使用 Windows 防火牆允許/阻止特定的 RPC 介面 UUID

July 3, 2019

是否可以使用 Windows 防火牆阻止/允許某些 RPC UUID？
例如，Active Directory 域控制器複製使用 RPC over TCP 通過drsuapi 和 dsaop RPC 伺服器進行，分別具有 UUIDe3514235-4b06-11d1-ab04-00c04fc2dcd2和。7c44d7d4-31d5-424c-bd5e-2b3e1f323d22我想創建一個規則，只允許來自域控制器的流量，也可能來自 IT 管理員子網。允許所有RPC 流量過於寬泛，因為這大大增加了攻擊面，因為 Windows 公開了許多其他 RPC 伺服器（例如 DCOM 或任務調度程序）。有什麼辦法可以限制這個級別的流量嗎？

是的，您可以使用netsh rpc filter命令執行此操作，但文件和範例很少。最好的文件是 netsh 幫助：

netsh rpc 過濾器添加條件/？

Usage: add condition [field=]&lt;string&gt; [matchtype=]&lt;string&gt; [data=]&lt;string&gt;

Parameters:

      Tag           Value
      field       - One of the following values:
                    For layer = um
                        if_uuid if_version if_flag dcom_app_id image_name
                        protocol auth_type auth_level sec_encrypt_alg
                        sec_key_size remote_user_token local_addr_v4
                        local_addr_v6 remote_addr_v4 remote_addr_v6
                        local_port pipe
                    For layer = epmap
                        if_uuid if_version protocol auth_type auth_level
                        sec_encrypt_alg sec_key_size remote_user_token
                        local_addr_v4 local_addr_v6 remote_addr_v4
                        remote_addr_v6 local_port pipe
                    For layer = ep_add
                        process_with_if_uuid protocol ep_value ep_flags
                    For layer = proxy_conn
                        server_name server_port proxy_auth_type
                        client_token client_cert_key_name client_cert_oid
                    For layer = proxy_if
                        if_uuid if_version server_name server_port
                        proxy_auth_type client_token client_cert_key_length
                        client_cert_oid
      matchtype   - One of the following values:
                    equal
                    greater
                    less
                    greater_or_equal
                    less_or_equal
                    range
                    all_set
                    any_set
                    none_set
      data        - Value associated with the field paramter.

Remarks: Adds a condition to the RPC firewall rule.

Examples:

      add condition field=if_uuid matchtype=equal
                    data=11111111-1111-1111-1111-111111111111
      add condition field=protocol matchtype=equal data=ncacn_ip_tcp

netsh rpc 過濾器添加過濾器/？

Usage: add filter

Remarks: Adds an RPC firewall filter.
        A rule and one or more conditions must be added
        before adding a filter.


Example:

      add filter

netsh rpc 過濾器添加規則/？

Usage: add rule [layer=]&lt;string&gt; [actiontype=]&lt;string&gt; [[filterkey=]&lt;string&gt;]
            [[persistence=]volatile] [[audit=]enable]

Parameters:

      Tag           Value
      layer       - One of the following values:
                    um
                    epmap
                    ep_add
                    proxy_conn
                    proxy_if
      actiontype  - One of the following values:
                    block
                    permit
                    continue
      persistence - Filter will be persistent.
                    This is the default.
      filterkey   - Uuid to uniquely identify the RPC firewall filter.
      audit       - Enable auditing for this filter
                    Only permit action type is allowed for audit rules.
                    Audit rules are not allowed at ep_add layer.

Remarks: Adds an RPC firewall filter rule.

Examples:

      add rule layer=um actiontype=block
      add rule layer=epmap actiontype=permit
               filterkey=11111111-1111-1111-1111-111111111111

我在網上只找到了幾個例子，一個是這個 KB 文章，它的格式搞砸了，但我碰巧有一個格式化的快照：