Windows

Allow/block specific RPC interface UUIDs with the Windows Firewall

  • July 3, 2019

Is it possible to block/allow certain RPC UUIDs with the Windows Firewall?

For example, Active Directory domain controller replication uses RPC over TCP through the drsuapi and dsaop RPC servers, whose UUIDs are e3514235-4b06-11d1-ab04-00c04fc2dcd2 and 7c44d7d4-31d5-424c-bd5e-2b3e1f323d22 respectively. I would like to create a rule that only allows this traffic from domain controllers, and possibly from the IT admin subnet. Allowing all RPC traffic is far too broad, because it greatly increases the attack surface given that Windows exposes many other RPC servers (e.g. DCOM or the Task Scheduler). Is there any way to restrict traffic at this level?

Yes, you can do this with the netsh rpc filter command, but documentation and examples are scarce. The best documentation is the netsh help:

netsh rpc filter add condition /?

Usage: add condition [field=]<string> [matchtype=]<string> [data=]<string>

Parameters:

      Tag           Value
      field       - One of the following values:
                    For layer = um
                        if_uuid if_version if_flag dcom_app_id image_name
                        protocol auth_type auth_level sec_encrypt_alg
                        sec_key_size remote_user_token local_addr_v4
                        local_addr_v6 remote_addr_v4 remote_addr_v6
                        local_port pipe
                    For layer = epmap
                        if_uuid if_version protocol auth_type auth_level
                        sec_encrypt_alg sec_key_size remote_user_token
                        local_addr_v4 local_addr_v6 remote_addr_v4
                        remote_addr_v6 local_port pipe
                    For layer = ep_add
                        process_with_if_uuid protocol ep_value ep_flags
                    For layer = proxy_conn
                        server_name server_port proxy_auth_type
                        client_token client_cert_key_name client_cert_oid
                    For layer = proxy_if
                        if_uuid if_version server_name server_port
                        proxy_auth_type client_token client_cert_key_length
                        client_cert_oid
      matchtype   - One of the following values:
                    equal
                    greater
                    less
                    greater_or_equal
                    less_or_equal
                    range
                    all_set
                    any_set
                    none_set
      data        - Value associated with the field paramter.

Remarks: Adds a condition to the RPC firewall rule.

Examples:

      add condition field=if_uuid matchtype=equal
                    data=11111111-1111-1111-1111-111111111111
      add condition field=protocol matchtype=equal data=ncacn_ip_tcp

netsh rpc filter add filter /?

Usage: add filter

Remarks: Adds an RPC firewall filter.
        A rule and one or more conditions must be added
        before adding a filter.


Example:

      add filter

netsh rpc filter add rule /?

Usage: add rule [layer=]<string> [actiontype=]<string> [[filterkey=]<string>]
            [[persistence=]volatile] [[audit=]enable]

Parameters:

      Tag           Value
      layer       - One of the following values:
                    um
                    epmap
                    ep_add
                    proxy_conn
                    proxy_if
      actiontype  - One of the following values:
                    block
                    permit
                    continue
      persistence - Filter will be persistent.
                    This is the default.
      filterkey   - Uuid to uniquely identify the RPC firewall filter.
      audit       - Enable auditing for this filter
                    Only permit action type is allowed for audit rules.
                    Audit rules are not allowed at ep_add layer.

Remarks: Adds an RPC firewall filter rule.

Examples:

      add rule layer=um actiontype=block
      add rule layer=epmap actiontype=permit
               filterkey=11111111-1111-1111-1111-111111111111

I have only found a few examples online; one is this KB article, whose formatting is messed up, but I happen to have a formatted snapshot:

Network example

These two articles also have some interesting information:

https://support.microsoft.com/en-us/help/838191/list-of-remote-procedure-call-rpc-fixes-in-windows-xp-service-pack-2-a

https://docs.microsoft.com/en-us/windows/desktop/rpc/load-balancing-best-practices
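The following PowerShell script is an added example, not code from the Server Fault answer or from Microsoft. It turns the netsh help above into a complete restriction for the two replication interfaces named in the question: a permit filter for each allowed source address, followed by a catch-all block filter for the interface, using only the layer (um), fields (if_uuid, remote_addr_v4), match type (equal) and action types (permit, block) listed in the help. The sample addresses 10.0.0.11 and 10.0.0.12 are constructed. Two things are assumptions rather than something the page states: that remote_addr_v4 takes a plain dotted-quad value, and that the more specific permit filters must be added before the block filter for them to take precedence. Both should be verified on a test DC by running the generated commands and inspecting `netsh rpc filter show filter` (a netsh subcommand not quoted on the page) before relying on the policy.

```powershell
# Added example (not from the original post). Builds a "netsh rpc filter"
# script that permits the drsuapi and dsaop interfaces only from listed
# source addresses and blocks them from everywhere else. Run as Administrator.
# ASSUMPTIONS: remote_addr_v4 accepts a dotted-quad value, and permit filters
# added before the block filter win; confirm with "netsh rpc filter show filter".

param(
    # Constructed sample addresses; replace with your DC / admin-subnet hosts.
    [string[]]$AllowedHosts = @('10.0.0.11', '10.0.0.12'),
    [switch]$Apply   # without -Apply the script only prints the netsh commands
)

# Interface UUIDs from the question (drsuapi and dsaop).
$Interfaces = [ordered]@{
    drsuapi = 'e3514235-4b06-11d1-ab04-00c04fc2dcd2'
    dsaop   = '7c44d7d4-31d5-424c-bd5e-2b3e1f323d22'
}

function New-RpcFilterScript {
    param(
        [System.Collections.IDictionary]$Uuids,
        [string[]]$Hosts
    )
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add('rpc filter')                      # enter the "netsh rpc filter" context
    foreach ($name in $Uuids.Keys) {
        $uuid = $Uuids[$name]
        # One permit filter per allowed host. Order per the help text:
        # a rule and its conditions must exist before "add filter".
        foreach ($h in $Hosts) {
            $lines.Add("add rule layer=um actiontype=permit")
            $lines.Add("add condition field=if_uuid matchtype=equal data=$uuid")
            $lines.Add("add condition field=remote_addr_v4 matchtype=equal data=$h")
            $lines.Add('add filter')
        }
        # Catch-all block for this interface from any other source (any transport,
        # since it matches on if_uuid only).
        $lines.Add("add rule layer=um actiontype=block")
        $lines.Add("add condition field=if_uuid matchtype=equal data=$uuid")
        $lines.Add('add filter')
    }
    $lines.Add('show filter')                     # dump the resulting filter table
    return $lines
}

$script = New-RpcFilterScript -Uuids $Interfaces -Hosts $AllowedHosts
$script | ForEach-Object { Write-Output $_ }     # always show what would be applied

if ($Apply) {
    # "netsh -f <file>" executes a file of netsh commands, one per line.
    $path = Join-Path $env:TEMP 'rpc-filter.txt'
    Set-Content -Path $path -Value $script -Encoding ASCII
    netsh -f $path
    Remove-Item $path
}
```

Two caveats worth checking on your own environment: the permit filters only cover IPv4 sources, so a replication partner reached over IPv6 would fall through to the block filter and needs a matching remote_addr_v6 permit; and because the help says filters are persistent by default, a mistake here survives a reboot, so test with a single non-critical interface first.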

Source: https://serverfault.com/questions/973611