MS-RPC protocol

To secure Microsoft RPC traffic based on the DCE/RPC standard, this module allows or blocks traffic that uses this protocol, with the action set per Microsoft service (Microsoft Exchange, for example).

Automatically detect and inspect the protocol

If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules.

Microsoft Remote Procedure Call (RPC)

"Predefined MS-RPC services" tab

The DCE/RPC protocol allows remotely hosted procedures to be launched. These services, known as MS-RPC, which have been predefined for the main Microsoft applications, are allowed by default.

These services are classified by application. They can be allowed or blocked individually, or several at a time by selecting them with the Shift key and then using the buttons available in the Action menu. The "Modify all operations" button assigns the action to all services. The "Block by service group" and "Allow by service group" buttons change the action assigned to a full group of services. Prohibited services will raise the alarm “DCERPC forbidden service”.

Whenever the user hovers over a service, a tooltip displays its UUID (Universally Unique Identifier).

The main Microsoft applications that have predefined MS-RPC services are:

  • Distributed File System Replication
  • Microsoft Active Directory
  • Microsoft DCOM
  • Microsoft Distributed Transaction Coordinator service
  • Microsoft Exchange
  • Microsoft File Replication service
  • Microsoft IIS
  • Microsoft Inter-site Messaging
  • Microsoft Messenger
  • Microsoft Netlogon
  • Microsoft RPC services
  • Microsoft Scheduler

"Customized MS-RPC services" tab

This table allows you to enter the universally unique identifiers (UUID) of MS-RPC services that are not in the list of predefined MS-RPC services. As in the first tab, you can assign an action to a single service, to a full group of services ("Block by service group" and "Allow by service group" buttons) or to all services entered ("Modify all operations" button).
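
The UUID entered in this table is the interface UUID that a client requests in its DCE/RPC bind PDU. The following is an added example, not part of the product or of the original page, showing where that UUID sits on the wire and how its byte order maps to the string form. The `POLICY` table, its UUIDs, the function names and the "unlisted" label are hypothetical, and the sample PDU is constructed.

```python
import struct
import uuid

BIND = 11  # DCE/RPC PDU type "bind"
# Constructed policy table: hypothetical UUIDs, not from any product list.
POLICY = {uuid.UUID("00000000-1111-2222-3333-444444444444"): "block",
          uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"): "allow"}

def bind_interfaces(pdu: bytes):
    """Return [(interface UUID, major, minor)] requested by a bind PDU."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    little = (pdu[4] >> 4) == 1      # data representation: 1 = little-endian
    e = "<" if little else ">"
    (frag_len,) = struct.unpack_from(e + "H", pdu, 8)
    if frag_len > len(pdu):
        raise ValueError("truncated fragment")
    off, found = 28, []              # context list starts after a 28-byte prefix
    for _ in range(pdu[24]):         # n_context_elem
        if off + 24 > frag_len:
            raise ValueError("context list overruns fragment")
        n_transfer = pdu[off + 2]
        raw = pdu[off + 4:off + 20]  # abstract syntax = interface UUID
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        (ver,) = struct.unpack_from(e + "I", pdu, off + 20)
        found.append((iface, ver & 0xFFFF, ver >> 16))
        off += 24 + 20 * n_transfer  # skip the offered transfer syntaxes
    return found

def classify(pdu: bytes):
    """Map each requested interface to its action; 'unlisted' if not in POLICY."""
    return [(str(i), POLICY.get(i, "unlisted")) for i, _, _ in bind_interfaces(pdu)]

def sample_bind(iface: str) -> bytes:
    """Build a constructed little-endian bind PDU with one context element."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    ctx = struct.pack("<HBB", 0, 1, 0) + uuid.UUID(iface).bytes_le
    ctx += struct.pack("<I", 1) + ndr.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    head = struct.pack("<BBBB4sHHI", 5, 0, BIND, 0x03, b"\x10\x00\x00\x00",
                       16 + len(body), 0, 1)
    return head + body

if __name__ == "__main__":
    for u in POLICY:
        print(classify(sample_bind(str(u))))
```

In a little-endian PDU the first three UUID fields are byte-swapped on the wire, so a UUID copied from a raw hex dump must be reordered before it matches the string form shown in a tooltip or typed into a table.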

Support

Disable intrusion prevention

When this option is selected, the scan of the MS-RPC protocol will be disabled and traffic will be authorized if the filter policy allows it.

Log every DCE/RPC query

Enables or disables the logging of MS-RPC queries.
