Locking Down DFS for Windows Firewall

This article was published on Jan 25th 2008 on "colinbowern …more of the usual bool"

"Most system administrators are becoming acutely aware of port usage on their servers. The security focus is telling us we need to lock things down by default. Turning Windows Firewall on for your servers will certainly do that. For DFS there are some scattered documented things I wanted to share about locking it down.

Distributed File System (DFS) uses File Replication Services (FRS), which in turn uses Remote Procedure Calls (RPC). RPC uses 135/tcp as the contact point for services to say hello on, known as the Endpoint Mapper. From there RPC directs you to a dynamic port known as an RPC Endpoint. For those of us who hate the idea, you can constrain RPC to a range using RPCCfg.exe. It still means ports are dynamic, but now they are constrained. It would be nice to do better than a dynamic port in a range. That is where a registry key and DFSRDiag come in with the StaticRPC option. Buried in KB832017 is a reference to the fact that you can set DFS replication to use a static RPC endpoint. After adding the registry key and running that tool you should be able to see some tangible results using RPCDump:

[4998] [d049b186-814f-11d1-9a3c-00c04fc9b232] NtFrs API :NOT_PINGED
[4998] [f5cc59b4-4264-101a-8c59-08002b2f8426] NtFrs Service :NOT_PINGED
[4999] [897e2e5f-93f3-4376-9c9c-fd2277495c27] Frs2 Service :NOT_PINGED

(The IP addresses and port numbers have been changed to protect the innocent.) From here on in, all you need to do is open those ports on your firewall and DFS should start flowing."


Removing already installed third-party drivers in Vista

This is entirely written by WAW8 on VistaForums http://www.vistaforums.com/Forum/Topic13820-21-1.aspx

In Vista, every device driver you install is copied into the "driver store". This "store" is not somewhere you go to purchase drivers; instead, it’s an area on the drive where Vista squirrels away device drivers for safe keeping. This is done so that, if you need to reinstall that device later, Vista already has the driver available.
The problem is, you may want to remove this driver so Vista doesn’t use it anymore — especially in the situation where the driver doesn’t work, and after you remove the entry from Device Manager, upon reboot, before you can install a different driver, Vista automatically reinstalls the driver from the "store".
What you will need to do is locate the actual device "package" you need to remove and delete it from the driver store.
To locate the device "package", open an elevated command prompt window (enter "cmd" in the start area, then press ctrl-shift-enter) and enter "pnputil.exe -e". This will provide a list of all the third-party drivers installed.
Search the list for the driver version you want removed. It will be oem##.inf. (where ## is the actual two-digit number of the inf file)
To remove that driver, using the same elevated command window, enter "pnputil.exe -d oem##.inf". To be safe, find all the driver files and remove them all.

Then, you need to clean out the INF directory:
1) open %windir%\inf\setupapi.dev.log in Wordpad
2) search for ", this will be found on a DevDesc line
3) look a few lines up for the "inf:" line. It will say Opened INF: and at the end of the line, you will see the actual name of the inf file.
4) remove that file from the INF directory.
5) look for ServiceBinary=c:\Windows\system32\DRIVERS containing a reference to the same inf file. That’s the driver file to delete.
6) continue this process: search for all the inf sequences and DRIVERS references, removing the files from the INF and DRIVERS directories as needed.
Also, be sure to remove the device from Device Manager before you reboot.
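As an added example, not part of WAW8's post, the PowerShell below turns the "Label : value" blocks that pnputil.exe -e prints into objects, so the oem##.inf belonging to a given vendor can be picked out and the matching pnputil -d command shown for review instead of scanning the list by eye. The sample output and the vendor names Contoso and Fabrikam are constructed; on a live system the input would come from running pnputil.exe -e.

```powershell
# Added example (not from WAW8's post): parse the text output of "pnputil.exe -e".
# The sample below is constructed to mirror the "Label : value" blocks pnputil
# prints, one block per driver package, separated by blank lines.
$SampleOutput = @'
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Contoso Devices
Class :                     Display adapters
Driver date and version :   01/15/2007 7.14.10.1234
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem1.inf
Driver package provider :   Fabrikam Networks
Class :                     Network adapters
Driver date and version :   11/02/2007 2.0.0.9
Signer name :               Not digitally signed
'@

function ConvertFrom-PnpUtilOutput {
    param([string[]]$Lines)
    $current = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            $current[$Matches['key']] = $Matches['value'].Trim()
        } elseif ($current.Count -gt 0) {
            # A line without "key : value" (blank) closes the current package block.
            New-Object PSObject -Property $current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { New-Object PSObject -Property $current }
}

# Parse the constructed sample; live use:  ConvertFrom-PnpUtilOutput -Lines (pnputil.exe -e)
$packages = ConvertFrom-PnpUtilOutput -Lines ($SampleOutput -split "`r?`n")

# Select the vendor whose driver is being removed and print the exact command
# from the procedure above for the admin to run, rather than deleting anything here.
$packages |
    Where-Object { $_.'Driver package provider' -like 'Fabrikam*' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Inf     = $_.'Published name'
            Class   = $_.'Class'
            Version = $_.'Driver date and version'
            Signer  = $_.'Signer name'
            Command = "pnputil.exe -d $($_.'Published name')"
        }
    } | Format-List
```

The Signer field is worth a glance before removal: an unsigned package ("Not digitally signed") is the kind of third-party driver this procedure most often targets.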