Locking Down DFS for Windows Firewall


This article was published on Jan 25th 2008 on "colinbowern …more of the usual bool"
http://rockstarguys.com/blogs/colin/archive/2008/01/25/locking-down-dfs-for-windows-firewall.aspx

"Most system administrators are becoming acutely aware of port usage on their servers. The security focus is telling us we need to lock things down by default. Turning Windows Firewall on for your servers will certainly do that. For DFS there is some scattered documented things I wanted to share about locking it down.

Distributed File System (DFS) uses File Replication Services (FRS) which in turn uses Remote Procedure Calls (RPC). RPC uses 135/tcp as the contact point for services to say hello on, known as the Endpoint Mapper. From there RPC directs you to a dynamic port known as an RPC Endpoint. For those of us who hate the idea you can constrain RPC to a range using RPCCfg.exe. It still means ports are dynamic, but now they are constrained. It would be nice to do better than a dynamic port in a range. That is where a registry key and DFSRDiag comes in with the StaticRPC option. Buried in the KB832017 is a reference to the fact that you can set DFS replication to use a static RPC endpoint. After adding the registry key and running that tool you should be able to see some tangible results using RPCDump:

10.0.0.1[4998] [d049b186-814f-11d1-9a3c-00c04fc9b232] NtFrs API :NOT_PINGED

10.0.0.1[4998] [f5cc59b4-4264-101a-8c59-08002b2f8426] NtFrs Service :NOT_PINGED

10.0.0.1[4999] [897e2e5f-93f3-4376-9c9c-fd2277495c27] Frs2 Service :NOT_PINGED

(The IP addresses and port numbers have been changed to protect the innocent) From here on in all you need to do is open those ports on your firewall and DFS should start flowing."

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s