Guest Will
Posted August 1, 2008

According to Microsoft documentation, Terminal Server Licensing servers use RPC port 135 and a dynamic port over 1024. Regarding the dynamic port, can someone tell me:

1) Is there a registry option we can use to place the dynamic port on a specific fixed TCP port? If yes, what are the details of that?

2) Is anyone here technical enough with the terminal server licensing protocol that they can tell me the UUID of the requested service associated with the dynamic port?

--
Will
Guest Vera Noest [MVP]
Posted August 1, 2008

Re: Information on Dynamic Port Used by Terminal Services

This should help you with Q1. It's not as simple as a registry key, though.

How to configure RPC to use certain ports and how to help secure those ports by using IPsec
http://support.microsoft.com/kb/908472/en-us

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:
Guest Will
Posted August 2, 2008

Re: Information on Dynamic Port Used by Terminal Services

Reducing the RPC range still leaves a range. It is really just like having no security at all since any application that is RPC based can still run through that range.

With many applications, Microsoft thoughtfully provides a registry key that lets you fix the RPC application service to a fixed port. That's very firewall friendly and works great. I was really hoping that the terminal server licensing might provide something similar (perhaps not well documented). I wish Microsoft would offer such an option on every single service it publishes by RPC, as a matter of a design requirement. It would make securing these boxes so much easier.

Whether you use IPSec, or a regular firewall, the point is that any server that needs even one RPC service on the target server would need to be given access to the range of RPC ports, which really isn't security. What we do with domain controllers behind firewalls, which works great, is to fix three specific RPC services to fixed ports, and then we lock the firewall to access only RPC 135 and those three ports. No other ports are allowed. That approach is approaching secure because you can control which N number of RPC services are directly accessed by any host. If some other RPC service starts on the target host, the person who wants access can get its port number through the RPC port 135 mapper, but they cannot get to the actual service through the firewall.

I can debug the UUID with a sniffer, and ISA Server has a nice feature that lets you restrict RPC access to a specific UUID. But that's complex and in our experience it can sometimes break the service (apparently the implementation of this idea has some potential bugs or design limitation). It's time consuming to implement and to debug as well.

--
Will

"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...
Guest Will
Posted August 2, 2008

Re: Information on Dynamic Port Used by Terminal Services

I traced a terminal server against the terminal server licensing, and to my surprise none of the RPC dynamic ports was contacted. Instead, the entire protocol for licensing looks like it happens over port 445.

Can someone confirm for me: are all RPC services runnable through port 445 directly, without contacting the dynamic RPC port? Or did Microsoft implement something extra just for terminal services licensing that allows it to work over port 445?

--
Will

"Will" <westes-usc@noemail.nospam> wrote in message news:YLWdndvRBbJ0Pg7VnZ2dnUVZ_uLinZ2d@giganews.com...
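As an added illustration (not code from the thread) of the two points Will raises above, the "135 plus pinned ports" firewall policy and the licensing traffic he saw on 445: a small Python model of which RPC interfaces a caller can actually reach through such a policy. The interface UUIDs, ports and pipe name are constructed placeholders, and the model relies on the fact that an RPC interface is reachable over SMB (TCP 445) only when its server also registered a named-pipe (ncacn_np) endpoint, a case that pinning TCP ports does not restrict.

```python
# Added example (not from the thread): a model of RPC reachability through a
# firewall that allows only the endpoint mapper (135) plus a few pinned ports.
# UUIDs, ports and the pipe name are constructed placeholders, not real
# Windows interface identifiers.
from dataclasses import dataclass

EPMAP_PORT = 135   # RPC endpoint mapper
SMB_PORT = 445     # named-pipe (ncacn_np) transport

@dataclass(frozen=True)
class Endpoint:
    interface: str  # interface UUID (placeholder)
    protseq: str    # "ncacn_ip_tcp" or "ncacn_np"
    binding: str    # TCP port as a string, or a pipe name

# Constructed endpoint-mapper table as a client querying port 135 would see it.
ENDPOINT_MAP = [
    Endpoint("11111111-0000-0000-0000-000000000001", "ncacn_ip_tcp", "49155"),  # dynamic
    Endpoint("22222222-0000-0000-0000-000000000002", "ncacn_ip_tcp", "5000"),   # pinned
    Endpoint("33333333-0000-0000-0000-000000000003", "ncacn_ip_tcp", "49160"),  # dynamic
    Endpoint("33333333-0000-0000-0000-000000000003", "ncacn_np", r"\pipe\example"),
]

def reachable_interfaces(endpoints, allowed_tcp_ports):
    """Map interface UUID -> set of bindings a caller can actually use when the
    firewall permits only `allowed_tcp_ports` inbound.  A TCP endpoint needs 135
    (to resolve it) and its own port; a named-pipe endpoint needs only 445."""
    reach = {}
    for ep in endpoints:
        if ep.protseq == "ncacn_ip_tcp":
            if EPMAP_PORT in allowed_tcp_ports and int(ep.binding) in allowed_tcp_ports:
                reach.setdefault(ep.interface, set()).add("tcp/" + ep.binding)
        elif ep.protseq == "ncacn_np" and SMB_PORT in allowed_tcp_ports:
            reach.setdefault(ep.interface, set()).add("smb/" + ep.binding)
    return reach

def pipe_only_exposure(endpoints, allowed_tcp_ports):
    """Interfaces reachable solely over SMB: the gap that pinning TCP ports leaves."""
    reach = reachable_interfaces(endpoints, allowed_tcp_ports)
    return sorted(i for i, b in reach.items() if all(x.startswith("smb/") for x in b))

if __name__ == "__main__":
    pinned_only = {EPMAP_PORT, 5000}          # Will's DC pattern: mapper + pinned ports
    print(reachable_interfaces(ENDPOINT_MAP, pinned_only))
    print(pipe_only_exposure(ENDPOINT_MAP, pinned_only | {SMB_PORT}))
```

With only 135 and the pinned port open, the dynamic-port interfaces resolve via the mapper but cannot be reached; opening 445 as well exposes every interface that also has a named-pipe endpoint, regardless of how its TCP port was pinned.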
Guest Jeff Pitsch
Posted August 2, 2008

Re: Information on Dynamic Port Used by Terminal Services

Are you in per user or per device mode? That may make a difference since per user doesn't actually do anything while per device actually returns information.

Jeff Pitsch
Microsoft MVP - Terminal Services

"Will" <westes-usc@noemail.nospam> wrote in message news:9pidnRdYQZfFTg7VnZ2dnUVZ_iydnZ2d@giganews.com...
Guest Will
Posted August 4, 2008

Re: Information on Dynamic Port Used by Terminal Services

We are in per device mode since more than one user shares the same terminals.

I guess my general question though wasn't terminal-server-licensing-specific. Is someone able to run *all* RPC services through port 445? Or are the interfaces being accessed through 445 completely independent of the ones through a normal RPC (port 135 + dynamic port)?

--
Will

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message news:OAP1FDL9IHA.3612@TK2MSFTNGP04.phx.gbl...