Description
This article provides mitigation steps to address .NET Remoting vulnerabilities in environments where Enterprise Vault is deployed. It outlines firewall configuration, best practices, and access control recommendations to minimize exposure to potential threats.
Mitigation for Enterprise Vault
To mitigate the .NET Remoting vulnerabilities, configure the firewall appropriately in the network(s) where the Enterprise Vault servers and clients reside. The essential part of the mitigation is tightly controlling access to Microsoft RPC dynamic TCP ports on EV servers. Follow the guidelines below for configuring the network:
Network isolation
- Ensure network isolation between the Enterprise Vault servers, the servers with which they communicate, and the Enterprise Vault client workstations. The Windows firewall (or other firewall) protecting Enterprise Vault servers should only allow RPC dynamic port access from trusted servers (or other hosts) with which they communicate.
- Ensure that Enterprise Vault clients (in the client network segment) can reach the Enterprise Vault servers only over TCP port 80 (HTTP) or 443 (HTTPS); client workstations have no need for RPC access to the servers.
- Configure each Enterprise Vault server such that only the necessary ports are open, and access is allowed only from specific servers within its network segment.
- For an example of how to configure Windows Firewall to restrict access to the RPC dynamic ports to allowed hosts only, refer to this article.
- To learn about the target processes and ports used by the Enterprise Vault server and associated servers, refer to this article.
- To learn about the destination ports required by the Enterprise Vault server, refer to this article.
- If you have File System Archiving (FSA) in your environment, refer to this article for information on how to configure a firewall for FSA.
- The diagram below helps you to visualize the network configuration described so far:
Fig 1: Network segment 1 for end user machines and network segment 2 for EV and other servers. Segment 2 shows firewalls protecting the EV servers, to allow only trusted hosts to connect to Windows dynamic RPC ports.
- Optionally, narrow down the RPC dynamic port range on Enterprise Vault servers. This can make firewall configuration easier to manage. Refer to:
- Ensure that only Enterprise Vault administrators have access to the Enterprise Vault servers as described in the Enterprise Vault Administrator’s Guide.
- For other servers in this network segment, ensure that only trusted users have RDP access. Only trusted users should be part of the Remote Desktop Users group.
Ensure that the latest Windows updates have been installed on the Enterprise Vault server.
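The network-isolation steps above, carried out on a single Enterprise Vault server with the Windows Defender Firewall cmdlets. This is an added example, not a script from the Arctera/Veritas article or from the product: the trusted-server addresses, the client subnet and the narrowed RPC range 5000-5200 are placeholders to replace with your own values, and the registry-based narrowing of the RPC dynamic range is Microsoft's documented `HKLM\SOFTWARE\Microsoft\Rpc\Internet` method, which this article only refers to in passing. Run it in an elevated PowerShell session on the EV server.

```powershell
# Added example (not from the Arctera/Veritas article). Restricts inbound RPC on an
# Enterprise Vault server to trusted hosts, allows only HTTP/S from the client
# segment, and optionally narrows the RPC dynamic port range.
#Requires -RunAsAdministrator

# --- Placeholders: replace with your environment's values (constructed) -----------
$TrustedServers = @('10.0.2.10', '10.0.2.11', '10.0.2.20')  # SQL, Exchange, other EV servers
$ClientSubnet   = '10.0.1.0/24'                            # end-user workstation segment
$RpcPortRange   = '5000-5200'   # narrowed range; use '49152-65535' if you skip step 1
$RulePrefix     = 'EV Hardening'

# --- Step 1 (optional): narrow the RPC dynamic port range ---------------------------
# Microsoft's documented mechanism: Ports / PortsInternetAvailable / UseInternetPorts
# under HKLM\SOFTWARE\Microsoft\Rpc\Internet. A reboot is required before the RPC
# runtime uses the new range, so apply this first and re-check after rebooting.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString -Value @($RpcPortRange) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# --- Step 2: default-deny inbound on every profile ---------------------------------
# Windows Firewall evaluates Block rules before Allow rules, so a blanket Block rule
# would also cut off the trusted servers. The correct pattern is default-deny plus
# narrowly scoped Allow rules. Existing Allow rules (for example the built-in Remote
# Desktop group) still apply; review them separately so RDP is reachable only from
# administrator hosts.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# --- Step 3: remove rules from an earlier run so the script is idempotent -----------
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# --- Step 4: RPC endpoint mapper (TCP 135) and the dynamic range, trusted hosts only --
# Callers resolve the dynamic port through the endpoint mapper, so 135 must be
# scoped to the same trusted hosts as the dynamic range.
New-NetFirewallRule -DisplayName "$RulePrefix - RPC endpoint mapper from trusted servers" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 135 `
    -RemoteAddress $TrustedServers -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "$RulePrefix - RPC dynamic ports from trusted servers" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $RpcPortRange `
    -RemoteAddress $TrustedServers -Profile Any | Out-Null

# --- Step 5: HTTP/S from the client segment only ------------------------------------
New-NetFirewallRule -DisplayName "$RulePrefix - HTTP/S from client segment" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('80', '443') `
    -RemoteAddress $ClientSubnet -Profile Any | Out-Null

# --- Step 6: show the resulting rules with their port and address scope -------------
Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Action        = $_.Action
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

Add one Allow rule per additional inbound port the server legitimately needs (the destination-port articles referenced above list them), always with a `-RemoteAddress` scope; an Allow rule without one re-exposes the port to the whole segment.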
Mitigation for eDiscovery (formerly Discovery Accelerator) and Arctera Surveillance (formerly Compliance Accelerator)
The eDiscovery/Discovery Accelerator and Arctera Surveillance/Compliance Accelerator servers can be protected from such .NET Remoting attacks by applying the following guidelines:
- Ensure only trusted users are part of the Remote Desktop Users group and have RDP access to the respective servers.
- On client machines, allow only legitimate eDiscovery/Discovery Accelerator or Arctera Surveillance/Compliance Accelerator users to log on.
- Ensure that the firewall is enabled and properly configured to block all incoming traffic on ports 8085 and 8086 from all machines, except for those where the client applications are installed.
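A check for the last point, as an added example that is not part of the Arctera/Veritas article: it audits an eDiscovery or Arctera Surveillance server for inbound firewall exposure of ports 8085 and 8086. The list of client-application hosts is a constructed placeholder, and treating 8085/8086 as TCP is an assumption of this example. Run it in an elevated PowerShell session on the server being checked.

```powershell
# Added example (not from the Arctera/Veritas article). Reports firewall profiles
# that are off or not default-deny, enabled inbound Allow rules that expose TCP
# 8085/8086 beyond the client-application hosts, and which process is listening.
#Requires -RunAsAdministrator

$AccelPorts     = @(8085, 8086)                  # assumed TCP
$AllowedClients = @('10.0.1.50', '10.0.1.51')    # constructed: hosts with the client app

function Test-PortMatch {
    # True if a port-filter value ('Any', '8085', '8080-8090', ...) covers $Port.
    param([string[]]$FilterPorts, [int]$Port)
    foreach ($p in $FilterPorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) {
            return $true
        }
    }
    return $false
}

# 1. Every profile should be enabled with inbound default Block; otherwise the
#    absence of an Allow rule proves nothing.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled -or $profile.DefaultInboundAction -ne 'Block') {
        Write-Warning ("Profile {0}: Enabled={1}, DefaultInboundAction={2}" -f
            $profile.Name, $profile.Enabled, $profile.DefaultInboundAction)
    }
}

# 2. Any enabled inbound Allow rule that covers 8085/8086 and whose remote scope
#    includes an address outside the client list is a finding. A rule with
#    RemoteAddress 'Any' is the common misconfiguration this catches.
$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -ne 'TCP' -and $pf.Protocol -ne 'Any') { continue }
    $covered = @($AccelPorts | Where-Object { Test-PortMatch -FilterPorts @($pf.LocalPort) -Port $_ })
    if ($covered.Count -eq 0) { continue }
    $af    = $rule | Get-NetFirewallAddressFilter
    $extra = @($af.RemoteAddress) | Where-Object { $_ -notin $AllowedClients }
    if ($extra) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Ports         = ($covered -join ',')
            RemoteAddress = ($extra -join ',')
        }
    }
}
if ($findings) {
    Write-Warning 'Over-broad inbound Allow rules for 8085/8086:'
    $findings | Format-Table -AutoSize
} else {
    'No inbound Allow rule exposes 8085/8086 beyond the listed client hosts.'
}

# 3. Confirm what is actually listening on those ports (expect only the Accelerator
#    service); an unexpected listener is worth investigating regardless of rules.
Get-NetTCPConnection -State Listen -LocalPort $AccelPorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

Remediation for a finding is the same pattern as on the Enterprise Vault servers: keep the profile default inbound action at Block and replace the over-broad rule with one whose `-RemoteAddress` lists only the client-application hosts.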