RPC Interface Restriction
September 8, 2017 at 3:48 pm #2218
Webmaster (Keymaster)
Applies To: Windows Server 2003 with SP1
What does RPC Interface Restriction do?
A number of changes have been made in the Remote Procedure Call (RPC) service for Windows Server 2003 with Service Pack 1 that help make RPC interfaces secure by default and reduce the attack surface of Windows Server 2003. The most significant change is the addition of the RestrictRemoteClients registry key. This key enables you to modify the behavior of all RPC interfaces on the system and can be used to eliminate remote anonymous access to RPC interfaces on the system, with some exceptions. Additional changes include the EnableAuthEpResolution registry key and three new interface registration flags.
Who does this feature apply to?
This feature applies to RPC application developers. System administrators should also be familiar with this change to RPC.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
RestrictRemoteClients Registry Key
Detailed description
When an interface is registered using RpcServerRegisterIf, RPC allows the server application to restrict access to the interface, typically through a security callback. The RestrictRemoteClients registry key forces RPC to perform additional security checks for all interfaces, even if the interface has no registered security callback.
RPC clients that use the named pipe protocol sequence (ncacn_np) are exempt from all restrictions discussed in this section. The named pipe protocol sequence cannot be restricted due to several significant backwards compatibility issues.
The RestrictRemoteClients registry key can have one of three DWORD values that can also be controlled programmatically in rpcdce.h. If the key is not present, it is equivalent to setting the DWORD=0 value (RPC_RESTRICT_REMOTE_CLIENT_NONE) for server SKUs and the DWORD=1 value (RPC_RESTRICT_REMOTE_CLIENT_AUTH) for client SKUs.
The following table provides a reference to the RestrictRemoteClients registry key:
Key name: RestrictRemoteClients
Type: DWORD
Configurable through User Interface: Yes. This key can be configured using the Group Policy Object Editor.
Key values:
0 (Default for server SKUs) – This value is the default value in Windows Server 2003 Service Pack 1 for server SKUs. It causes the system to bypass the RPC interface restriction. This corresponds to the value RPC_RESTRICT_REMOTE_CLIENT_NONE in rpcdce.h. It is entirely the responsibility of the server application to impose appropriate RPC restrictions. This setting is equivalent to the behavior in previous versions of Windows.
1 – This value is the default value in Windows XP Service Pack 2 and client SKUs built from the SRSP1 code base. It restricts access to all RPC interfaces. All remote anonymous calls are rejected by the RPC runtime except calls coming in through named pipes (ncacn_np). This corresponds to the value RPC_RESTRICT_REMOTE_CLIENT_DEFAULT in rpcdce.h. If an interface registers a security callback and provides the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag, then this restriction does not apply to that interface.
2 – All remote anonymous calls are rejected by the RPC runtime with no exemptions. This corresponds to the value RPC_RESTRICT_REMOTE_CLIENT_HIGH in rpcdce.h. When this value is set, a system cannot receive remote anonymous calls using RPC.
Why is this change important? What threats does it help mitigate?
It is much more difficult to attack an interface if you require calls to perform authentication, even a relatively low level of authentication. Enabling RestrictRemoteClients can be a particularly useful mitigation against worms that rely on exploitable buffer overruns that can be invoked remotely through anonymous connections.
What works differently?
If your RPC application expects to receive calls from remote anonymous RPC clients, using this feature might not allow your application to run correctly. As a result, applications that use DCOM might not work correctly if this value is set.
Because secure RPC calls over connectionless protocols such as User Datagram Protocol (UDP) and Internetwork Packet Exchange (IPX) (ncadg_ip_udp and ncadg_ipx) use a lower level of security than calls over connection-oriented protocols, these calls are always considered nonsecure for the purposes of this policy. As a result, RPC calls over connectionless protocols will fail if this key is enabled in Windows Server 2003 with Service Pack 1.
To allow RPC client calls using connectionless protocols, keep the RestrictRemoteClients value set to 0 (RPC_RESTRICT_REMOTE_CLIENT_NONE), the default setting for Windows Server 2003 with Service Pack 1.
How do I resolve these issues?
There are the following options that may allow you to use RestrictRemoteClients on your server:
- Require your RPC clients to use RPC security when contacting your server application. This is the best method to mitigate security threats.
- Exempt your interface from requiring authentication by setting the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag during interface registration. This configures RPC to allow anonymous connections to only your application's interface.
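The admission rule this section describes, written out as an added PowerShell example (not part of the original post or of Windows itself): the function applies the named-pipe exemption, the connectionless-transport rule and the three RestrictRemoteClients values to a described call and reports the outcome, which makes it easy to see why an authenticated UDP call or an anonymous DCOM call fails once the key is set. The function and parameter names are assumptions.

```powershell
# Added example: a model of how the RestrictRemoteClients policy treats one incoming
# RPC call, as documented above. Names of the function and parameters are assumptions.
function Test-RpcCallAdmitted {
    param(
        [ValidateSet(0, 1, 2)] [int] $RestrictRemoteClients,  # registry value 0, 1 or 2
        [string] $ProtSeq,              # e.g. ncacn_ip_tcp, ncacn_np, ncadg_ip_udp, ncalrpc
        [bool]   $Remote,               # call arrives from another computer
        [bool]   $Authenticated,        # client used RPC security on this call
        [bool]   $CallbackAllowsNoAuth  # interface has a security callback registered with
                                        # RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH
    )
    # Named pipes are exempt from every restriction in this policy.
    if ($ProtSeq -eq 'ncacn_np') { return 'Allowed: ncacn_np is exempt from the policy' }

    # Connectionless transports (ncadg_*) are always treated as nonsecure, so even an
    # authenticated UDP or IPX call counts as anonymous for this decision.
    $effectiveAuth = $Authenticated -and ($ProtSeq -notlike 'ncadg_*')

    # Only remote anonymous calls are in scope; local and authenticated calls pass here
    # (the interface's own security callback may still reject them later).
    if (-not $Remote)   { return 'Allowed: local call, not restricted by this policy' }
    if ($effectiveAuth) { return 'Allowed: authenticated remote call' }

    switch ($RestrictRemoteClients) {
        0 { return 'Allowed: RPC_RESTRICT_REMOTE_CLIENT_NONE leaves restriction to the application' }
        1 {
            if ($CallbackAllowsNoAuth) {
                return 'Allowed: interface opted out via RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH; its security callback decides'
            }
            return 'Rejected: remote anonymous call under value 1'
        }
        2 { return 'Rejected: remote anonymous call under RPC_RESTRICT_REMOTE_CLIENT_HIGH (no exemptions)' }
    }
}

# Constructed scenarios: an anonymous DCOM-style TCP call, and an authenticated UDP call,
# both against a server with the key set to 1.
Test-RpcCallAdmitted -RestrictRemoteClients 1 -ProtSeq 'ncacn_ip_tcp' -Remote $true -Authenticated $false -CallbackAllowsNoAuth $false
Test-RpcCallAdmitted -RestrictRemoteClients 1 -ProtSeq 'ncadg_ip_udp' -Remote $true -Authenticated $true  -CallbackAllowsNoAuth $false
```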
EnableAuthEpResolution Registry Key
Detailed description
An RPC interface that is remotely and anonymously accessible and is registered by default on Windows Server 2003 presents a significant attack surface. RPC itself must register such an interface to provide endpoint resolution for calls using dynamic endpoints.
If you enable the RestrictRemoteClients flag, the RPC Endpoint Mapper interface will not be accessible anonymously. This is a significant security improvement, but it changes the task of resolving an endpoint. Currently, an RPC client that attempts to make a call using a dynamic endpoint will first query the RPC Endpoint Mapper on the server to determine what endpoint it should connect to. This query is performed anonymously, even if the RPC client call itself is performed using RPC security.
Anonymous calls to the RPC Endpoint Mapper interface will fail on Windows Server 2003 with Service Pack 1 if the RestrictRemoteClients key is set to 1 or higher. This makes it necessary to modify the RPC client runtime to perform an authenticated query to the Endpoint Mapper. If the EnableAuthEpResolution key is set, the RPC client runtime will use NTLM to authenticate to the endpoint mapper. This authenticated query will take place only if the actual RPC client call uses RPC authentication.
Why is this change important?
This change enables an RPC client to make a call to an RPC server that has registered a dynamic endpoint on a system running Windows Server 2003 with Service Pack 1 with RestrictRemoteClients enabled. The client computer must set this registry key so that it will perform an authenticated query to the RPC Endpoint Mapper.
What works differently?
This registry key is used to enable the specific scenario described in the previous section. When this key is turned on, all RPC Endpoint Mapper queries that are performed on behalf of authenticated calls are performed using NTLM authentication.
This setting can also be specified using the Group Policy Object Editor to configure the Group Policy object located in Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication.
New RPC Interface Registration Flags
Detailed description
Three new interface registration flags have been created to make it easier for an application developer to secure an RPC interface.
RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH
When this flag is registered, the RPC runtime invokes the registered security callback for all calls, regardless of the call security settings. Without this flag, RPC rejects all unauthenticated calls before they reach the security callback. This flag works only when a security callback is registered.
RPC_IF_SEC_NO_CACHE
A security callback is registered for an interface in order to restrict access to that interface. The typical security callback impersonates the client to determine whether the client has sufficient rights to make a call to the interface. If a particular client identity passes a security callback once, it usually passes the same security callback every time.
The RPC runtime takes advantage of this pattern by remembering when an individual client identity passes a security callback and skips the security callback for subsequent calls by that client to the same interface. This feature is called security callback caching and has existed since the Microsoft Windows 2000 family of operating systems. For Windows Server 2003 with Service Pack 1, you can use the RPC_IF_SEC_NO_CACHE flag to disable security callback caching for a given interface. This is useful if the security check might change, possibly rejecting a client identity that was previously permitted.
RPC_IF_LOCAL_ONLY
When an interface is registered with this flag, RPC rejects calls made by remote RPC clients. In addition, local calls over all ncadg_* protocol sequences and all ncacn_* protocol sequences (except for named pipes, using ncacn_np) are also rejected. If a call is made on ncacn_np, RPC allows the call only if it does not come from SRV, which filters out all remote calls. Ncalrpc calls are always allowed through.
Why is this change important?
This change provides RPC application developers with additional security tools to help secure their RPC interface.
What works differently?
These flags will not change any existing Windows Server 2003–based application or cause it not to run correctly. The use of these new flags is at the discretion of the application developer.
What settings are added or changed in Windows Server 2003 Service Pack 1?
RPC Settings
Setting name: RestrictRemoteClients
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC
-or- (Group Policy object) Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC Clients
Default value: 0
Possible values: 0 – None; 1 – XP SP2 and SRSP1 client SKUs default; 2 – High

Setting name: EnableAuthEpResolution
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC
-or- (Group Policy object) Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication
Default value: 0
Possible values: 0 – Disabled; 1 – Enabled
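An added audit script (not part of the original post) that reads the two values listed in the table from the policy key and reports the effective RPC restriction state, applying the documented per-SKU default when RestrictRemoteClients is absent. It assumes Windows PowerShell with WMI available on the audited host; the function name is an assumption.

```powershell
# Added example: report the effective RestrictRemoteClients / EnableAuthEpResolution
# state of this host. Function name is an assumption; registry path is from the table above.
function Get-RpcRestrictionState {
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'
    $names = @{ 0 = 'RPC_RESTRICT_REMOTE_CLIENT_NONE'
                1 = 'RPC_RESTRICT_REMOTE_CLIENT_DEFAULT'
                2 = 'RPC_RESTRICT_REMOTE_CLIENT_HIGH' }

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # The documented default differs by SKU (0 for server SKUs, 1 for client SKUs).
    $productType = (Get-WmiObject -Class Win32_OperatingSystem).ProductType
    $isServerSku = ($productType -ne 1)

    # The policy key may not exist at all; treat that the same as an absent value.
    $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }

    $restrict = $props.RestrictRemoteClients
    $source   = 'explicit registry value'
    if ($null -eq $restrict) {
        $restrict = if ($isServerSku) { 0 } else { 1 }
        $source   = 'SKU default (value not present)'
    }

    $epRes = $props.EnableAuthEpResolution
    if ($null -eq $epRes) { $epRes = 0 }   # documented default

    [pscustomobject]@{
        ServerSku               = $isServerSku
        RestrictRemoteClients   = [int]$restrict
        RestrictName            = $names[[int]$restrict]
        Source                  = $source
        EnableAuthEpResolution  = [int]$epRes
        RemoteAnonymousBlocked  = ([int]$restrict -ge 1)   # except ncacn_np
        ConnectionlessRpcFails  = ([int]$restrict -ge 1)   # ncadg_* calls fail once enabled
        ClientsNeedAuthEpResolve = ([int]$restrict -ge 1)  # callers of dynamic endpoints need EnableAuthEpResolution=1
    }
}

Get-RpcRestrictionState | Format-List
```

Run it on the server to see what remote anonymous callers will get, and on the clients that use dynamic endpoints to confirm EnableAuthEpResolution is 1 before raising RestrictRemoteClients on the server.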
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
You may need to change your code to work with Windows Server 2003 Service Pack 1 if you decide to enable RestrictRemoteClients. For more information about application changes that might be required, see the previous sections on RestrictRemoteClients and EnableAuthEpResolution.