RPC Interface Restriction



Applies To: Windows Server 2003 with SP1

What does RPC Interface Restriction do?
A number of changes have been made in the Remote Procedure Call (RPC) service for Windows Server 2003 with Service Pack 1 that help make RPC interfaces secure by default and reduce the attack surface of Windows Server 2003. The most significant change is the addition of the RestrictRemoteClients registry key. This key enables you to modify the behavior of all RPC interfaces on the system and can be used to eliminate remote anonymous access to RPC interfaces on the system, with some exceptions. Additional changes include the EnableAuthEpResolution registry key and three new interface registration flags.

Who does this feature apply to?
This feature applies to RPC application developers. System administrators should also be familiar with this change to RPC.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
RestrictRemoteClients Registry Key

Detailed description
When an interface is registered using RpcServerRegisterIf, RPC allows the server application to restrict access to the interface, typically through a security callback. The RestrictRemoteClients registry key forces RPC to perform additional security checks for all interfaces, even if the interface has no registered security callback.

RPC clients that use the named pipe protocol sequence (ncacn_np) are exempt from all restrictions discussed in this section. The named pipe protocol sequence cannot be restricted due to several significant backwards compatibility issues.

The RestrictRemoteClients registry key can have one of three DWORD values, which correspond to constants defined in rpcdce.h. If the key is not present, it is equivalent to setting DWORD=0 (RPC_RESTRICT_REMOTE_CLIENT_NONE) for server SKUs and DWORD=1 (RPC_RESTRICT_REMOTE_CLIENT_DEFAULT) for client SKUs.

The following table provides a reference to the RestrictRemoteClients registry key:

Key name: RestrictRemoteClients
Type: DWORD
Group Policy: Yes. This key can be configured using the Group Policy Object Editor.
Key values:
  0 (default for server SKUs) – This value is the default in Windows Server 2003 Service Pack 1 for server SKUs. It causes the system to bypass the RPC interface restriction. This corresponds to the value RPC_RESTRICT_REMOTE_CLIENT_NONE in rpcdce.h. It is entirely the responsibility of the server application to impose appropriate RPC restrictions. This setting is equivalent to the behavior in previous versions of Windows.
  1 (default for client SKUs) – This value is the default in Windows XP Service Pack 2 and client SKUs built from the SRSP1 code base. It restricts access to all RPC interfaces. All remote anonymous calls are rejected by the RPC runtime except calls coming in through named pipes (ncacn_np). This corresponds to the value RPC_RESTRICT_REMOTE_CLIENT_DEFAULT in rpcdce.h. If an interface registers a security callback and provides the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag, then this restriction does not apply to that interface.
  2 (high) – All remote anonymous calls are rejected by the RPC runtime with no exemptions. This corresponds to the value RPC_RESTRICT_REMOTE_CLIENT_HIGH in rpcdce.h. When this value is set, a system cannot receive remote anonymous calls using RPC.
Why is this change important? What threats does it help mitigate?
It is much more difficult to attack an interface if you require calls to perform authentication, even a relatively low level of authentication. Enabling RestrictRemoteClients can be a particularly useful mitigation against worms that rely on exploitable buffer overruns that can be invoked remotely through anonymous connections.

What works differently?
If your RPC application expects to receive calls from remote anonymous RPC clients, enabling this feature might not allow your application to run correctly. In particular, applications that use DCOM might not work correctly if this value is set.

Because secure RPC calls over connectionless protocols such as User Datagram Protocol (UDP) and Internetwork Packet Exchange (IPX) (ncadg_ip_udp and ncadg_ipx) use a lower level of security than calls over connection-oriented protocols, these calls are always considered nonsecure for the purposes of this policy. As a result, RPC calls over connectionless protocols will fail if this key is enabled in Windows Server 2003 with Service Pack 1, even when the client authenticates.

To allow RPC client calls using connectionless protocols, keep the RestrictRemoteClients value set to 0 (RPC_RESTRICT_REMOTE_CLIENT_NONE), the default setting for Windows Server 2003 with Service Pack 1.

How do I resolve these issues?
The following options may allow you to use RestrictRemoteClients on your server:
  • Require your RPC clients to use RPC security when contacting your server application. This is the best method to mitigate security threats.
  • Exempt your interface from requiring authentication by setting the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag during interface registration. This configures RPC to allow anonymous connections to only your application's interface; the interface's registered security callback is then responsible for deciding which anonymous callers to accept.
EnableAuthEpResolution Registry Key

Detailed description
An RPC interface that is remotely and anonymously accessible and is registered by default on Windows Server 2003 presents a significant attack surface. RPC itself must register such an interface to provide endpoint resolution for calls using dynamic endpoints.

If you enable the RestrictRemoteClients flag, the RPC Endpoint Mapper interface will not be accessible anonymously. This is a significant security improvement, but it changes the task of resolving an endpoint. Currently, an RPC client that attempts to make a call using a dynamic endpoint will first query the RPC Endpoint Mapper on the server to determine what endpoint it should connect to. This query is performed anonymously, even if the RPC client call itself is performed using RPC security.

Anonymous calls to the RPC Endpoint Mapper interface will fail on Windows Server 2003 with Service Pack 1 if the RestrictRemoteClients key is set to 1 or higher. This makes it necessary to modify the RPC client runtime to perform an authenticated query to the Endpoint Mapper. If the EnableAuthEpResolution key is set, the RPC client runtime will use NTLM to authenticate to the endpoint mapper. This authenticated query will take place only if the actual RPC client call uses RPC security; an anonymous client call still produces an anonymous Endpoint Mapper query, which a restricted server rejects.

Why is this change important?
This change enables an RPC client to make a call to an RPC server that has registered a dynamic endpoint on a system running Windows Server 2003 with Service Pack 1 with RestrictRemoteClients enabled. The client computer must set this registry key so that it will perform an authenticated query to the RPC Endpoint Mapper.

What works differently?
This registry key is used to enable the specific scenario described in the previous section. When this key is turned on, all RPC Endpoint Mapper queries that are performed on behalf of authenticated calls are performed using NTLM authentication.

This setting can also be specified using the Group Policy Object Editor to configure the Group Policy object located in Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication.
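The admission rules above (named-pipe exemption, per-SKU defaults, connectionless calls treated as nonsecure, the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH opt-out at level 1 but not level 2) and the Endpoint Mapper rule that EnableAuthEpResolution changes are spread over several paragraphs. The following is an added example, not code from the page or from Microsoft: a small C model of the decision the SP1 RPC runtime makes before a call reaches the application. The RPC_RESTRICT_REMOTE_CLIENT_* and RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH constants mirror rpcdce.h but are defined locally so the file compiles without the Windows SDK; the struct and function names are this example's own, and the Endpoint Mapper function models the connection-oriented (TCP) case only.

```c
/*
 * Added example: model of the Windows Server 2003 SP1 RPC runtime's
 * RestrictRemoteClients admission check and of Endpoint Mapper resolution
 * under EnableAuthEpResolution. Not Microsoft's code; constants mirror
 * rpcdce.h, everything else is illustrative.
 */
#include <stdio.h>
#include <string.h>

#define RPC_RESTRICT_REMOTE_CLIENT_NONE     0
#define RPC_RESTRICT_REMOTE_CLIENT_DEFAULT  1
#define RPC_RESTRICT_REMOTE_CLIENT_HIGH     2
#define RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH 0x0010

/* One incoming call as the runtime sees it before the stub runs (illustrative struct). */
struct rpc_call {
    const char *protseq;   /* "ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_np", "ncalrpc", ... */
    int remote;            /* 1 if the peer is another machine */
    int authenticated;     /* 1 if the call carries RPC security */
};

/* Effective restriction level: an absent key means 0 on server SKUs, 1 on client SKUs. */
unsigned effective_restrict_level(int key_present, unsigned key_value, int server_sku)
{
    if (key_present)
        return key_value;
    return server_sku ? RPC_RESTRICT_REMOTE_CLIENT_NONE : RPC_RESTRICT_REMOTE_CLIENT_DEFAULT;
}

/* Connectionless (ncadg_*) calls count as nonsecure even when authenticated. */
static int call_is_secure(const struct rpc_call *c)
{
    if (strncmp(c->protseq, "ncadg_", 6) == 0)
        return 0;
    return c->authenticated;
}

/*
 * Returns 1 if the runtime passes the call on to the interface (where the
 * application's own security callback, if any, still runs), 0 if the runtime
 * rejects it before the application ever sees it.
 */
int runtime_admits(unsigned level, const struct rpc_call *c, unsigned if_flags, int has_security_callback)
{
    if (strcmp(c->protseq, "ncacn_np") == 0)
        return 1;                       /* named pipes are exempt at every level */
    if (level == RPC_RESTRICT_REMOTE_CLIENT_NONE)
        return 1;                       /* pre-SP1 behaviour: the application decides */
    if (!c->remote)
        return 1;                       /* the policy targets remote anonymous calls only */
    if (call_is_secure(c))
        return 1;
    if (level == RPC_RESTRICT_REMOTE_CLIENT_DEFAULT &&
        has_security_callback && (if_flags & RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH))
        return 1;                       /* per-interface opt-out; the callback must vet the caller */
    return 0;                           /* level 2 has no exemptions */
}

/*
 * Dynamic-endpoint resolution over TCP: the client queries the Endpoint Mapper
 * first. The query is authenticated (NTLM) only when EnableAuthEpResolution is
 * set on the client AND the real call uses RPC security; a server at level >= 1
 * rejects an anonymous query.
 */
int endpoint_resolution_succeeds(unsigned server_level, int client_call_authenticated,
                                 int client_enable_auth_ep_resolution)
{
    int query_authenticated = client_enable_auth_ep_resolution && client_call_authenticated;
    if (server_level == RPC_RESTRICT_REMOTE_CLIENT_NONE)
        return 1;
    return query_authenticated;
}

int main(void)
{
    struct rpc_call tcp_anon = { "ncacn_ip_tcp", 1, 0 };   /* constructed sample calls */
    struct rpc_call udp_auth = { "ncadg_ip_udp", 1, 1 };
    struct rpc_call np_anon  = { "ncacn_np",     1, 0 };
    unsigned lvl = effective_restrict_level(0, 0, 0);       /* client SKU, key absent */

    printf("client SKU default level:               %u\n", lvl);
    printf("anonymous TCP call, no flag:            %d\n", runtime_admits(lvl, &tcp_anon, 0, 0));
    printf("anonymous TCP call, callback + flag:    %d\n",
           runtime_admits(lvl, &tcp_anon, RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, 1));
    printf("authenticated UDP call:                 %d\n", runtime_admits(lvl, &udp_auth, 0, 0));
    printf("anonymous named-pipe call at level 2:   %d\n",
           runtime_admits(RPC_RESTRICT_REMOTE_CLIENT_HIGH, &np_anon, 0, 0));
    printf("epmapper, auth call, key off:           %d\n", endpoint_resolution_succeeds(lvl, 1, 0));
    printf("epmapper, auth call, key on:            %d\n", endpoint_resolution_succeeds(lvl, 1, 1));
    return 0;
}
```

The two cases worth noticing are the ones the prose warns about: an authenticated call over ncadg_ip_udp is still rejected at level 1, and a correctly secured client call still fails at level 1 unless the client also has EnableAuthEpResolution set, because the Endpoint Mapper query that precedes it is otherwise anonymous.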
New RPC Interface Registration Flags

Detailed description
Three new interface registration flags have been created to make it easier for an application developer to secure an RPC interface.

RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH
When this flag is registered, the RPC runtime invokes the registered security callback for all calls, regardless of the call security settings. Without this flag, RPC rejects all unauthenticated calls before they reach the security callback. This flag works only when a security callback is registered.

RPC_IF_SEC_NO_CACHE
A security callback is registered for an interface in order to restrict access to that interface. The typical security callback impersonates the client to determine whether the client has sufficient rights to make a call to the interface. If a particular client identity passes a security callback once, it usually passes the same security callback every time. The RPC runtime takes advantage of this pattern by remembering when an individual client identity passes a security callback and skips the security callback for subsequent calls by that client to the same interface. This feature is called security callback caching and has existed since the Microsoft Windows 2000 family of operating systems. For Windows Server 2003 with Service Pack 1, you can use the RPC_IF_SEC_NO_CACHE flag to disable security callback caching for a given interface. This is useful if the security check might change, possibly rejecting a client identity that was previously permitted.

Local-only interface flag
When an interface is registered with this flag, RPC rejects calls made by remote RPC clients. In addition, local calls over all ncadg_* protocol sequences and all ncacn_* protocol sequences (except for named pipes, using ncacn_np) are also rejected. If a call is made on ncacn_np, RPC allows the call only if it does not come from SRV (the server service that handles remote SMB connections), which filters out all remote calls. Ncalrpc calls are always allowed through.

Why is this change important?
This change provides RPC application developers with additional security tools to help secure their RPC interface.

What works differently?
These flags will not change any existing Windows Server 2003–based application or cause it not to run correctly. The use of these new flags is at the discretion of the application developer.
What settings are added or changed in Windows Server 2003 Service Pack 1?

RPC Settings

Setting name: RestrictRemoteClients
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Group Policy object: Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC Clients
Default: 0
Possible values: 0 – None; 1 – XP SP2 and SRSP1 client SKUs default; 2 – High

Setting name: EnableAuthEpResolution
Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Group Policy object: Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication
Default: 0
Possible values: 0 – Disabled; 1 – Enabled

Do I need to change my code to work with Windows Server 2003 Service Pack 1?
You may need to change your code to work with Windows Server 2003 Service Pack 1 if you decide to enable RestrictRemoteClients. For more information about application changes that might be required, see the previous sections on RestrictRemoteClients and EnableAuthEpResolution.
