We all love to hate RPC – It is a necessary evil in most Microsoft based environments. Back in 1981, Bruce Nelson probably had no idea that the concept would have been picked up by other large tech companies and still be kicking along some 40 years later. Unfortunately, there does not seem to have been much in the way of an uplift of security in all that time by our vendors – perhaps there have been some attempts, but we continue to see CVEs relating to RPC exploits in the wild.
If you’d like to look into better securing RPC, check out RPC Firewall by Zero Networks.
RPCFW is freely available as a download from Zero Networks Git Hub’s release page or if you’d like to tweak things, you can always download the source code over at their Git Hub Repository.
RPC Firewall 2.0 tutorial
Whilst you can do some of this already with NetSH, this nifty package offers so much more and I encourage you to check out their blog post about it. It may surprise you to learn how many RPC Interfaces (UUIDs) are laying in wait for bad actors to attempt to leverage unhanded exceptions and exploits.
The team at Zero Networks have put together a tutorial on how to use RPCFW 2.0:
Zero Networks have been kind enough to put together some example configuration files that can be used to block and/or alert on ‘nasties’ like Petit-Potam and a few others.
BE AWARE: Some of these UUIDs are important for certain tasks so be sure to baseline any system before applying any restrictions. An example of this would be in relation to Printing – if you are applying restrictions to a print server, you may not be able to apply the printer related restrictions to that system. This is all discussed in the the Zero Networks blog post on RPC Firewall 2.0.
The featured photo for this post is by Patrick Hendry on Unsplash
