Saturday, May 8, 2010

Configure RPC ports from Dynamic to Limited Range

Many Windows services and applications use RPC over dynamic ports 1024-65535/TCP.  In many cases having all of these ports open is not practical.  Microsoft recommends you reduce this number of ports. Reference: http://support.microsoft.com/kb/154596

This is nothing new; I have been doing this per Microsoft's recommendations for several years. Although the referenced KB article is newer, a search will turn up similar articles published since the first release of Active Directory.

This is a best practice for security lockdown, and has been for years. I once heard an engineer say that making ANY edit to the registry breaks your support contract with Microsoft.  That is simply incorrect; contact Microsoft to verify.  If the edit fixes a known, reported problem for which Microsoft publishes a KB article instructing you how to make it, as above, it is supported.

  1. Start - Run - Regedt32 and modify the following parameters for RPC. The RPC port values are all located under this registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\
  2. Ports (REG_MULTI_SZ): the port or port-range entries RPC may use. If any entry is outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid. Select a smaller range like 25000-25500.
  3. PortsInternetAvailable (REG_SZ): Y or N (not case-sensitive).
    If Y, the ports listed in the Ports value are all the Internet-available ports on that computer. If N, the ports listed in the Ports value are all those ports that are not Internet-available.
  4. UseInternetPorts (REG_SZ): Y or N (not case-sensitive). Specifies the system default policy.
    If Y, processes using the default will be assigned ports from the set of Internet-available ports, as defined previously. If N, processes using the default will be assigned ports from the set of intranet-only ports.
  5. Example:
    1. Add the Internet key under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
    2. Under the Internet key, add the values "Ports" (REG_MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).
    The new registry key appears as follows:
         Ports: REG_MULTI_SZ: 25000-25500
         PortsInternetAvailable: REG_SZ: Y
         UseInternetPorts: REG_SZ: Y
  6. Then restart the server.
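The same change scripted in PowerShell, as an added example that is not part of the original post or the KB article. It validates the port entry first, because the RPC runtime silently discards the whole configuration if any entry is malformed or outside 0-65535, then writes the three values exactly as the KB describes and reads them back. The key path, the 25000-25500 range and the `Test-RpcPortEntry` helper name are taken from the post or chosen for this example.

```powershell
# Added example: apply the KB 154596 RPC port restriction with PowerShell
# instead of Regedt32. Run in an elevated session; a reboot is still required.

$RpcKey      = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$InternetKey = Join-Path $RpcKey 'Internet'
$PortRange   = '25000-25500'   # range used in the post; adjust for your environment

# Validate before touching the registry: one bad entry (outside 0-65535, or
# not "N" / "N-M") makes the RPC runtime ignore the entire configuration.
function Test-RpcPortEntry {
    param([string]$Entry)
    if ($Entry -match '^(\d+)-(\d+)$') {
        $lo = [int]$Matches[1]
        $hi = [int]$Matches[2]
        return ($lo -le $hi -and $lo -ge 0 -and $hi -le 65535)
    }
    if ($Entry -match '^\d+$') {
        return ([int]$Entry -le 65535)
    }
    return $false
}

if (-not (Test-RpcPortEntry $PortRange)) {
    throw "Invalid RPC port entry '$PortRange'; nothing was written."
}

# The Internet key does not exist by default; create it if it is missing.
if (-not (Test-Path $InternetKey)) {
    New-Item -Path $RpcKey -Name 'Internet' | Out-Null
}

# Ports is REG_MULTI_SZ; the other two values are REG_SZ, as in the KB article.
New-ItemProperty -Path $InternetKey -Name 'Ports' -PropertyType MultiString -Value @($PortRange) -Force | Out-Null
New-ItemProperty -Path $InternetKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $InternetKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Read the values back so the change can be verified and recorded before the reboot.
Get-ItemProperty -Path $InternetKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```

After the reboot, the restricted range is the only one RPC servers will listen on, so any firewall between clients and this server needs to permit that range in addition to the RPC endpoint mapper on 135/TCP; if the range is too small for the number of RPC servers on the host, services will fail to register endpoints, which is the first thing to check if something stops working after the change.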

Published: 10/31/2008 8:53 PM
