RPC Interface Restriction

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion RPC Interface Restriction

This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 2 weeks, 1 day ago.

  • Author
  • #2218


    Applies To:Windows Server 2003 with SP1
    What does RPC Interface Restriction do?
    A number of changes have been madein the Remote Procedure Call (RPC) servicefor Windows Server 2003 with Service
    Pack 1 that help make RPC interfaces secure by defaultand reducetheattack surface of Windows Server 2003.The most
    significant changeis theaddition of the RestrictRemoteClients registry key.This key enables you to modify the behavior of
    all RPC interfaces on thesystem and can be used to eliminateremoteanonymous access to RPC interfaces on thesystem, with
    someexceptions. Additional changes includethe EnableAuthEpResolution registry key and three new interfaceregistration
    Who does this feature apply to?
    This featureapplies to RPC application developers.System administrators should also befamiliar with this changeto RPC.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    RestrictRemoteClients Registry Key
    Detailed description
    When an interfaceis registered using RpcServerRegisterIf, RPC allows theserver application to restrictaccess to theinterface,
    typically through a security callback.The RestrictRemoteClients registry key forces RPC to perform additional security checks
    for all interfaces,even if theinterface has no registered security callback.
    RPC clients that usethe named pipe protocol sequence(ncacn_np) areexempt from all restrictions discussed in this section.
    The named pipe protocol sequencecannot berestricted dueto several significant backwards compatibility issues.
    The RestrictRemoteClients registry key can have one of three DWORD values that can also becontrolled programmatically in
    rpcdce.h. If thekey is not present, it is equivalent to setting the DWORD=0 value(RPC_RESTRICT_REMOTE_CLIENT_NONE) for
    server SKUs and DWORD=1 value(RPC_RESTRICT_REMOTE_CLIENT_AUTH) for clientSKUs.
    Thefollowing table provides a referenceto the RestrictRemoteClients registry key:
    Type Description
    Key name RestrictRemoteClients
    Type DWORD
    Yes.This key can beconfigured using the Group Policy ObjectEditor.
    Key values 0 (Default for server SKUs)
    This valueis the defaultvaluein Windows Server 2003 Service Pack 1 for Server SKUs. It causes thesystem to
    bypass the RPC interfacerestriction.This corresponds to thevalue RPC_RESTRICT_REMOTE_CLIENT_NONE in
    rpcdce.h. It is entirely theresponsibility of theserver application to imposeappropriate RPC restrictions.This
    setting is equivalent to the behavior in previous versions of Windows.
    This valueis the defaultvaluein Windows XP Service Pack 2 and clientSKUs built from theSRSP1 code base. It
    restricts access to all RPC interfaces. All remoteanonymous calls arerejected by the RPC runtimeexcept calls
    coming in through named pipes (ncacn_np).This corresponds to thevalue
    RPC_RESTRICT_REMOTE_CLIENT_DEFAULTin rpcdce.h. If an interfaceregisters a security callback and provides
    the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag, then this restriction does notapply to that interface.
    All remoteanonymous calls arerejected by the RPC runtime with no exemptions.This corresponds to thevalue
    RPC_RESTRICT_REMOTE_CLIENT_HIGH in rpcdce.h.When this valueis set,a system cannot receiveremote
    anonymous calls using RPC.
    Why is this change important? What threats does it help mitigate?
    It is much more difficult to attack an interfaceif you requirecalls to perform authentication,even a relatively low level of
    authentication.Enabling RestrictRemoteClients can bea particularly useful mitigation against worms that rely on exploitable
    buffer overruns that can beinvoked remotely through anonymous connections.
    What works differently?
    If your RPC application expects to receivecalls from remoteanonymous RPC clients, using this feature might notallow your
    application to run correctly. As a result,applications that use DCOM might not work correctly if this valueis set.
    Becausesecure RPC calls over connectionless protocols such as User Datagram Protocol (UDP) and Internetwork Packet
    Exchange(IPX) (ncadq_ip_udp and ncadg_ipx) usea lower level of security than calls over connection-oriented protocols, these
    calls arealways considered nonsecurefor the purposes of this policy. As a result, RPC calls over connectionless protocols will
    fail if this key is enabled in Windows Server 2003 with Service Pack 1.
    To allow RPC client calls using connectionless protocols,keep the RestrictRemoteClients valueset to 0
    (RPC_RESTRICT_REMOTE_CLIENT_NONE), the default setting for Windows Server 2003 with Service Pack 1.
    How do I resolve these issues?
    Therearethefollowing options that may allow you to use RestrictRemoteClients on your server:
    Requireyour RPC clients to use RPC security when contacting your server application.This is the best method to mitigate
    security threats.
    Exemptyour interfacefrom requiring authentication by setting the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag
    during interfaceregistration.This configures RPC to allow anonymous connections to only your application’s interface.
    EnableAuthEpResolution Registry Key
    Detailed description
    An RPC interfacethat is remotely and anonymously accessibleand is registered by default on Windows Server 2003 presents a
    significantattack surface. RPC itself must register such an interfaceto provideendpoint resolution for calls using dynamic
    If you enablethe RestrictRemoteClients flag, the RPC Endpoint Mapper interface will not beaccessibleanonymously.This is a
    significant security improvement, but it changes thetask of resolving an endpoint. Currently,an RPC client thatattempts to
    makea call using a dynamicendpoint will first query the RPC Endpoint Mapper on theserver to determine whatendpoint it
    should connect to.This query is performed anonymously,even if the RPC client call itself is performed using RPC security.
    Anonymous calls to the RPC Endpoint Mapper interface will fail on Windows Server 2003 with Service Pack 1 if the
    RestrictRemoteClients key is set to 1 or higher .This makes it necessary to modify the RPC client runtimeto perform an
    authenticated query to theEndpoint Mapper. If the EnableAuthEpResolution key is set, the RPC client runtime will use NTLM
    to authenticateto theendpoint mapper.This authenticated query will take place only if theactual RPC client call uses RPC
    Why is this change important?
    This changeenables an RPC client to makea call to an RPC server that has registered a dynamicendpoint on a system running
    Windows Server 2003 with Service Pack 1 with RestrictRemoteClients enabled.Theclient computer must set this registry
    key so that it will perform an authenticated query to the RPC Endpoint Mapper.
    What works differently?
    This registry key is used to enablethespecific scenario described in the previous section.When this key is turned on,all RPC
    Endpoint Mapper queries thatare performed on behalf of authenticated calls are performed using NTLM authentication.
    This setting can also bespecified using the Group Policy ObjectEditor to configurethe Group Policy object located in
    Computer Configuration\AdministrativeTemplates\System\Remote Procedure Call\RPC Endpoint Mapper Client
    New RPC Interface Registration Flags
    Detailed description
    Three new interfaceregistration flags have been created to makeiteasier for an application developer to securean RPC
    When this flag is registered, the RPC runtimeinvokes theregistered security callback for all calls, regardless of thecall
    security settings.Without this flag, RPC rejects all unauthenticated calls beforethey reach thesecurity callback.This flag
    works only when a security callback is registered.
    A security callback is registered for an interfacein order to restrictaccess to that interface.Thetypical security callback
    impersonates theclient to determine whether theclient has sufficient rights to makea call to theinterface. If a particular
    client identity passes a security callback once, it usually passes thesamesecurity callback every time.
    The RPC runtimetakes advantage of this pattern by remembering when an individual client identity passes a security
    callback and skips thesecurity callback for subsequent calls by that client to thesameinterface.This featureis called
    security callback caching and has existed sincethe Microsoft Windows 2000 family of operating systems.For
    Windows Server 2003 with Service Pack 1,you can usethe RPC_IF_SEC_NO_CACHE flag to disablesecurity callback
    caching for a given interface.This is useful if thesecurity check might change, possibly rejecting a client identity that was
    previously permitted.
    When an interfaceis registered with this flag, RPC rejects calls made by remote RPC clients. In addition, local calls over all
    ncadg_* protocol sequences and all ncacn_* protocol sequences (except for named pipes, using ncacn_np) arealso
    rejected. If a call is made onncacn_np, RPC allows thecall only if it does not comefrom SRV, which filters outall remote
    calls. Ncalrpc calls arealways allowed through.
    Why is this change important?
    This change provides RPC application developers with additional security tools to help securetheir RPC interface.
    What works differently?
    Theseflags will not changeany existing Windows Server 2003–based application or causeit not to run correctly.The use of
    these new flags is at the discretion of theapplication developer.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    RPC Settings
    Setting name Location Default
    Possible values
    RestrictRemoteClients HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows
    (Group Policy object)
    Computer Configuration\ AdministrativeTemplates\System\Remote
    Procedure Call\Restrictions for Unauthenticated RPC Clients
    0 0 – None
    1 – XP SP2 and SRSP1
    clientSKUs Default
    2 – High
    EnableAuthEpResolution HKEY_LOCAL_MACHINE\SOFTWARE\Policies \Microsoft\Windows
    (Group Policy object)
    Computer Configuration\ AdministrativeTemplates\System\Remote
    Procedure Call\RPC Endpoint Mapper Client Authentication
    0 0 – Disabled
    1 – Enabled
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    You may need to changeyour codeto work with Windows Server 2003 Service Pack 1 if you decideto enable
    RestrictRemoteClients.For moreinformation aboutapplication changes that might berequired, seethe previous sections on
    RestrictRemoteClients and EnableAuthEpResolution.

You must be logged in to reply to this topic.