Educause Security Discussion mailing list archives

Re: Risks of RPC over HTTP


From: Chris Green <cmgreen () UAB EDU>
Date: Wed, 15 Feb 2006 10:24:55 -0600

On 2/15/06 9:39 AM, "James H Moore" <jhmfa () RIT EDU> wrote:

- - - -
Our technical infrastructure has "turned it on".  I am left trying to
find out what controls need to be in place.  Best practices,
opinions, references welcome.

I recently attended a talk by Jesper Johansson at Microsoft Security Summit
East.  He has a book out "Protect Your Windows Network from
Perimeter to Data" which covers some of these concepts but not this case
specifically. I've written him to see if I can have a link to that talk or
other documents supporting the following.

During his talk, he was talking about exposing Exchange out over the
internet for full use with the goal of allowing people to check their mail
from home using full outlook client.  He went down the con of VPN: exposing
them to entire network when they just need access to exchange.

Fast forward a bit and he talked about Outlook 2003 & HTTP-over-RPC.  Due to
the way the RPC API works, you can register as either a remote service or a
local-only service. That exposure decision is made on a per-process basis. If
you have a process that registers 5 local services and 1 remote service,
those local services are exposed out as well. This surprised many
programmers at Microsoft. Fixing this class of bugs was a major enhancement
of 2000 -> 2003 but I'm sure it's not complete, especially for third party
software.

What RPC over HTTP does is allow all those remote RPC services, that you
probably firewalled a long time ago (port 135), out over HTTP (port 593)
opening you up to the risks of RPC.

In his example, he said that ISA Server can allow only the proper
RPC-over-HTTP services to be exposed to the end user since it can work at
the application layer. He did say he very much wished that functionality was
built into the OS rather than ISA Server but that just wasn't the case yet.
That left an assurance he wasn't just pushing ISA Server.

http://www.eeye.com/html/Research/Tools/RPCDCOM.html is one tool that can
show an example of these risks (showing DCOM vulnerability over RPC over
HTTP).

Big Disclaimer:  This is me regurgitating what I heard, but it did make
complete sense to me.  I've made our infrastructure people examine
RPC-over-HTTP and ISA Server before we open up our Exchange for the Outlook
2003 clients.

Hope this helps and I'll let you know if I find hard references.
--
Chris Green
UAB Data Security, 5-0842