Full Disclosure mailing list archives

Re: Why does a home computer user need DCOM?


From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand () hsc fr>
Date: Thu, 11 Sep 2003 11:15:05 +0200

* *Hobbit* <hobbit () avian org> [10/09/03 - 13:31]:

> Once again, I wouldn't mind a way to turn off *ALL* the RPC stuff,
> including the RPC service itself, without paying the price of having
> almost everything I do afterward just sit there and stupidly wait for it
> to respond.  A box with it disabled *will* run, just barely, it'll just
> be sluggish as hell.

It is not really possible to disable the rpcss service (a.k.a. _Remote
Procedure Call (RPC)_), probably because a Windows NT system heavily uses
Local Procedure Calls (ncalrpc transport), which happen to be handled by
the rpcss service. 

To close port 135 (tcp and udp), used among other things by the MSRPC
endpoint mapper, you have to minimize Windows services, i.e. stop all
services that register RPC services. 

> Or at the very least a way to run it so it doesn't listen on a socket
> bound to *.  How 'bout localhost-only, or the equivalent of unix-domain
> pipes, or *something* to keep it insulated from the network??

It is possible to bind RPC services to a specific network interface, for
example the loopback interface (127.0.0.1). This technique works on
Windows 2000 but not for all RPC services (however, it works for port
135). 

For more information, see the _RPC Services_ of our _Minimizing Windows
network services_ paper:

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html


> How 'bout the same for SMB/tcp 445?

Port 445 is opened by the NetBT driver (thus in kernel-mode) and is
always bound to 0.0.0.0 because it was designed as a global device:

http://www.hsc.fr/ressources/presentations/sambaxp2003/slide4.html

If you don't need SMB/CIFS at all, the easiest way to close port 445
(tcp and udp) is to disable the NetBT driver. You can also set the
SmbDeviceEnabled registry value to 0. This is also described in our
minimization paper (_CIFS over TCP_ section).


PS: thanks for netcat and your _CIFS: Common Insecurities Fail Scrutiny_
paper!

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand () hsc fr
HSC - http://www.hsc.fr/
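
One way to verify the outcome of the steps described in this message, as an added example that is not part of the original post: the Python below parses `netstat -an` output and reports listeners on ports 135 and 445 bound to anything other than loopback. The netstat samples are constructed for illustration, and all function and variable names are assumptions.

```python
import re

# Ports named in the message above: 135 (MSRPC endpoint mapper), 445 (CIFS over TCP).
WATCHED_PORTS = {135, 445}
# One netstat -an row: protocol, local address:port, foreign address, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"

def exposed_listeners(netstat_text):
    """Return sorted (proto, address, port) for watched ports that are
    bound to a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if port not in WATCHED_PORTS or is_loopback(addr):
            continue
        # TCP rows have a state column; only LISTENING sockets accept connections.
        # UDP rows have no state, so any bound socket counts.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, addr, port))
    return sorted(found)

# Constructed sample: both ports bound to all interfaces.
SAMPLE_DEFAULT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.20:445       ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: port 135 bound to loopback, NetBT disabled (no 445).
SAMPLE_MINIMIZED = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  UDP    127.0.0.1:135          *:*
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("minimized", SAMPLE_MINIMIZED)):
        print(name, exposed_listeners(text))
```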
