Hi Denis,
There is actually another parameter we can use on Samba, "rpc server
port", which controls which port different protocols can bind on. I know
that it works for netlogon as this was used for making it possible to
multi-process. Presumably replication could also be restricted to a
particular port across the domain. This doesn't prevent transport over
SMB though currently, so unless you also block SMB it doesn't actually
mean DRS is disabled. The other issue is that there are other calls on
the DRSUAPI pipe which aren't specifically involved with replication
like CrackNames. These calls are done regularly by clients to transform
group names and account names, so blocking this particular service may
disable other features. What you possibly want is some kind of
fine-grained filtering based on function name (or ID).
The EPMAPPER DCERPC pipe broadcasts a lot of this meta-information (so
certain parts can be dynamic, or fixed statically), so some more reading
about that particular part of the protocol specification might be
helpful. When doing RPC, a connection to this pipe is normally done
beforehand.
Cheers,
Garming
On 21/12/17 04:57, Denis Cardon via samba wrote:
> Hi everyone,
>
> I get more and more questions from security minded clients about
> MS-RPC and the dynamic RPC port range. The default range is quite
> wide, and while it can be configured and reduced through the "rpc
> server dynamic port range" parameter since 4.7.0, it still gets
> network/firewall/security people nervous.
>
> Digging further into that subject, after some more reading and
> tcpdump'ing, I started to do some tests blocking the dynamic range for
> a few workstations, and I didn't have the users yelling back at me. On
> the other hand some administrative tasks like AD replication, remote
> server management in compmgmt.msc do really need those ports
> accessible. But for a standard use of workstation, I didn't get any
> issues so far (for our internal use case).
>
> I was also wondering what are the common points and the differences
> between LSARPC, RPC over SMB, and MS-RPC/DCE-RPC:
>
> * is MS-RPC the default standard for RPC transport (port 135 + dynamic
> range)?
>
> * is RPC over SMB / named pipes considered legacy (port 445, and 139 if
> NetBIOS is enabled)?
>
> * is there some application that chooses LSARPC, SMBRPC or MS-RPC by
> default?
>
> * is it interchangeable, that is to say, are all MS-RPC endpoints also
> callable through SMBRPC / named pipes and the other way around?
>
> * is it possible to have fallback on SMBRPC (named pipes) if MS-RPC is
> not available?
>
> Documentation on Microsoft RPC is not the easiest to navigate through,
> so bear with me if my questions are too basic.
>
> My first aim would be to avoid the need for such a big range from
> the server vlan to the other desktops vlan. The second need would be
> to restrict the replication partners for DRS through firewalling.
>
> Cheers,
>
> Denis
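As an added illustration of the two smb.conf parameters discussed in this thread (this is example configuration written for this page, not a fragment posted by either participant or shipped by the Samba project), the following [global] section narrows the dynamic range and pins the Netlogon and DRSUAPI listeners to fixed ports so that a firewall can reference them. The port numbers are arbitrary choices for the example, and the per-service override syntax "rpc server port:<service>" is the one documented in smb.conf(5). As Garming points out, pinning the DRSUAPI port only constrains DCE/RPC over TCP; the same interface stays reachable as a named pipe over SMB on 445, so restricting replication partners still requires filtering 445 from non-partners, and blocking DRSUAPI entirely would also break calls such as CrackNames that ordinary clients issue.

```ini
[global]
    ; Narrow the range the endpoint mapper (port 135) hands out for servers
    ; without a fixed port. Default is 49152-65535 (added in Samba 4.7.0).
    ; Example value: keep it large enough for every RPC server Samba starts.
    rpc server dynamic port range = 49152-49199

    ; Default fixed port for DCE/RPC over TCP servers with no override below.
    ; 0 means "take the first free port from the dynamic range".
    rpc server port = 0

    ; Per-service overrides. Values here are example choices, deliberately
    ; outside the dynamic range so they cannot collide with dynamic allocations.
    rpc server port:netlogon = 1026
    rpc server port:drsuapi  = 1027

    ; NOTE (caveat from the thread): \PIPE\drsuapi is still served over SMB
    ; on 445/tcp regardless of these settings, so "rpc server port" alone
    ; does not disable or fence off DRS replication.
```

After changing the settings, "testparm -v | grep 'rpc server'" shows the effective values, and "ss -ltnp" on the DC confirms which ports the Samba processes actually bound; a firewall rule set for the example above would then allow 135, 1026 and 1027 from the workstation VLAN, and 445 plus 1027 only from replication partners.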