Nmap Development mailing list archives

Re: RPC over HTTP


From: Alan Jones <asj () ipa net>
Date: Sun, 06 Mar 2005 11:07:16 -0600

On Mar 05 2005 Martin Mačok wrote:

>
>On Fri, Mar 04, 2005 at 09:16:51PM -0500, Jon-Erik wrote:

>(By the way, the whole concept of RPC over HTTP seems rather silly to me
>- first we realize that Microsoft's RPC protocols are insecure so we
>set up our firewalls to block them in and out of our house ...
>then Microsoft realizes we are blocking them so they start
>tunneling it through http so they can traverse the net again - and
>they even call it "security"! It also reminds me of the
>virus/antivirus culture ;-)

>> This is a relatively new thing

>This MAPI might be new but the RPC over HTTP protocol itself is not that
>hot ...

OK, I am confused about this. Are you saying that RPC over HTTP is not really being pushed and implemented? Every MS Exchange person I talk to these days has that as something they have recently done or are wanting to do as soon as they get Exchange 2003 and Outlook 2003 rolled out.

The Microsoft reps also push RPC over HTTP as a way to get around problems: "No more having to mess with VPN issues and teaching your end users how to connect to the VPN just for e-mail".

This is not just where I work, but other places. People that claim to be interested in security say it is "filtered" when it goes through HTTP, so no worries. I am not sure I buy this, but don't have any knowledge one way or another.

From a security perspective I really questioned RPC over HTTP when they implemented it where I work. They challenged me to find any strong information security issues with it. At the time of my search the only articles of concern I could find all talked about theory and were before Exchange 2003 was released so that did not really help much.

I think there could be some advantages to detecting RPC over HTTP from a version detection perspective. You know the OS is Windows 2003 and the mail server is Exchange 2003 or greater. It would be a much stronger version number than saying it could be any Windows server all the way back to NT. This would also be helpful from a scanning perspective if some firm security holes in RPC over HTTP were discovered, so that one could scan a range and say "hey, you need to fix this".

Just my random rant after dealing with this in my own organization.

Alan
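As an added illustration of the version-detection angle Alan raises above (this is not code from the thread, from Nmap, or from Microsoft), the script below classifies web-server log lines to find RPC over HTTP tunnel traffic and reports what can be inferred from it. The RPC_IN_DATA and RPC_OUT_DATA request methods and the /rpc/rpcproxy.dll path come from the RPC over HTTP protocol itself and are not mentioned in the thread; the log lines, the field layout (date, time, client, method, target, status) and the host name mail.example.test are constructed for the example; the fingerprint string repeats the post's own inference (Windows 2003 with Exchange 2003 or later).

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified "date time client method target status"
# layout. They are not from any real server; one deliberately malformed line is included
# to show that unparseable input is counted and skipped rather than crashing the scan.
SAMPLE_LOG = """\
2005-03-06 11:07:16 203.0.113.5 GET /owa/ 200
2005-03-06 11:07:17 203.0.113.5 RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.test:6001 200
2005-03-06 11:07:17 203.0.113.5 RPC_OUT_DATA /rpc/rpcproxy.dll?mail.example.test:6001 200
2005-03-06 11:07:20 198.51.100.9 POST /exchange/ 401
2005-03-06 11:07:21 198.51.100.9 RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.test:6004 401
not a log line at all
"""

# Method names and proxy path are defined by the RPC over HTTP protocol (assumed here,
# not taken from the thread).
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) "
    r"(?P<method>\S+) (?P<target>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_rpc_over_http(rec):
    """True when the request is an RPC over HTTP tunnel request to the proxy DLL."""
    path = rec["target"].split("?", 1)[0].lower()
    return rec["method"] in RPC_METHODS and path == RPC_PROXY_PATH


def backend_endpoint(rec):
    """Return (host, port) named in the proxy query string, or None if absent."""
    parts = rec["target"].split("?", 1)
    if len(parts) < 2 or ":" not in parts[1]:
        return None
    host, port = parts[1].rsplit(":", 1)
    return host, port


def summarize(log_text):
    """Walk a log, keep only RPC over HTTP requests, and summarize what they reveal."""
    rpc_requests = 0
    clients = set()
    ports = Counter()
    auth_failures = 0
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed line: count it, do not abort
            continue
        if not is_rpc_over_http(rec):
            continue              # ordinary web traffic (OWA, etc.) is ignored
        rpc_requests += 1
        clients.add(rec["client"])
        ep = backend_endpoint(rec)
        if ep:
            ports[ep[1]] += 1     # which back-end ports the proxy is asked to reach
        if rec["status"] == "401":
            auth_failures += 1    # tunnel requests that failed authentication
    return {
        "rpc_requests": rpc_requests,
        "rpc_clients": sorted(clients),
        "backend_ports": dict(ports),
        "auth_failures": auth_failures,
        "skipped_lines": skipped,
        # The post's inference: an RPC over HTTP proxy implies this platform generation.
        "fingerprint": (
            "RPC over HTTP proxy in use: Windows Server 2003 with Exchange 2003 or later"
            if rpc_requests else None
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real IIS log the field regex would need adjusting to that server's configured column order, but the classification itself only depends on the method and path, which is why a front-end proxy log gives a cleaner inventory of which hosts actually carry RPC over HTTP than a generic OS guess does.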

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org