How to configure Windows Firewall to restrict access to RPC dynamic TCP ports, allowing only trusted hosts to connect
Description
The article Mitigating .NET remoting vulnerabilities on Enterprise Vault servers contains advice on firewall configuration to protect Enterprise Vault (EV) servers from attackers exploiting that vulnerability. This article shows an example Windows Firewall configuration that limits access to the RPC dynamic TCP ports to trusted hosts.
Example Windows Firewall Configuration
Windows Firewall has built-in port and port-range definitions that make the configuration straightforward for RPC-related ports. Two rules are needed to open ports for inbound RPC connections: one for the RPC Endpoint Mapper and one for the RPC Dynamic Ports. Each rule has a scope that can restrict access to a list of remote IP addresses.
The first step is to make a list of IP addresses that are allowed. This list should include:
- Enterprise Vault servers in the environment
- Content source servers that have EV components installed, like File servers (with FSA agent) and SharePoint servers
- eDiscovery and Surveillance servers (formerly called Compliance Accelerator and Discovery Accelerator)
- Integrations that use the ECM API: eDiscovery Platform (eDP) servers, Merge1 servers, Migrate servers, Transvault, etc.
- Remote computers that need to connect with a standalone Vault Admin Console (VAC)
- Any non-EV-related hosts that need to connect via DCOM/RPC to the EV server, i.e., machines used for remote administration of Windows (DCOM)
In this example, our list of IP addresses is:
- 192.168.1.180
- 192.168.1.181
Note: Instead of allowing a list of specific IPs, IP ranges or subnets can be used. This can be easier if the range or subnet exclusively contains hosts that need RPC/DCOM access. See the Windows Firewall documentation for the -RemoteAddress parameter of New-NetFirewallRule or Set-NetFirewallRule.
This list of IPs (or subnets, or IP ranges) is used for the Scope of the firewall rule, under Remote IP addresses:
Fig 1: Scope tab of the rule definition.
These PowerShell commands create the needed rules for the Domain profile:
New-NetFirewallRule -Name "DCOM-Activation" -Description "Inbound rule to allow remote DCOM activation via RPCSS service" -DisplayName "DCOM activation" -Enabled:True -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPCEPMap -Service RPCSS -RemoteAddress 192.168.1.182,192.168.1.181
New-NetFirewallRule -Name "DCOM-Call" -Description "Inbound rule to allow remote DCOM calls" -DisplayName "DCOM calls" -Enabled:True -Profile Domain -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPC -RemoteAddress 192.168.1.182,192.168.1.181
New-NetFirewallRule is used when the rules don't yet exist. Existing rules can be updated by piping them to Set-NetFirewallRule, for example:
Get-NetFirewallRule -Name "DCOM-Activation","DCOM-Call" | Set-NetFirewallRule -RemoteAddress 192.168.1.182,192.168.1.181
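The following script is an added example, not part of the original article: it creates the two rules when they are absent, otherwise only replaces their remote-address scope, and then reads the applied scope back so a rule that is still open to Any is caught. The host list is the sample list from this article and is assumed to be replaced with your own trusted hosts, ranges or subnets.

```powershell
# Added example (not from the original article): create or update the two
# inbound RPC rules idempotently and verify the resulting scope.
# Assumption: the hosts below are this article's sample list; replace them
# with the trusted hosts, ranges or subnets for your environment.
$AllowedHosts = @('192.168.1.180', '192.168.1.181')

$Rules = @(
    @{ Name = 'DCOM-Activation'; DisplayName = 'DCOM activation'
       Description = 'Inbound rule to allow remote DCOM activation via RPCSS service'
       LocalPort = 'RPCEPMap'; Service = 'RPCSS' },
    @{ Name = 'DCOM-Call'; DisplayName = 'DCOM calls'
       Description = 'Inbound rule to allow remote DCOM calls'
       LocalPort = 'RPC'; Service = 'Any' }
)

foreach ($r in $Rules) {
    $existing = Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Rule is absent: create it, scoped to the trusted hosts only.
        New-NetFirewallRule -Name $r.Name -DisplayName $r.DisplayName `
            -Description $r.Description -Enabled True -Profile Domain `
            -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort $r.LocalPort -Service $r.Service `
            -RemoteAddress $AllowedHosts | Out-Null
    } else {
        # Rule exists: replace only its remote-address scope.
        $existing | Set-NetFirewallRule -RemoteAddress $AllowedHosts
    }
}

# Verify: each rule must list only the trusted hosts, never 'Any'.
foreach ($r in $Rules) {
    $rule   = Get-NetFirewallRule -Name $r.Name
    $scope  = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $port   = ($rule | Get-NetFirewallPortFilter).LocalPort
    $status = if ($scope -contains 'Any') { 'OPEN TO ANY - FIX' } else { 'scoped' }
    "{0,-16} port={1,-9} remote={2} [{3}]" -f $rule.Name, $port, ($scope -join ','), $status
}
```

Run it from an elevated PowerShell session on the EV server; the final loop prints one line per rule with the port alias (RPCEPMap or RPC) and the remote-address scope actually stored in the firewall.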
After creating or updating the rules, they should look similar to the image below when viewed in the firewall user interface (UI):
Fig 2: Firewall UI showing the created rules. The Remote Address column is populated, and Local Port shows RPC Endpoint Mapper and RPC Dynamic Ports, respectively.