Information on Dynamic Port Used by Terminal Services


Posted

According to Microsoft documentation, Terminal Server Licensing servers use

RPC port 135 and a dynamic port over 1024. Regarding the dynamic port,

can someone tell me:

 

1) Is there a registry option we can use to place the dynamic port on a

specific fixed TCP port? If yes, what are the details of that?

 

2) Is anyone here technical enough with the terminal server licensing

protocol that they can tell me the UUID of the requested service associated

with the dynamic port?

 

--

Will

Guest Vera Noest [MVP]
Posted

Re: Information on Dynamic Port Used by Terminal Services

 

This should help you with Q1. It's not as simple as a registry

key, though.

 

How to configure RPC to use certain ports and how to help secure

those ports by using IPsec

http://support.microsoft.com/kb/908472/en-us

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

"Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:

> According to Microsoft documentation, Terminal Server Licensing

> servers use RPC port 135 and a dynamic port over 1024.

> Regarding the dynamic port, can someone tell me:

>

> 1) Is there a registry option we can use to place the dynamic

> port on a specific fixed TCP port? If yes, what are the

> details of that?

>

> 2) Is anyone here technical enough with the terminal server

> licensing protocol that they can tell me the UUID of the

> requested service associated with the dynamic port?

Posted

Re: Information on Dynamic Port Used by Terminal Services

 

Reducing the RPC range still leaves a range. It is really just like having

no security at all since any application that is RPC based can still run

through that range.

 

With many applications, Microsoft thoughtfully provides a registry key that

lets you fix the RPC application service to a fixed port. That's very

firewall friendly and works great. I was really hoping that the terminal

server licensing might provide something similar (perhaps not well

documented). I wish Microsoft would offer such an option on every single

service it publishes by RPC, as a matter of a design requirement. It

would make securing these boxes so much easier.

 

Whether you use IPSec, or a regular firewall, the point is that any server

that needs even one RPC service on the target server would need to be given

access to the range of RPC ports, which really isn't security. What we

do with domain controllers behind firewalls, which works great, is to fix

three specific RPC services to fixed ports, and then we lock the firewall to

access only RPC 135 and those three ports. No other ports are allowed.

That approach is approaching secure because you can control which N number

of RPC services are directly accessed by any host. If some other RPC

service starts on the target host, the person who wants access can get its

port number through the RPC port 135 mapper, but they cannot get to the

actual service through the firewall.

 

I can debug the UUID with a sniffer, and ISA Server has a nice feature that

lets you restrict RPC access to a specific UUID. But that's complex and in

our experience it can sometimes break the service (apparently the

implementation of this idea has some potential bugs or design limitation).

It's time consuming to implement and to debug as well.

 

--

Will

 

 

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message

news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...

> This should help you with Q1. It's not as simple as a registry

> key, though.

>

> How to configure RPC to use certain ports and how to help secure

> those ports by using IPsec

> http://support.microsoft.com/kb/908472/en-us

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> *----------- Please reply in newsgroup -------------*

>

> "Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:

>

>> According to Microsoft documentation, Terminal Server Licensing

>> servers use RPC port 135 and a dynamic port over 1024.

>> Regarding the dynamic port, can someone tell me:

>>

>> 1) Is there a registry option we can use to place the dynamic

>> port on a specific fixed TCP port? If yes, what are the

>> details of that?

>>

>> 2) Is anyone here technical enough with the terminal server

>> licensing protocol that they can tell me the UUID of the

>> requested service associated with the dynamic port?

Posted

Re: Information on Dynamic Port Used by Terminal Services

 

I traced a terminal server against the terminal server licensing, and to my

surprise none of the RPC dynamic ports was contacted. Instead, the entire

protocol for licensing looks like it happens over port 445.

 

Can someone confirm for me: are all RPC services runnable through port 445

directly, without contacting the dynamic RPC port? Or did Microsoft

implement something extra just for terminal services licensing that allows

it to work over port 445?

 

--

Will

 

 

"Will" <westes-usc@noemail.nospam> wrote in message

news:YLWdndvRBbJ0Pg7VnZ2dnUVZ_uLinZ2d@giganews.com...

> Reducing the RPC range still leaves a range. It is really just like

> having no security at all since any application that is RPC based can

> still run through that range.

>

> With many applications, Microsoft thoughtfully provides a registry key

> that lets you fix the RPC application service to a fixed port. That's

> very firewall friendly and works great. I was really hoping that the

> terminal server licensing might provide something similar (perhaps not

> well documented). I wish Microsoft would offer such an option on every

> single service it publishes by RPC, as a matter of a design requirement.

> It would make securing these boxes so much easier.

>

> Whether you use IPSec, or a regular firewall, the point is that any server

> that needs even one RPC service on the target server would need to be

> given access to the range of RPC ports, which really isn't security.

> What we do with domain controllers behind firewalls, which works great, is

> to fix three specific RPC services to fixed ports, and then we lock the

> firewall to access only RPC 135 and those three ports. No other ports

> are allowed. That approach is approaching secure because you can control

> which N number of RPC services are directly accessed by any host. If

> some other RPC service starts on the target host, the person who wants

> access can get its port number through the RPC port 135 mapper, but they

> cannot get to the actual service through the firewall.

>

> I can debug the UUID with a sniffer, and ISA Server has a nice feature

> that lets you restrict RPC access to a specific UUID. But that's complex

> and in our experience it can sometimes break the service (apparently the

> implementation of this idea has some potential bugs or design limitation).

> It's time consuming to implement and to debug as well.

>

> --

> Will

>

>

> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message

> news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...

>> This should help you with Q1. It's not as simple as a registry

>> key, though.

>>

>> How to configure RPC to use certain ports and how to help secure

>> those ports by using IPsec

>> http://support.microsoft.com/kb/908472/en-us

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> *----------- Please reply in newsgroup -------------*

>>

>> "Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:

>>

>>> According to Microsoft documentation, Terminal Server Licensing

>>> servers use RPC port 135 and a dynamic port over 1024.

>>> Regarding the dynamic port, can someone tell me:

>>>

>>> 1) Is there a registry option we can use to place the dynamic

>>> port on a specific fixed TCP port? If yes, what are the

>>> details of that?

>>>

>>> 2) Is anyone here technical enough with the terminal server

>>> licensing protocol that they can tell me the UUID of the

>>> requested service associated with the dynamic port?
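As an added example (not part of the thread, and not Microsoft's or any participant's code), the following Python audit models the firewall policy Will describes in his second post, allowing the RPC endpoint mapper on 135 plus a small set of RPC services pinned to fixed ports, and checks a set of observed connections against it: any other high-port hit is exactly what an RPC service that was not pinned looks like once the mapper hands out its dynamic port. It also reports port 445 separately, since RPC over named pipes (ncacn_np) travels inside SMB on 445 and never touches the dynamic range, which is the transport that would account for the licensing trace in the follow-up post. The fixed port numbers, the non-RPC allow-list entry, the record format and the log lines are all constructed assumptions, not Microsoft defaults or a real firewall log format.

```python
"""Audit observed TCP connections to a server against an RPC port allow-list."""
from collections import Counter
from dataclasses import dataclass

RPC_ENDPOINT_MAPPER = 135   # the RPC port mapper the thread refers to
SMB = 445                   # RPC over named pipes (ncacn_np) rides on SMB

# Constructed example policy: three RPC services pinned to fixed ports
# (placeholder values, not Microsoft's defaults) plus one non-RPC service
# the firewall is expected to permit anyway.
FIXED_RPC_PORTS = {5555, 5556, 5557}
KNOWN_SERVICE_PORTS = {3389: "rdp"}

# Constructed connection records in a simple "client server dport" form,
# not a real firewall log format; '#' starts a comment.
SAMPLE_LOG = """
# client      server     dport
10.0.0.5      10.0.0.10  135
10.0.0.5      10.0.0.10  5555
10.0.0.5      10.0.0.10  5556
10.0.0.7      10.0.0.10  135
10.0.0.7      10.0.0.10  1288   # high port handed out by the mapper: unpinned RPC service
10.0.0.9      10.0.0.10  445    # licensing traffic over SMB, as in Will's trace
10.0.0.9      10.0.0.10  3389
"""


@dataclass(frozen=True)
class Conn:
    client: str
    server: str
    dport: int


def parse_conn_log(text):
    """Parse the constructed record format into Conn objects."""
    conns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        client, server, dport = line.split()
        conns.append(Conn(client, server, int(dport)))
    return conns


def classify(conn, fixed_rpc_ports, known_service_ports, dynamic_range=(1025, 65535)):
    """Label one connection. Order matters: a pinned RPC port sits inside the
    dynamic range numerically, so the allow-listed ports are checked first."""
    if conn.dport == RPC_ENDPOINT_MAPPER:
        return "endpoint-mapper"
    if conn.dport == SMB:
        return "smb-named-pipe"
    if conn.dport in fixed_rpc_ports:
        return "fixed-rpc"
    if conn.dport in known_service_ports:
        return "known-service"
    lo, hi = dynamic_range
    if lo <= conn.dport <= hi:
        return "dynamic-range"
    return "other"


def audit(conns, fixed_rpc_ports, known_service_ports):
    """Return (per-class counts, dynamic-range hits). A dynamic-range hit is
    an RPC endpoint the 135-plus-fixed-ports policy does not cover: either the
    rule set was left wider than intended, or a service that should have been
    pinned to a fixed port was not."""
    counts = Counter()
    unpinned = []
    for c in conns:
        label = classify(c, fixed_rpc_ports, known_service_ports)
        counts[label] += 1
        if label == "dynamic-range":
            unpinned.append(c)
    return counts, unpinned


if __name__ == "__main__":
    counts, unpinned = audit(parse_conn_log(SAMPLE_LOG), FIXED_RPC_PORTS, KNOWN_SERVICE_PORTS)
    for label, n in sorted(counts.items()):
        print(f"{label:16s} {n}")
    for c in unpinned:
        print(f"dynamic-range hit: {c.client} -> {c.server}:{c.dport}")
```

On the constructed sample the audit counts two endpoint-mapper lookups, two pinned-port connections, one SMB connection, one known non-RPC service and one dynamic-range hit (10.0.0.7 reaching 1288). Run against real records, the dynamic-range list is the set of connections a firewall restricted to 135 plus the fixed ports would refuse, which is the quickest way to find an RPC service that still needs pinning before such a rule set goes live.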

Guest Jeff Pitsch
Posted

Re: Information on Dynamic Port Used by Terminal Services

 

Are you in per user or per device mode? That may make a difference since

per user doesn't actually do anything while per device actually returns

information.

 

Jeff Pitsch

Microsoft MVP - Terminal Services

 

 

"Will" <westes-usc@noemail.nospam> wrote in message

news:9pidnRdYQZfFTg7VnZ2dnUVZ_iydnZ2d@giganews.com...

>I traced a terminal server against the terminal server licensing, and to my

>surprise none of the RPC dynamic ports was contacted. Instead, the

>entire protocol for licensing looks like it happens over port 445.

>

> Can someone confirm for me: are all RPC services runnable through port

> 445 directly, without contacting the dynamic RPC port? Or did

> Microsoft implement something extra just for terminal services licensing

> that allows it to work over port 445?

>

> --

> Will

>

>

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:YLWdndvRBbJ0Pg7VnZ2dnUVZ_uLinZ2d@giganews.com...

>> Reducing the RPC range still leaves a range. It is really just like

>> having no security at all since any application that is RPC based can

>> still run through that range.

>>

>> With many applications, Microsoft thoughtfully provides a registry key

>> that lets you fix the RPC application service to a fixed port. That's

>> very firewall friendly and works great. I was really hoping that the

>> terminal server licensing might provide something similar (perhaps not

>> well documented). I wish Microsoft would offer such an option on every

>> single service it publishes by RPC, as a matter of a design requirement.

>> It would make securing these boxes so much easier.

>>

>> Whether you use IPSec, or a regular firewall, the point is that any

>> server that needs even one RPC service on the target server would need to

>> be given access to the range of RPC ports, which really isn't security.

>> What we do with domain controllers behind firewalls, which works great,

>> is to fix three specific RPC services to fixed ports, and then we lock

>> the firewall to access only RPC 135 and those three ports. No other

>> ports are allowed. That approach is approaching secure because you can

>> control which N number of RPC services are directly accessed by any host.

>> If some other RPC service starts on the target host, the person who wants

>> access can get its port number through the RPC port 135 mapper, but they

>> cannot get to the actual service through the firewall.

>>

>> I can debug the UUID with a sniffer, and ISA Server has a nice feature

>> that lets you restrict RPC access to a specific UUID. But that's

>> complex and in our experience it can sometimes break the service

>> (apparently the implementation of this idea has some potential bugs or

>> design limitation). It's time consuming to implement and to debug as

>> well.

>>

>> --

>> Will

>>

>>

>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in

>> message news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...

>>> This should help you with Q1. It's not as simple as a registry

>>> key, though.

>>>

>>> How to configure RPC to use certain ports and how to help secure

>>> those ports by using IPsec

>>> http://support.microsoft.com/kb/908472/en-us

>>>

>>> _________________________________________________________

>>> Vera Noest

>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>> TS troubleshooting: http://ts.veranoest.net

>>> *----------- Please reply in newsgroup -------------*

>>>

>>> "Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:

>>>

>>>> According to Microsoft documentation, Terminal Server Licensing

>>>> servers use RPC port 135 and a dynamic port over 1024.

>>>> Regarding the dynamic port, can someone tell me:

>>>>

>>>> 1) Is there a registry option we can use to place the dynamic

>>>> port on a specific fixed TCP port? If yes, what are the

>>>> details of that?

>>>>

>>>> 2) Is anyone here technical enough with the terminal server

>>>> licensing protocol that they can tell me the UUID of the

>>>> requested service associated with the dynamic port?

>

>

Posted

Re: Information on Dynamic Port Used by Terminal Services

 

We are in per device mode since more than one user shares the same

terminals.

 

I guess my general question though wasn't

terminal-server-licensing-specific. Is someone able to run *all* RPC

services through port 445? Or are the interfaces being accessed through

445 completely independent of the ones through a normal RPC (port 135 +

dynamic port)?

 

--

Will

 

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message

news:OAP1FDL9IHA.3612@TK2MSFTNGP04.phx.gbl...

> Are you in per user or per device mode? That may make a difference since

> per user doesn't actually do anything while per device actually returns

> information.

>

> Jeff Pitsch

> Microsoft MVP - Terminal Services

>

>

> "Will" <westes-usc@noemail.nospam> wrote in message

> news:9pidnRdYQZfFTg7VnZ2dnUVZ_iydnZ2d@giganews.com...

>>I traced a terminal server against the terminal server licensing, and to

>>my surprise none of the RPC dynamic ports was contacted. Instead, the

>>entire protocol for licensing looks like it happens over port 445.

>>

>> Can someone confirm for me: are all RPC services runnable through port

>> 445 directly, without contacting the dynamic RPC port? Or did

>> Microsoft implement something extra just for terminal services licensing

>> that allows it to work over port 445?

>>

>> --

>> Will

>>

>>

>> "Will" <westes-usc@noemail.nospam> wrote in message

>> news:YLWdndvRBbJ0Pg7VnZ2dnUVZ_uLinZ2d@giganews.com...

>>> Reducing the RPC range still leaves a range. It is really just like

>>> having no security at all since any application that is RPC based can

>>> still run through that range.

>>>

>>> With many applications, Microsoft thoughtfully provides a registry key

>>> that lets you fix the RPC application service to a fixed port. That's

>>> very firewall friendly and works great. I was really hoping that the

>>> terminal server licensing might provide something similar (perhaps not

>>> well documented). I wish Microsoft would offer such an option on

>>> every single service it publishes by RPC, as a matter of a design

>>> requirement. It would make securing these boxes so much easier.

>>>

>>> Whether you use IPSec, or a regular firewall, the point is that any

>>> server that needs even one RPC service on the target server would need

>>> to be given access to the range of RPC ports, which really isn't

>>> security. What we do with domain controllers behind firewalls, which

>>> works great, is to fix three specific RPC services to fixed ports, and

>>> then we lock the firewall to access only RPC 135 and those three ports.

>>> No other ports are allowed. That approach is approaching secure because

>>> you can control which N number of RPC services are directly accessed by

>>> any host. If some other RPC service starts on the target host, the

>>> person who wants access can get its port number through the RPC port 135

>>> mapper, but they cannot get to the actual service through the firewall.

>>>

>>> I can debug the UUID with a sniffer, and ISA Server has a nice feature

>>> that lets you restrict RPC access to a specific UUID. But that's

>>> complex and in our experience it can sometimes break the service

>>> (apparently the implementation of this idea has some potential bugs or

>>> design limitation). It's time consuming to implement and to debug as

>>> well.

>>>

>>> --

>>> Will

>>>

>>>

>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in

>>> message news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...

>>>> This should help you with Q1. It's not as simple as a registry

>>>> key, though.

>>>>

>>>> How to configure RPC to use certain ports and how to help secure

>>>> those ports by using IPsec

>>>> http://support.microsoft.com/kb/908472/en-us

>>>>

>>>> _________________________________________________________

>>>> Vera Noest

>>>> MCSE, CCEA, Microsoft MVP - Terminal Server

>>>> TS troubleshooting: http://ts.veranoest.net

>>>> *----------- Please reply in newsgroup -------------*

>>>>

>>>> "Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:

>>>>

>>>>> According to Microsoft documentation, Terminal Server Licensing

>>>>> servers use RPC port 135 and a dynamic port over 1024.

>>>>> Regarding the dynamic port, can someone tell me:

>>>>>

>>>>> 1) Is there a registry option we can use to place the dynamic

>>>>> port on a specific fixed TCP port? If yes, what are the

>>>>> details of that?

>>>>>

>>>>> 2) Is anyone here technical enough with the terminal server

>>>>> licensing protocol that they can tell me the UUID of the

>>>>> requested service associated with the dynamic port?

>>

>>

>

>
