4

I just ran an nmap scan against our network, and many Windows 7 machines have several high ports listening with Microsoft Windows RPC. Example:

Port   Service  Process name
49152  msrpc    [wininit.exe]
49153  msrpc    [svchost.exe, Eventlog]
49154  msrpc    [svchost.exe, Schedule]
49155  msrpc    [lsass.exe]
49157  msrpc    [services.exe]
49159  msrpc    [svchost.exe, PolicyAgent]

For security reasons, I would like to close any listening service that is not needed, or at least block the ports in question using the Windows FW.

I realize that the processes above are system processes that I cannot close, but perhaps there is some configuration that can be done to prevent them from listening?

Lastly, not sure if relevant, but we do not use any domains or Active Directory - only workgroups against a Samba server.

So, my questions are:

  1. What are the listening services needed for in general?
  2. In my scenario, can I disable them somehow (=make them not listen)?
  3. If #2 is not doable, can I safely block them with the FW?

Thanks.

Jim Balo
  • This link has some good info about how Windows uses a portmapper for RPC: http://etutorials.org/Networking/network+security+assessment/Chapter+9.+Assessing+Windows+Networking+Services/9.2+Microsoft+RPC+Services/ – adric Jul 26 '13 at 18:41
  • Thanks for the link, but it appears to mainly deal with port 135, etc. not the high 49000+ ports listed above. Any info on this particular usage (seems to have started with Windows 7)? – Jim Balo Jul 26 '13 at 19:17
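The table in the question maps ports to processes but not to the services hosted inside each svchost.exe, which is what decides whether a listener can be turned off. The following script is an added example (not code from the question or the answers) that builds that mapping on Windows 7 using netstat -ano and WMI; the port range values are the Vista-and-later defaults and are assumptions for illustration.

```powershell
# Added example, not from the question or answers: list TCP listeners in the dynamic
# RPC range and map each to its owning process and the service(s) hosted in that PID.
# netstat -ano and WMI are used so it works on Windows 7 (Get-NetTCPConnection needs
# Windows 8 / Server 2012 or later). Run from an elevated PowerShell prompt.
$rangeStart = 49152   # default dynamic range on Vista and later (assumed here)
$rangeEnd   = 65535

# Parse lines such as:  TCP    0.0.0.0:49152    0.0.0.0:0    LISTENING    500
$listeners = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        [pscustomobject]@{ Local = $matches[1]; Port = [int]$matches[2]; ProcId = [int]$matches[3] }
    }
} | Where-Object { $_.Port -ge $rangeStart -and $_.Port -le $rangeEnd }

$report = foreach ($l in ($listeners | Sort-Object Port, Local)) {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $($l.ProcId)"
    $procName = if ($proc) { $proc.Name } else { '(exited)' }
    # svchost.exe hosts many services; Win32_Service.ProcessId says which live in this PID
    $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $($l.ProcId)" |
            Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Port     = $l.Port
        Local    = $l.Local
        ProcId   = $l.ProcId
        Process  = $procName
        Services = ($svcs -join ', ')
    }
}
$report | Format-Table -AutoSize
```

Running this on each machine before touching the registry or firewall tells you which service name (Eventlog, Schedule, PolicyAgent, and so on) is behind a given port, so you can compare it against the per-interface switches discussed in the answers.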

2 Answers

7
  • Port 49152 provides the ability to shut the computer down remotely via the shutdown.exe tool. It can be disabled by writing registry DWord HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRemoteShutdownRPCInterface=1
  • Port 49153 allows remote viewing of the Event Log. I don't know how to disable it yet.
  • Port 49154 allows remote viewing and administration of Scheduled Tasks. It can be disabled by writing registry DWord HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\DisableRpcOverTcp=1
  • Port 49155: I'm not sure what it does or how to disable it.
  • Port 49157 allows remote viewing and administration of Local Services. It can be disabled by writing registry DWord HKLM\System\CurrentControlSet\Control\DisableRPCOverTCP=1
  • Port 49159: I have not seen this one on end user computers.

You can disable all the RPC ports by following these steps:

  1. Make sure you have disabled all the disableable RPCs listed above.
  2. Delete HKLM\Software\Microsoft\Rpc\Internet
  3. Write HKLM\Software\Microsoft\Rpc\Internet\UseInternetPorts="N"

Unfortunately, completely disabling the RPC ports breaks the Print Spooler in Windows 8 and later. To re-enable, just repeat step 2 above.

Techie007
  • I have remotely viewed the Event Log on a computer that is not listening on 49153, and it does not show it as being open. I don't think it relates to Event Viewer. However, if you run netstat, it does mention eventlog: `[wininit.exe] TCP [::]:49153 [::]:0 LISTENING eventlog` For my 49152, netstat mentioned Dropbox. – Tyler Montney Aug 30 '17 at 20:03
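The registry values in the answer above are easy to mistype and hard to undo once several machines have been changed. The following script is an added example (not the answer author's code) that applies the three per-interface DWORDs exactly as the answer lists them, exporting each key first so the change can be reverted; the optional global switch (steps 2-3) is included but left off because of the Print Spooler caveat.

```powershell
# Added example, not from the answer: apply the per-interface registry settings the
# answer lists, exporting each key first so the change is reversible. Run elevated;
# the affected services (or the machine) must be restarted before the ports close.
$settings = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRemoteShutdownRPCInterface' }   # 49152, wininit.exe (remote shutdown)
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Schedule'
       Name = 'DisableRpcOverTcp' }                   # 49154, Task Scheduler
    @{ Path = 'HKLM:\System\CurrentControlSet\Control'
       Name = 'DisableRPCOverTCP' }                   # 49157, services.exe (Service Control Manager)
)

foreach ($s in $settings) {
    # reg.exe wants HKLM\..., the PowerShell registry provider wants HKLM:\...
    $regKey = $s.Path -replace '^HKLM:\\', 'HKLM\'
    $backup = Join-Path $env:TEMP ("rpc-backup-{0}.reg" -f $s.Name)
    reg export $regKey $backup /y | Out-Null

    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value 1 -PropertyType DWord -Force | Out-Null
    "{0}\{1} = 1   (backup: {2})" -f $regKey, $s.Name, $backup
}

# Steps 2-3 of the answer (global switch). Off by default because, as the answer
# notes, it breaks the Print Spooler on Windows 8 and later; revert by deleting the key.
$disableAllRpcPorts = $false
if ($disableAllRpcPorts) {
    $rpcInternet = 'HKLM:\Software\Microsoft\Rpc\Internet'
    if (Test-Path $rpcInternet) { Remove-Item -Path $rpcInternet -Recurse -Force }
    New-Item -Path $rpcInternet -Force | Out-Null
    New-ItemProperty -Path $rpcInternet -Name 'UseInternetPorts' -Value 'N' -PropertyType String -Force | Out-Null
}
```

To roll back a single setting, double-click or `reg import` the matching backup file from %TEMP%; re-run netstat afterwards to confirm the port has actually stopped listening, since a value that the service does not honour will silently change nothing.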
3

A variety of Windows services listen on dynamic RPC ports, like you found out. These usually correspond to services in the Services list. However, some of them are services you really don't want to turn off. When that happens, you need to use the built-in Windows firewall to prevent access. They're still listening, but nothing can get at them, which allows them to pass network audits.

The MS Dynamic RPC range did change as of Vista, to 49152-65535. You can even adjust the range if you need to:

netsh int ipv4 set dynamicport tcp start=49152 num=255

(The subcommand is dynamicport and the count parameter is num; Windows requires a range of at least 255 ports, so this yields 49152-49406.)

sysadmin1138
  • In the Windows Firewall, are these dynamic local TCP ports all named "RPC Dynamic Endpoint"? Are "RPC Endpoint Mapper" also included in this range? Thanks. – Jim Balo Jul 27 '13 at 05:41
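On a Windows 7 workgroup machine the dynamic RPC ports are reachable only because specific inbound allow rules (Remote Event Log Management, Remote Scheduled Tasks Management, Remote Service Management, and similar) open them; the default inbound policy already blocks everything else. Rather than adding a block rule for the whole 49152-65535 range, which in Windows Firewall overrides every allow rule on those ports, a practitioner usually scopes those allow rules to a management host. The script below is an added example (not the answer author's code) that finds such rules with netsh and, when enabled, re-scopes them. It assumes that netsh prints "LocalPort: RPC" for dynamic-endpoint rules and "RPC-EPMap" for the endpoint-mapper rule, and the management address is a constructed placeholder.

```powershell
# Added example, not from the answer: find the enabled inbound Windows Firewall rules
# that open the dynamic RPC endpoints and restrict them to a management host, instead of
# blocking the whole 49152-65535 range. Assumes netsh prints "LocalPort: RPC" for
# dynamic-endpoint rules and "RPC-EPMap" for the endpoint mapper (port 135) rule.
# Works on Windows 7 (Get-NetFirewallRule needs Windows 8 or later). Run elevated.
$managementHost = '192.0.2.10'   # constructed placeholder: the admin workstation allowed in
$applyChanges   = $false         # set to $true to actually re-scope the rules

# Turn "netsh ... show rule" output into one object per rule
$rules = @(); $cur = $null
foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
    if ($line -match '^Rule Name:\s*(.+)$') {
        if ($cur) { $rules += [pscustomobject]$cur }
        $cur = @{ Name = $matches[1].Trim() }
    } elseif ($cur -and $line -match '^(Enabled|Profiles|LocalPort|Action):\s*(.+)$') {
        $cur[$matches[1]] = $matches[2].Trim()
    }
}
if ($cur) { $rules += [pscustomobject]$cur }

# Only enabled allow rules matter; disabled ones open nothing
$rpcRules = $rules | Where-Object {
    $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' -and $_.LocalPort -match '^RPC'
}
$rpcRules | Format-Table Name, LocalPort, Profiles -AutoSize

foreach ($r in $rpcRules) {
    if ($applyChanges) {
        # Scope the existing allow rule to the management host; with no allow rule
        # matching other sources, the profile's default inbound block applies to them.
        netsh advfirewall firewall set rule name="$($r.Name)" dir=in new remoteip=$managementHost
    } else {
        "Would scope '$($r.Name)' (LocalPort $($r.LocalPort)) to remoteip=$managementHost"
    }
}
```

Run it first with $applyChanges left at $false to review the list; the rules it prints are the ones the follow-up comment is asking about (dynamic-endpoint rules show LocalPort RPC, the endpoint-mapper rule on 135 shows RPC-EPMap). Rules you do not need at all can simply be disabled instead of scoped.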