Educause Security Discussion mailing list archives
Re: Risks of RPC over HTTP
From: Chris Green <cmgreen () UAB EDU>
Date: Wed, 15 Feb 2006 10:24:55 -0600
On 2/15/06 9:39 AM, "James H Moore" <jhmfa () RIT EDU> wrote:
> Our technical infrastructure has "turned it on". I am left with trying to find out to see what controls need to be in place. Best practices, Opinions, References welcome.

I recently attended a talk by Jesper Johansson at Microsoft Security Summit East. He has a book out, "Protect Your Windows Network from Perimeter to Data", which covers some of these concepts but not this case specifically. I've written him to see if I can have a link to that talk or other documents supporting the following.

During his talk, he was talking about exposing Exchange out over the internet for full use, with the goal of allowing people to check their mail from home using the full Outlook client. He went down the con of VPN: exposing them to the entire network when they just need access to Exchange.

Fast forward a bit and he talked about Outlook 2003 & HTTP-over-RPC. Due to the way the RPC API works, you can register as either a remote service or a local-only service. That exposure decision is done on a per-process basis. If you have a process that registers 5 local services and 1 remote service, those local services are exposed out as well. This surprised many programmers at Microsoft. Fixing this class of bugs was a major enhancement of 2000 -> 2003, but I'm sure it's not complete, especially for third-party software.

What RPC over HTTP does is allow all those remote RPC services, that you probably firewalled a long time ago (port 135), out over HTTP (port 593), opening you up to the risks of RPC.

In his example, he said that ISA Server can allow only the proper RPC-over-HTTP services to be exposed to the end user, since it can work at the application layer. He did say he very much wished that functionality was built into the OS rather than ISA Server, but that just wasn't the case yet. That left an assurance he wasn't just pushing ISA Server.

http://www.eeye.com/html/Research/Tools/RPCDCOM.html is one tool that can show an example of these risks (showing DCOM vulnerability over RPC over HTTP).

Big Disclaimer: This is me regurgitating what I heard, but it did make complete sense to me.

I've made our infrastructure people examine RPC-over-HTTP and ISA Server before we open up our Exchange for the Outlook 2003 clients. Hope this helps, and I'll let you know if I find hard references.

--
Chris Green
UAB Data Security, 5-0842
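
One way to check that only the intended services are reachable through the proxy is to audit its web logs. The sketch below is an added example and is not part of the original message. It assumes IIS W3C logging with the fields shown, the Windows RPC proxy's `RPC_IN_DATA`/`RPC_OUT_DATA` verbs with the back-end `host:port` in the query string, and a hypothetical host name and port allowlist.

```python
# Assumption: the only back ends that should be reachable through the proxy.
# Host name and ports are illustrative, not taken from the original message.
ALLOWED_TARGETS = {("mail01.example.edu", p) for p in (6001, 6002, 6004)}
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}

# Constructed sample log (W3C extended format), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-02-15 15:01:10 192.0.2.10 RPC_IN_DATA /rpc/rpcproxy.dll mail01.example.edu:6001 200
2006-02-15 15:01:10 192.0.2.10 RPC_OUT_DATA /rpc/rpcproxy.dll mail01.example.edu:6001 200
2006-02-15 15:02:44 198.51.100.7 RPC_IN_DATA /rpc/rpcproxy.dll files02.example.edu:135 200
2006-02-15 15:03:02 198.51.100.7 RPC_IN_DATA /Rpc/RpcProxy.dll MAIL01.example.edu:593 403
2006-02-15 15:04:00 192.0.2.10 GET /exchange/ - 401
"""


def parse_target(query):
    """Split 'host:port' from the query string; return None if malformed."""
    host, sep, port = query.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.lower(), int(port)


def audit(log_text, allowed=ALLOWED_TARGETS):
    """Return one finding per proxied RPC request aimed outside `allowed`."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") not in RPC_METHODS:
            continue
        if not row.get("cs-uri-stem", "").lower().endswith("/rpcproxy.dll"):
            continue
        target = parse_target(row.get("cs-uri-query", ""))
        if target is None or target not in allowed:
            findings.append((row["c-ip"], row["cs-uri-query"], row["sc-status"]))
    return findings


if __name__ == "__main__":
    for client, target, status in audit(SAMPLE_LOG):
        print(f"unapproved RPC target {target} from {client} (HTTP {status})")
```

A finding with a success status means the proxy relayed a request to a service outside the allowlist, which is the exposure the message describes.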