This reduces the number of ports that are available to RPC endpoints from 3, to The number of ports was selected arbitrarily and is not a recommendation for the number of ports that are needed for any specific system. Next, an IPsec policy must be created to restrict access to this port range to deny access to all hosts on the network.
Finally, the IPsec policy can be updated to give certain IP addresses or network subnets access to the blocked RPC ports and to exclude all others. To do this, visit the following Microsoft Web site:.
The syntax and usage of IPseccmd. For more information about the Windows XP support tools, click the following article number to view the article in the Microsoft Knowledge Base:. At the command prompt, type rpccfg. Note This port range is recommended for use by RPC endpoints because ports in this range are not likely to be allocated for use by other applications.
By default, RPC uses the port range of to for allocating ports for endpoints. However, ports in this range are also dynamically allocated for use by the Windows operating system for all Windows sockets applications and can be exhausted on heavily used servers such as terminal servers and middle-tier servers that make many outgoing calls to remote systems.
For example, when Internet Explorer contacts a Web server on port 80, it listens on a port in the range for the response from the server. A middle-tier COM server that makes outgoing calls to other remote servers also uses a port in this range for the incoming reply to that call. Moving the range of ports that RPC uses for its endpoints to the port range will reduce the chance that these ports will be used by other applications. For more information about ephemeral port usage in Windows operating systems, visit the following Microsoft Web sites.
For more information about how to use IPsec to block ports, click the following article number to view the article in the Microsoft Knowledge Base:. On Windows , use Ipsecpol. For example, on Windows , type the following command from a directory that contains Ipsecpol. On Windows XP and on later operating systems, type the following command from a directory that contains Ipseccmd. For example, type the following command on Windows hosts to block all incoming access to TCP To block all incoming access to TCP , type the following command on Windows XP hosts and on hosts of later Windows operating systems:.
Repeat this command for each RPC port that must be blocked by changing the port number that is listed in this command. Ports that must be blocked are in the range.
Note Do not forget to change the port number both in the rule name (the -r switch) and in the filter (the -f switch).
If you must give specific subnets access to the restricted RPC ports, you must first give these subnets access to the RPC Endpoint Mapper that you blocked earlier. This command is either "ipsecpol. For example, the following command enables all hosts from the All other hosts will have their connections denied by the default block rule that was created earlier for this port. Each subnet that was given access to the RPC Endpoint Mapper earlier should also be given access to all the ports in the new RPC dynamic port range. If you enable subnets to reach the RPC Endpoint Mapper but not the dynamic port range, the application may stop responding, or you may experience other problems.
The following command gives a specific subnet access to a port in the new RPC dynamic port range:. Note The commands in this section take effect immediately. After you create all the block rules and all the optional allow rules for the configured RPC ports, assign the policy by using the following command:.
Note The server may require more than 20 TCP ports. You can use the rpcdump.
Evan Anderson
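As an added example that is not part of the answer above or of Microsoft's article, the following Python script generates the per-port block rules and per-subnet allow rules the procedure describes and enforces its caveat that any subnet allowed to reach the Endpoint Mapper also gets the whole restricted dynamic range. The ipseccmd.exe switch syntax (-w REG, -p, -r, -f, -n BLOCK or PASS, -x) is assumed from the Windows XP support tools; the range 5001-5021, the policy name and the subnet are constructed placeholders, not the values elided from the page.

```python
import ipaddress

# Added example, not the answer's own commands. ipseccmd.exe syntax is
# assumed from the Windows XP support tools; range, policy name and subnet
# are constructed placeholders for the values the page elides.
ENDPOINT_MAPPER_PORT = 135            # RPC Endpoint Mapper listens on TCP 135
POLICY = "Block RPC Ports"            # constructed policy name


def _rule(name, filt, action):
    return (f'ipseccmd.exe -w REG -p "{POLICY}" -r "{name}" '
            f'-f {filt} -n {action}')

def _ports(first_port, last_port):
    """Endpoint Mapper plus every port of the restricted dynamic range."""
    return [ENDPOINT_MAPPER_PORT] + list(range(first_port, last_port + 1))

def block_rules(first_port, last_port):
    """One default-deny rule per port; the -r name and the -f filter are
    derived from the same port, so they cannot drift apart."""
    return [_rule(f"Block Inbound TCP {p} Rule", f"*=0:{p}:TCP", "BLOCK")
            for p in _ports(first_port, last_port)]

def allow_rules(first_port, last_port, subnets):
    """Per-subnet PASS rules for TCP 135 AND the whole dynamic range; a
    subnet allowed only to the Endpoint Mapper would hang the application."""
    rules = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits
        src = f"{net.network_address}/{net.netmask}"    # ipseccmd mask form
        for p in _ports(first_port, last_port):
            rules.append(_rule(f"Allow Inbound TCP {p} from {cidr}",
                               f"{src}=0:{p}:TCP", "PASS"))
    return rules

def build_policy(first_port, last_port, subnets):
    """Ordered script: block rules, optional allow rules, then assignment."""
    if not 1024 <= first_port <= last_port <= 65535:
        raise ValueError("dynamic port range must lie within 1024-65535")
    cmds = block_rules(first_port, last_port)
    cmds += allow_rules(first_port, last_port, subnets)
    cmds.append(f'ipseccmd.exe -w REG -p "{POLICY}" -x')  # assign; takes effect now
    return cmds

if __name__ == "__main__":
    # constructed input: a 21-port range and one management subnet
    print("\n".join(build_policy(5001, 5021, ["10.1.1.0/24"])))
```

Review the printed commands against the rpccfg range you actually chose before running them, since the block rules take effect immediately.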