Educause Security Discussion mailing list archives
Re: Risks of RPC over HTTP
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 15 Feb 2006 12:00:51 -0500
James H Moore wrote:
> Our technical infrastructure has "turned it on". I am left with trying to find out to see what controls need to be in place. Best practices, Opinions, References welcome.

This article seems to suggest that DCOM access through RPC over HTTP can be disabled even when Exchange functionality is desired which would seem to reduce the exposure.

"On computers that are running Windows Server 2003, RPC over HTTP is required for Microsoft Exchange Server 2003 and for Microsoft Office System if Microsoft Office Outlook 2003 has been configured to use RPC over HTTP for checking corporate e-mail. Disabling or removing RPC over HTTP will prevent Office Outlook 2003 clients from connecting to their mailboxes by using RPC over HTTP. If you require RPC over HTTP functionality in your environment, you may want to disable DCOM instead of RPC over HTTP."

http://support.microsoft.com/default.aspx?scid=kb;en-us;825819

And then,

http://support.microsoft.com/default.aspx?kbid=826382

"By default, a server running Windows Server that is configured to support RPC over HTTP will also accept DCOM requests using this protocol. These DCOM requests are then sent to a local port on the server implementing RPC over HTTP (TCP port 593). Security best practices recommend disabling or removing all nonessential components and services."

"If DCOM support is not required on your RPC over HTTP servers, you can remove DCOM support by modifying the registry."

"When you remove entries for port 593, you prevent DCOM from being used through the RPC over HTTP protocol, but RPC programs (like the Outlook 2003 client) are permitted to connect to the RPC server (Exchange 2003 Server) through RPC over HTTP."

"When you use RPC over HTTP to remove DCOM support, you can help mitigate the vulnerabilities that are addressed in security bulletin MS03-026 for servers that expose RPC services over HTTP ports 80,443."

I guess we're lucky we don't have SMB/Netbios over HTTP. Or is that WebDAV? :)

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
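The KB text quoted above says DCOM can be cut off from an RPC-over-HTTP front end by removing the port 593 entries from the proxy's allow list while leaving the Exchange RPC entries in place. The script below is an added example, not part of the list post or of Microsoft's KB articles: it parses an allow list in the `host:port;host:low-high` format used by the RPC proxy's ValidPorts value (the value name and its registry location are an assumption here; reading and writing the registry is left to the administrator), reports every entry that still admits TCP 593, and produces the hardened list with those entries removed or split. The host names and Exchange port numbers in the sample are constructed.

```python
# Added example: audit an RPC-over-HTTP proxy allow list for DCOM (TCP 593) entries
# and produce the hardened list. Not code from the list post or from Microsoft's KB.
# Assumption: the list uses the "host:port;host:low-high" format of the RPC proxy's
# ValidPorts registry value; this script never touches the registry itself.
from typing import Dict, List, NamedTuple

DCOM_PORT = 593  # the local DCOM endpoint the quoted KB text says to remove


class ValidPortEntry(NamedTuple):
    host: str
    low: int
    high: int


def parse_valid_ports(value: str) -> List[ValidPortEntry]:
    """Split a semicolon-separated allow list into (host, low, high) entries."""
    entries: List[ValidPortEntry] = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';'
        host, _, ports = raw.rpartition(":")
        if not host or not ports:
            raise ValueError(f"malformed entry: {raw!r}")
        if "-" in ports:
            low_s, high_s = ports.split("-", 1)
            low, high = int(low_s), int(high_s)
        else:
            low = high = int(ports)
        if not (0 < low <= high <= 65535):
            raise ValueError(f"bad port range: {raw!r}")
        entries.append(ValidPortEntry(host, low, high))
    return entries


def allows_dcom(entry: ValidPortEntry) -> bool:
    """True when the entry's port range admits the DCOM port."""
    return entry.low <= DCOM_PORT <= entry.high


def strip_dcom(entries: List[ValidPortEntry]) -> List[ValidPortEntry]:
    """Drop port 593; a range that spans 593 is split so the rest survives."""
    kept: List[ValidPortEntry] = []
    for e in entries:
        if not allows_dcom(e):
            kept.append(e)
            continue
        if e.low < DCOM_PORT:
            kept.append(ValidPortEntry(e.host, e.low, DCOM_PORT - 1))
        if e.high > DCOM_PORT:
            kept.append(ValidPortEntry(e.host, DCOM_PORT + 1, e.high))
    return kept


def format_valid_ports(entries: List[ValidPortEntry]) -> str:
    """Serialize entries back into the host:port;host:low-high format."""
    parts = []
    for e in entries:
        if e.low == e.high:
            parts.append(f"{e.host}:{e.low}")
        else:
            parts.append(f"{e.host}:{e.low}-{e.high}")
    return ";".join(parts)


def audit(value: str) -> Dict[str, object]:
    """Report DCOM-admitting entries and the hardened allow list."""
    entries = parse_valid_ports(value)
    dcom = [e for e in entries if allows_dcom(e)]
    return {
        "dcom_entries": [format_valid_ports([e]) for e in dcom],
        "hardened": format_valid_ports(strip_dcom(entries)),
    }


# Constructed sample: a back-end (short and fully qualified name) listed with the
# DCOM port alongside its RPC ports, as a default RPC-over-HTTP setup might be.
SAMPLE = (
    "exch01:593;exch01:6001-6002;exch01:6004;"
    "exch01.example.edu:593;exch01.example.edu:6001-6002;exch01.example.edu:6004"
)

if __name__ == "__main__":
    result = audit(SAMPLE)
    for bad in result["dcom_entries"]:
        print(f"DCOM still reachable via: {bad}")
    print("hardened list:", result["hardened"])
```

Run against the value exported from the proxy, the audit lists every entry that still reaches port 593 and prints the replacement list; a range such as `host:500-600` is split into `host:500-592;host:594-600` rather than dropped wholesale, so legitimate ports in the same range are not lost.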
Current thread:
- Risks of RPC over HTTP James H Moore (Feb 15)
- <Possible follow-ups>
- Re: Risks of RPC over HTTP Jeff Kell (Feb 15)
- Re: Risks of RPC over HTTP Chris Green (Feb 15)
- Re: Risks of RPC over HTTP Gary Flynn (Feb 15)