[Samba] MS-RPC, LSARPC and Named Pipes end points

Hi everyone,

I get more and more questions from security minded clients about MS-RPC and the dynamic RPC port range. The default range is quite wide, and while it can be configured and reduced through the "rpc server dynamic port range" parameter since 4.7.0, it still gets network/firewall/security people nervous.

Digging further into that subject, after some more reading and tcpdump'ing, I started to do some tests blocking the dynamic range for a few workstations, and I didn't have the users yelling back at me. On the other hand, some administrative tasks like AD replication and remote server management in compmgmt.msc do really need those ports accessible. But for standard workstation use, I haven't had any issues so far (for our internal use case).

I was also wondering what are the common points and the differences between LSARPC, RPC over SMB, and MS-RPC/DCE-RPC:

* is MS-RPC the default standard for RPC transport (port 135 + dynamic range)

* is RPC over SMB / named pipes considered legacy (port 445 and 139 if netbios enabled)

* are there applications that choose LSARPC, SMBRPC or MS-RPC by default

* is it interchangeable, that is to say, are all MS-RPC endpoints also callable through SMBRPC / named pipes and the other way around?

* is it possible to have fallback on SMBRPC (named pipes) if MS-RPC is not available

Documentation on Microsoft RPC is not the easiest to navigate through, so bear with me if my questions are too basic.

My first aim would be to avoid the need for such a big range from the server VLAN to the other desktop VLANs. The second need would be to restrict the replication partners for DRS through firewalling.
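As an added example (not from the original post, and not Samba project code), one way to keep a narrowed "rpc server dynamic port range" and the firewall in step: a POSIX shell script that derives both the smb.conf fragment and an nftables ruleset from a single range definition, so the two cannot drift apart. The range 49152-49252 and the admin/server VLAN 10.0.10.0/24 are illustrative assumptions.

```shell
#!/bin/sh
# Added example: derive the Samba setting and the nftables rules from ONE
# range definition. Values below are assumed / illustrative, not from the post.
RPC_RANGE="49152-49252"      # narrowed "rpc server dynamic port range" (assumed)
ADMIN_NET="10.0.10.0/24"     # server/admin VLAN allowed to reach the range (assumed)

# Sanity-check a "lo-hi" range: numeric, above the well-known ports, lo < hi.
check_range() {
  lo=${1%-*}; hi=${1#*-}
  case "$lo$hi" in *[!0-9]*|"") return 1;; esac
  [ "$lo" -ge 1024 ] && [ "$hi" -le 65535 ] && [ "$lo" -lt "$hi" ]
}

# smb.conf fragment (the parameter exists since Samba 4.7.0).
smb_conf_fragment() {
  check_range "$1" || return 1
  printf '[global]\n\trpc server dynamic port range = %s\n' "$1"
}

# nftables ruleset: the endpoint mapper (135) and the narrowed dynamic range
# are reachable only from ADMIN_NET; anything else hitting them is dropped.
# SMB (445) is left untouched so workstations keep RPC over named pipes.
nft_ruleset() {
  check_range "$1" || return 1
  cat <<EOF
table inet samba_rpc {
  chain input {
    type filter hook input priority 0; policy accept;
    ip saddr $2 tcp dport { 135, $1 } accept
    tcp dport { 135, $1 } drop
  }
}
EOF
}

# Print both fragments; redirect each into smb.conf / an nft include file.
smb_conf_fragment "$RPC_RANGE"
nft_ruleset "$RPC_RANGE" "$ADMIN_NET"
```

Remember that the range must also be opened towards replication partners and management hosts, since those tasks did break when the range was blocked.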


