Mitigating .NET remoting vulnerabilities on Enterprise Vault servers

Article: 100074432
Last Published: 2025-06-03
Product(s): Enterprise Vault

Description

This article provides mitigation steps to address .NET Remoting vulnerabilities in environments where Enterprise Vault is deployed. It outlines firewall configuration, best practices, and access control recommendations to minimize exposure to potential threats.

Mitigation for Enterprise Vault

To mitigate the .NET Remoting vulnerabilities, configure the firewall appropriately in the network where the Enterprise Vault servers and/or clients reside. Follow the guidelines below for configuring the firewall: 

Network isolation

  • Ensure network isolation between the Enterprise Vault servers, the servers with which they communicate, and the Enterprise Vault Clients installed on users’ workstations. The Enterprise Vault servers and the servers with which they communicate can be put in a separate network segment, and appropriate firewall restrictions should be put between these two network segments.  
    • Ensure that Enterprise Vault clients (in the client network segment) can reach only the Enterprise Vault servers, and only over port 80 or 443 for HTTP/HTTPS traffic.
    • Configure each Enterprise Vault server such that only the necessary ports are open, and access is allowed only from specific servers within its network segment.
  • To learn about the target processes and ports used by the Enterprise Vault server and associated servers, refer to this
  • To learn about the destination ports required by the Enterprise Vault server, refer to this.
  • If you have File System Archiving (FSA) in your environment, refer to this for information on how to configure a firewall for FSA.
  • The diagram below helps you to visualize the network configuration described so far:
  • Optionally, narrow down the RPC dynamic port range on Enterprise Vault servers. This allows the firewall to restrict access to a specific range and block all other ports from external sources.  Refer to:
  • Ensure that only Enterprise Vault administrators have access to the Enterprise Vault servers as described in the Enterprise Vault Administrator’s Guide.
  • For other servers in this network segment, ensure that only trusted users have RDP access.  Only trusted users should be part of the Remote Desktop Users group.

Ensure that the latest Windows updates have been installed on the Enterprise Vault server.

Mitigation for eDiscovery (formerly Discovery Accelerator) and Arctera Surveillance (formerly Compliance Accelerator)

The eDiscovery/Discovery Accelerator and Arctera Surveillance/Compliance Accelerator servers can be protected from such .NET Remoting attacks by applying the following guidelines:

  • Ensure only trusted users are part of the Remote Desktop Users group and have RDP access to the respective servers. 
  • On client machines, allow only legitimate eDiscovery/Discovery Accelerator or Arctera Surveillance/Compliance Accelerator users to log on.
  • Ensure that the firewall is enabled and properly configured to block all incoming traffic on ports 8085 and 8086 from all machines, except for those where the client applications are installed.
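
The port 8085/8086 restriction above, sketched for Windows Defender Firewall. This is an added example, not vendor-supplied code. It assumes the host firewall is Windows Defender Firewall and that the listeners use TCP; the client addresses and the rule name are constructed placeholders.

```powershell
# Added example (not vendor code). Run in an elevated session on the Accelerator server.
# Assumptions: the listeners use TCP; the addresses are constructed placeholders.
$Ports          = '8085', '8086'
$AllowedClients = '192.0.2.10', '192.0.2.11'                  # constructed sample client IPs
$RuleName       = 'Accelerator clients 8085-8086 (example)'   # hypothetical rule name

# 1. A scoped allow rule only restricts access if the firewall is on and
#    unmatched inbound traffic is dropped by default. ActiveStore reflects
#    the effective settings, including Group Policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object { Write-Warning "Profile $($_.Name): firewall off or default inbound is Allow" }

# 2. Report enabled inbound allow rules that already expose these ports to any
#    remote address. Port ranges such as 8000-9000 are not expanded here.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -in 'TCP', 'Any') -and
        (@($pf.LocalPort) | Where-Object { $_ -in ($Ports + 'Any') }) -and
        (@($af.RemoteAddress) -contains 'Any')
    }
$broad | ForEach-Object { Write-Warning "Broad allow rule to review: $($_.DisplayName)" }

# 3. Create one allow rule scoped to the client machines. Do not add a
#    block-all rule for the ports: in Windows Firewall a block rule wins
#    over an allow rule and would cut off the clients as well.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Ports -RemoteAddress $AllowedClients | Out-Null
}

# 4. Show the resulting scope for the change record.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Any rule reported in step 2 has to be narrowed or disabled by hand, because a broad allow rule keeps the ports reachable regardless of the scoped rule.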
