in Windows Vista, Windows Firewall with Advanced Security supports stateful filtering of the dynamically assigned port numbers used by RPC. Only those port numbers currently assigned by RPC to an active service are opened, and even then, a dynamically assigned port is opened only to clients that asked to connect to that service by making a request to the RPC Endpoint Mapper.

Note

To determine whether your program must use ports that are dynamically assigned by RPC, see the documentation provided by your program's vendor. You can also examine the traffic going to and from your program by using a network protocol analyzer such as Microsoft Network Monitor. You can download Network Monitor at https://go.microsoft.com/fwlink/?LinkID=94770.

In Windows Vista and later versions of Windows, this problem is solved by the introduction of rules that can directly support RPC port requirements for programs. To configure this support for a program, you must create the following rules:

  • An inbound rule that allows inbound network traffic for the RPC Endpoint Mapper. This rule allows the computer to receive traffic sent to TCP port 135. The rule must also be configured with the Allow action and the program path of the RPC Endpoint Mapper service.

  • An inbound rule that specifies Dynamic RPC for the port number. When an incoming request from a remote computer is received by the RPC Endpoint Mapper service on port 135 (see the previous rule), the service assigns a dynamic port number to the request and replies to the remote computer by using that number. The IP address of the remote computer and the dynamic port number are stored in an internal table. When the remote computer then sends a packet to the new port number, this rule allows Windows to match the port number and IP address to the entries stored in the table. If a match is found, it allows the inbound traffic.

The advantage is that any port in the RPC ephemeral range can be used without having to explicitly define a rule to open that port. The port is only usable by a program that was assigned the use of the port by the endpoint mapper. No unused ports are left open, reducing the vulnerability of the server.

Important

If you create rules to allow RPC network traffic through the firewall, then all RPC network traffic is permitted. Windows Firewall cannot filter network traffic based on the UUID of the destination program.

In this section, you create rules for the Remote Event Log service that use Dynamic RPC. Although Windows has predefined rules that provide this capability, you create the rules manually to see the steps that are involved.

To begin, confirm that the Remote Event Log service is not currently working remotely from the client because the firewall on MBRSVR1 is blocking the traffic.

To confirm that the Remote Event Log service is not working remotely

  1. On CLIENT1, click Start, type event viewer in the Start Search box, and then press ENTER.

  2. Click Action, and then click Connect to another computer.

  3. In the Another computer text box, type MBRSVR1, and then click OK.

  4. After several seconds, the connection attempt times out and fails as shown in the following figure, because Windows Firewall with Advanced Security on MBRSVR1 is dropping the required network traffic. Click OK.

To allow this service to work, begin by creating a rule that supports inbound traffic to the RPC Endpoint Mapper service. This example shows how to create a firewall rule that restricts a service host process (svchost.exe), which hosts many services, to only the one service of interest, and then further restricts that service to only the required TCP port.

To create a rule that allows inbound network traffic to the RPC Endpoint Mapper service

  1. On MBRSVR1, in Group Policy Management Editor for your server GPO, in the navigation pane, right-click Inbound Rules, and then click New rule.

  2. On the Rule Type page, click Custom, and then click Next.

  3. In the This program path text box, type %systemroot%\system32\svchost.exe.

  4. Next to Services, click Customize.

  5. Click Apply to this service, select Remote Procedure Call (RPC) with a short name of RpcSs, click OK, and then click Next.

  6. On the warning about conflicting with Windows service-hardening rules, click Yes.

  7. On the Protocol and Ports page, for Protocol type, select TCP.

  8. For Local Port, select RPC Endpoint Mapper, and then click Next.

  9. On the Scope page, click Next.

  10. On the Action page, click Next.

  11. On the Profile page, clear the Private and Public check boxes, and then click Next.

  12. On the Name page, type Allow RPC Endpoint Mapper, and then click Finish.

Next, create a rule that allows the incoming traffic from the remote Event Log client. Since the incoming port number is assigned dynamically by the RPC Endpoint Mapper service, you specify Dynamic RPC instead of a specific port number.

Note

The Windows Event Log service used as the example in this walkthrough is hosted in %systemroot%\system32\svchost.exe. In a production environment, be sure to use the path of the executable file that hosts the service for which you want to create rules.

To create a rule that allows inbound network traffic to your RPC-enabled service

  1. On MBRSVR1, in Group Policy Management Editor, in the navigation pane, right-click Inbound Rules, and then click New rule.

  2. On the Rule Type page, click Custom, and then click Next.

  3. In the This program path text box, type %systemroot%\system32\svchost.exe. The Remote Event Log service is another service hosted by that file.

  4. Next to Services, click Customize.

  5. Click Apply to this service, select Windows Event Log with a short name of eventlog, click OK, and then click Next.

  6. On the warning about conflicting with Windows service-hardening rules, click Yes.

  7. On the Protocol and Ports page, for Protocol type, select TCP.

  8. For Local Port, select Dynamic RPC (on Windows Server 2008) or RPC Dynamic Ports (on Windows Server 2008 R2), and then click Next.

  9. On the Scope page, click Next.

  10. On the Action page, click Next.

  11. On the Profile page, clear the Private and Public check boxes, and then click Next.

  12. On the Name page, type Allow Remote Event Log Service, and then click Finish.

    Now you can apply the GPO to MBRSVR1.

  13. At an Administrator: Command Prompt, run gpupdate /force. Wait for the command to finish.

  14. If it is not already open, open the Windows Firewall with Advanced Security snap-in.

  15. Expand Monitoring, click Firewall, and then confirm that your new rules are now active on the computer.
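The two rules above can also be created from the command line. The following is an added example, not part of the original walkthrough: it uses netsh advfirewall to create the same two rules (same names, program path, service short names, and port keywords as the GUI steps) and then shows how to verify them. It writes to the local firewall policy store rather than to the server GPO that the walkthrough edits, and the remoteip restriction shown in the comment, with its subnet value, is an assumed hardening step that goes beyond the walkthrough's Scope page (which leaves the remote address as Any).

```powershell
# Added example (not from the original walkthrough). Run in an elevated
# PowerShell or Command Prompt on MBRSVR1. These commands target the local
# policy store; the walkthrough puts the same rules into the server GPO.

# Show which svchost.exe instances host RpcSs and eventlog, to see why the
# rules are scoped to a service and not just to the program path.
tasklist /svc /fi "imagename eq svchost.exe"

# Rule 1: allow the RPC Endpoint Mapper (TCP 135), restricted to the
# Remote Procedure Call service (short name RpcSs) inside svchost.exe.
netsh advfirewall firewall add rule `
    'name=Allow RPC Endpoint Mapper' `
    dir=in action=allow enable=yes profile=domain `
    program='%SystemRoot%\system32\svchost.exe' `
    service=RpcSs `
    protocol=tcp localport=RPC-EPMap

# Rule 2: allow the dynamically assigned RPC ports, restricted to the
# Windows Event Log service (short name eventlog) inside svchost.exe.
# The keyword localport=RPC is the netsh equivalent of "Dynamic RPC" /
# "RPC Dynamic Ports" in the New Inbound Rule Wizard.
netsh advfirewall firewall add rule `
    'name=Allow Remote Event Log Service' `
    dir=in action=allow enable=yes profile=domain `
    program='%SystemRoot%\system32\svchost.exe' `
    service=eventlog `
    protocol=tcp localport=RPC
# Optional hardening beyond the walkthrough: limit both rules to the
# management subnet by appending, for example, remoteip=10.0.0.0/24
# (assumed subnet) to each add rule command.

# Verify that the rules exist and show their full settings, including the
# service and port keyword.
netsh advfirewall firewall show rule 'name=Allow RPC Endpoint Mapper' verbose
netsh advfirewall firewall show rule 'name=Allow Remote Event Log Service' verbose

# Confirm the endpoint mapper is actually listening on TCP 135.
netstat -ano -p tcp | findstr ":135 "
```

Because Windows Firewall cannot filter on the RPC interface UUID (see the Important note above), the service restriction plus a remoteip scope is the main way to keep the dynamic-port rule from exposing more than the one service you intend.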

Now you can try to connect to the Remote Event Log service from the client again.

To confirm that the Remote Event Log service is working

  1. On CLIENT1, in Event Viewer, click Action, and then click Connect to another computer.

  2. In the Another computer text box, type MBRSVR1, and then click OK.

  3. The attempt succeeds, and the top node in the navigation pane shows that the viewer is connected to MBRSVR1.contoso.com.

  4. Close Event Viewer.
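The same connectivity check can be done without the Event Viewer GUI. This is an added example, not part of the original walkthrough: it uses the built-in wevtutil tool on CLIENT1 to query the Remote Event Log service on MBRSVR1 over RPC, which exercises exactly the endpoint mapper and dynamic-port rules created in this step. It assumes the GPO has been applied on MBRSVR1 and that the account running the command may read event logs there.

```powershell
# Added example (not from the original walkthrough). Run on CLIENT1.
# Both commands connect to the Remote Event Log service on MBRSVR1 via RPC:
# first TCP 135 (endpoint mapper), then the dynamically assigned port.

# List the event logs available on the remote server.
wevtutil el /r:MBRSVR1

# Read the three most recent System log entries from the remote server,
# newest first, as text.
wevtutil qe System /r:MBRSVR1 /c:3 /rd:true /f:text
```

Before the rules are applied, these commands typically fail with "The RPC server is unavailable"; after gpupdate /force has applied both rules, they return the log list and entries. Running the check before and after is a quick way to confirm that the firewall, and not permissions or name resolution, was the cause of the earlier connection failure.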

Next topic: Step 5: Viewing the Firewall Log