[Samba] MS-RPC, LSARPC and Named Pipes end points
- Date: Wed, 20 Dec 2017 16:57:05 +0100
- From: Denis Cardon via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] MS-RPC, LSARPC and Named Pipes end points
I get more and more questions from security minded clients about MS-RPC
and the dynamic RPC port range. The default range is quite wide, and
while it can be configured and reduced through the "rpc server dynamic
port range" parameter since 4.7.0, it still get
network/firewall/security people nervous.
Digging further into that subject, after some more reading and
tcpdump'ing, I started to do some test blocking the dynamic range for a
few workstations, and I didn't had the users yelling back at me. On the
other hand some administrative tasks like AD replication, remote server
management in compmgmt.msc do really need those ports accessible. But
for a standard use of workstation, I didn't get any issues so far (for
our internal use case).
I was also wondering what are the common points and the differences
between LSARPC, RPC over SMB, and MS-RPC/DCE-RPC:
* is MS-RPC the default standard for RPC transport (port 135 + dynamic
* is RPC over SMB / named pipes considered legacy (port 445 and 139 if
* is there some application that choose LSARPC, SMBRPC or MS-RPC by default
* is it interchangeable, that is to say, are all MS-RPC endpoint also
callable through SMBRPC / named pipes and the other way around?
* is it possible to have fallback on SMBRPC (named pipes) if MS-RPC is
Documentation on Microsoft RPC is not the easiest to navigate through,
so bear with me if my questions are too basic.
My first aim would be able to avoid the need for such a big range from
the server vlan to the other desktops vlan. The second need would be to
restrict the replication partners for DRS through firewalling.
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 18.104.22.168.55
To unsubscribe from this list go to the following URL and read the