Educause Security Discussion mailing list archives

Re: Risks of RPC over HTTP


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 15 Feb 2006 12:00:51 -0500

James H Moore wrote:

- - - -
Our technical infrastructure has "turned it on". I am left with trying
to find out what controls need to be in place. Best practices,
opinions, references welcome.

This article seems to suggest that DCOM access through RPC over HTTP
can be disabled even when Exchange functionality is desired, which
would seem to reduce the exposure.

"On computers that are running Windows Server 2003, RPC over
 HTTP is required for Microsoft Exchange Server 2003 and for
 Microsoft Office System if Microsoft Office Outlook 2003 has
 been configured to use RPC over HTTP for checking corporate
 e-mail. Disabling or removing RPC over HTTP will prevent
 Office Outlook 2003 clients from connecting to their mailboxes
 by using RPC over HTTP. If you require RPC over HTTP
 functionality in your environment, you may want to disable
 DCOM instead of RPC over HTTP."

http://support.microsoft.com/default.aspx?scid=kb;en-us;825819

And then,

http://support.microsoft.com/default.aspx?kbid=826382

"By default, a server running Windows Server that is configured
 to support RPC over HTTP will also accept DCOM requests using
 this protocol. These DCOM requests are then sent to a local
 port on the server implementing RPC over HTTP (TCP port 593).
 Security best practices recommend disabling or removing all
 nonessential components and services."

"If DCOM support is not required on your RPC over HTTP servers, you
 can remove DCOM support by modifying the registry."

"When you remove entries for port 593, you prevent DCOM from being
 used through the RPC over HTTP protocol, but RPC programs (like
 the Outlook 2003 client) are permitted to connect to the RPC
 server (Exchange 2003 Server) through RPC over HTTP."

"When you use RPC over HTTP to remove DCOM support, you can help
 mitigate the vulnerabilities that are addressed in security
 bulletin MS03-026 for servers that expose RPC services over HTTP
 ports 80,443."

I guess we're lucky we don't have SMB/Netbios over HTTP.
Or is that WebDAV? :)


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
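As an added example, not from this thread or from the Microsoft articles quoted above, the following PowerShell audit parses the RPC proxy's ValidPorts value and reports any entry that would let DCOM's port 593 be reached through RPC over HTTP, then shows what the value would look like with those entries stripped (it does not write to the registry). The registry path, the "host:port;host:port-port" value format and the sample value are assumptions.

```powershell
# Added example (not from the thread or the KB articles): audit the RPC-over-HTTP
# proxy's ValidPorts value for entries exposing DCOM's port 593, as KB 826382 describes.
# Assumption: the value lives at HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts
# and is formatted as "host:port;host:port-port;...".
$ValidPortsPath = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'

function Get-RpcProxyPortEntries {
    param([string]$ValidPorts)
    foreach ($entry in ($ValidPorts -split ';' | Where-Object { $_.Trim() })) {
        $server, $range = $entry.Trim() -split ':', 2
        $low, $high = $range -split '-', 2
        if (-not $high) { $high = $low }          # single port, not a range
        [pscustomobject]@{
            Server     = $server
            Low        = [int]$low
            High       = [int]$high
            AllowsDcom = ([int]$low -le 593 -and 593 -le [int]$high)
            Raw        = $entry.Trim()
        }
    }
}

function Test-RpcProxyDcomExposure {
    param(
        # Defaults to the live value; pass a string to audit a copy offline.
        [string]$ValidPorts = (Get-ItemProperty -Path $ValidPortsPath -Name ValidPorts).ValidPorts
    )
    $entries = Get-RpcProxyPortEntries -ValidPorts $ValidPorts
    $dcom = $entries | Where-Object { $_.AllowsDcom }
    if ($dcom) {
        Write-Warning "DCOM (port 593) reachable through RPC over HTTP via: $(($dcom | ForEach-Object { $_.Raw }) -join ', ')"
    } else {
        Write-Output 'No ValidPorts entry covers port 593; DCOM is not proxied over HTTP.'
    }
    # Proposed value with the 593 entries removed, for review before any change is applied.
    ($entries | Where-Object { -not $_.AllowsDcom } | ForEach-Object { $_.Raw }) -join ';'
}

# Constructed sample value: a server carrying both the Exchange ports and a DCOM entry.
Test-RpcProxyDcomExposure -ValidPorts 'mail01:593;mail01:6001-6002;mail01:6004'
```

Range entries that happen to span 593 (for example "mail01:100-1000") are flagged as well, since they expose DCOM just as a bare 593 entry does.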
