MS-RPC protocol

In order to secure Microsoft RPC traffic based on the DCE/RPC standard, this module allows authorizing or blocking traffic using this protocol, set out in detail by the Microsoft service (Microsoft Exchange, for example).

DCE/RPC (IPS) tab

Like FTP, the DCE/RPC protocol may be used to set up several connections for the same traffic stream: a parent connection from the client to the server over the port dedicated to the service, followed by one or several child connections over random ports for data exchange.

When the DCE/RPC protocol is analyzed, the firewall extracts data from the parent connection in order to create child connections (random ports allowed), so that you obtain a connection skeleton that enables dialog.

Connection skeleton settings

Allow creation of skeletons When this option is selected, the DCE/RPC analyzer will allow parent and child connections to be created.
Expiry date of a skeleton This parameter determines when a skeleton, which was created by a DCE/RPC connection and has become idle, will be deleted.
By default, it is set to 60 seconds.
Number of skeletons created per IP address The number of DCE/RPC skeletons created by the same source IP address can be restricted.

Authentication

Verify user legitimacy If this option is selected, you will be enabling DCE/RPC user authentication. The DCE/RPC analyzer will then be able to extract the user and compare it against the list of users authenticated on the firewall.
When no authenticated user matches the user submitted in the DCE/RPC query, the packet will be blocked.

Microsoft Remote Procedure Call (RPC)

"Predefined MS-RPC services" tab

The DCE/RPC protocol allows remotely hosted procedures to be launched. These services, known as MS-RPC, which have been predefined for the main Microsoft applications, are allowed by default.

These services, classified by category, can be allowed/blocked individually or in groups by selecting several categories using the Shift key together with the buttons available in the Action menu. The "Modify all operations" button makes it possible to assign the action to all service categories. The "Block by service group" and "Allow by service group" buttons allow modifying the action assigned to a full group of services. Prohibited services will raise the alarm “DCERPC forbidden service”.

Whenever the user scrolls over each service, a tooltip will display its UUID (Universal Unique Identifier).

The main Microsoft applications that have predefined MS-RPC services are:

  • Distributed File System Replication.
  • Microsoft Active Directory.
  • Microsoft DCOM.
  • Microsoft Distributed Transaction Coordinator service.
  • Microsoft Exchange.
  • Microsoft File Replication service.
  • Microsoft IIS.
  • Microsoft Inter-site Messaging.
  • Microsoft Messenger.
  • Microsoft Netlogon.
  • Microsoft RPC services.
  • Microsoft Scheduler.

"Customized MS-RPC services" tab

This table allows you to enter the universal unique identifiers (UUID) of MS-RPC services that were not entered in the list of predefined MS-RPC services. Similarly to the first tab, you can assign an action to a service, to all services ("Block by service group" and "Allow by service group" buttons) or to all services entered ("Modify all operations" button).

Support

Disable intrusion prevention When this option is selected, the analysis of the MS-RPC protocol will be disabled and traffic will be authorized if the filter policy allows it.
Log every MS-RPC query Enables or disables the logging of MS-RPC requests.
Automatically detect and inspect the protocol If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules.