Windows
Allow/block specific RPC interface UUIDs with Windows Firewall
Is it possible to block/allow certain RPC UUIDs using Windows Firewall?
For example, Active Directory domain controller replication uses RPC over TCP via the drsuapi and dsaop RPC servers, which have the UUIDs e3514235-4b06-11d1-ab04-00c04fc2dcd2 and 7c44d7d4-31d5-424c-bd5e-2b3e1f323d22 respectively.
I would like to create a rule that only allows this traffic from the domain controllers, and perhaps also from the IT admin subnet. Allowing all RPC traffic is far too broad, because it greatly increases the attack surface: Windows exposes many other RPC servers (for example DCOM or the Task Scheduler). Is there any way to restrict traffic at this level?
Yes, you can do this with the netsh rpc filter command, but documentation and examples are scarce. The best documentation is the netsh help:

netsh rpc filter add condition /?
Usage: add condition [field=]<string> [matchtype=]<string> [data=]<string>

Parameters:

    Tag           Value
    field       - One of the following values:
                  For layer = um
                    if_uuid
                    if_version
                    if_flag
                    dcom_app_id
                    image_name
                    protocol
                    auth_type
                    auth_level
                    sec_encrypt_alg
                    sec_key_size
                    remote_user_token
                    local_addr_v4
                    local_addr_v6
                    remote_addr_v4
                    remote_addr_v6
                    local_port
                    pipe
                  For layer = epmap
                    if_uuid
                    if_version
                    protocol
                    auth_type
                    auth_level
                    sec_encrypt_alg
                    sec_key_size
                    remote_user_token
                    local_addr_v4
                    local_addr_v6
                    remote_addr_v4
                    remote_addr_v6
                    local_port
                    pipe
                  For layer = ep_add
                    process_with_if_uuid
                    protocol
                    ep_value
                    ep_flags
                  For layer = proxy_conn
                    server_name
                    server_port
                    proxy_auth_type
                    client_token
                    client_cert_key_name
                    client_cert_oid
                  For layer = proxy_if
                    if_uuid
                    if_version
                    server_name
                    server_port
                    proxy_auth_type
                    client_token
                    client_cert_key_length
                    client_cert_oid
    matchtype   - One of the following values:
                    equal
                    greater
                    less
                    greater_or_equal
                    less_or_equal
                    range
                    all_set
                    any_set
                    none_set
    data        - Value associated with the field paramter.

Remarks: Adds a condition to the RPC firewall rule.

Examples:

    add condition field=if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
    add condition field=protocol matchtype=equal data=ncacn_ip_tcp
netsh rpc filter add filter /?
Usage: add filter

Remarks: Adds an RPC firewall filter. A rule and one or more conditions must be added before adding a filter.

Example:

    add filter
netsh rpc filter add rule /?
Usage: add rule [layer=]<string> [actiontype=]<string> [[filterkey=]<string>] [[persistence=]volatile] [[audit=]enable]

Parameters:

    Tag           Value
    layer       - One of the following values:
                    um
                    epmap
                    ep_add
                    proxy_conn
                    proxy_if
    actiontype  - One of the following values:
                    block
                    permit
                    continue
    persistence - Filter will be persistent. This is the default.
    filterkey   - Uuid to uniquely identify the RPC firewall filter.
    audit       - Enable auditing for this filter
                  Only permit action type is allowed for audit rules.
                  Audit rules are not allowed at ep_add layer.

Remarks: Adds an RPC firewall filter rule.

Examples:

    add rule layer=um actiontype=block
    add rule layer=epmap actiontype=permit filterkey=11111111-1111-1111-1111-111111111111
I have only found a few examples online. One is this KB article, whose formatting is messed up, but I happen to have a formatted snapshot:
These two articles also have some interesting information:
https://docs.microsoft.com/en-us/windows/desktop/rpc/load-balancing-best-practices
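The following PowerShell script is an added example for the scenario in the question; it is not code from the answer above or from Microsoft. It generates a netsh script that permits the drsuapi and dsaop interfaces (the two UUIDs from the question) only from a list of source addresses and blocks those interfaces from every other peer, using only the add rule / add condition / add filter commands shown in the help output above. The IP addresses are constructed placeholders, the dotted-quad format for the remote_addr_v4 data value is an assumption, and the script assumes that um-layer filters are evaluated in the order they are added (permit filters first, block last); verify the installed filters with netsh rpc filter show filter and, if in doubt, test with audit=enable before enforcing.

```powershell
# Added example: generate (and optionally apply) netsh rpc filter rules that
# restrict two RPC interfaces to a set of allowed source addresses.
param(
    [switch]$Apply   # without -Apply the script only writes and prints the netsh script
)

# Interface UUIDs taken from the question.
$Interfaces = [ordered]@{
    'drsuapi' = 'e3514235-4b06-11d1-ab04-00c04fc2dcd2'
    'dsaop'   = '7c44d7d4-31d5-424c-bd5e-2b3e1f323d22'
}

# Constructed placeholder sources (documentation ranges); replace with your
# domain controllers and admin hosts.
$AllowedSources = @('192.0.2.10', '192.0.2.11', '198.51.100.25')

function New-RpcFilterScript {
    param(
        [System.Collections.IDictionary]$Interfaces,
        [string[]]$AllowedSources
    )
    $lines = [System.Collections.Generic.List[string]]::new()
    $keys  = [System.Collections.Generic.List[string]]::new()

    # Enter the 'rpc filter' context of netsh.
    $lines.Add('rpc')
    $lines.Add('filter')

    foreach ($name in $Interfaces.Keys) {
        $uuid = $Interfaces[$name]

        # Conditions within one rule are ANDed, so each allowed source needs
        # its own permit filter. A filterkey makes later deletion easy:
        #   netsh rpc filter delete filter filterkey=<key>
        foreach ($src in $AllowedSources) {
            $key = [guid]::NewGuid().ToString()
            $keys.Add("$name permit $src filterkey=$key")
            $lines.Add("add rule layer=um actiontype=permit filterkey=$key")
            $lines.Add("add condition field=if_uuid matchtype=equal data=$uuid")
            # Assumption: remote_addr_v4 accepts a dotted-quad IPv4 address.
            $lines.Add("add condition field=remote_addr_v4 matchtype=equal data=$src")
            $lines.Add('add filter')
        }

        # Catch-all block for the same interface from any other peer.
        # Assumption: filters are evaluated in the order added, so the
        # permit filters above take precedence over this block.
        $key = [guid]::NewGuid().ToString()
        $keys.Add("$name block any filterkey=$key")
        $lines.Add("add rule layer=um actiontype=block filterkey=$key")
        $lines.Add("add condition field=if_uuid matchtype=equal data=$uuid")
        $lines.Add('add filter')
    }

    return [pscustomobject]@{
        Script     = ($lines -join "`r`n")
        FilterKeys = $keys
    }
}

$result = New-RpcFilterScript -Interfaces $Interfaces -AllowedSources $AllowedSources
$path   = Join-Path $env:TEMP 'rpc-filter-drsuapi-dsaop.txt'
Set-Content -Path $path -Value $result.Script -Encoding ASCII

Write-Host "netsh script written to $path"
Write-Host $result.Script
Write-Host "`nFilter keys (keep these for netsh rpc filter delete filter):"
$result.FilterKeys | ForEach-Object { Write-Host "  $_" }

if ($Apply) {
    # Must run elevated. 'netsh -f' executes the commands from the script file
    # in one netsh session, which add rule/condition/filter require.
    netsh -f $path
    # Review what is now installed.
    netsh rpc filter show filter
}
```

Run without -Apply first to inspect the generated netsh script; run with -Apply from an elevated PowerShell to install the filters. The filters are persistent by default (see the persistence parameter in the add rule help), so record the printed filter keys to be able to remove them again.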