How to configure RPC to use certain ports and how to help secure those ports by using IPsec (2024)

Summary

This article describes how to configure RPC to use a specific dynamic port range and how to help secure the ports in that range by using an Internet Protocol security (IPsec) policy. By default, RPC uses ports in the ephemeral port range (1024-5000) when it assigns ports to RPC applications that have to listen on a TCP endpoint. This behavior can make restricting access to these ports challenging for network administrators. This article discusses ways to reduce the number of ports available to RPC applications and how to restrict access to these ports by using a registry-based IPsec policy.

Because the steps in this article involve computer-wide changes that require the computer to be restarted, all these steps should be performed first in nonproduction environments to identify any application-compatibility issues that may occur as the result of these changes.

More Information

There are multiple configuration tasks that must be completed in order to relocate, reduce, and restrict access to RPC ports.

First, the RPC dynamic port range should be restricted to a smaller, more manageable port range that is easier to block by using a firewall or IPsec policy. By default, RPC dynamically allocates ports in the range of 1024 to 5000 for endpoints that do not specify a port on which to listen.

Note
This article uses the port range of 5001 to 5021. This reduces the number of ports that are available to RPC endpoints from 3,976 to 20. The number of ports was selected arbitrarily and is not a recommendation for the number of ports that are needed for any specific system.

Next, an IPsec policy must be created to restrict access to this port range to deny access to all hosts on the network.

Finally, the IPsec policy can be updated to give certain IP addresses or network subnets access to the blocked RPC ports and to exclude all others.

To start the task of reconfiguring the RPC dynamic port range, download the RPC Configuration Tool (RPCCfg.exe), and then copy it to the workstation or to the server that will be reconfigured. To do this, visit the following Microsoft Web site:

To perform the subsequent tasks of creating an IPsec policy, download the Internet Protocol Security Policies Tool (Ipsecpol.exe), and then copy it to the workstation or to the server that will be reconfigured. To do this, visit the following Microsoft Web site:

Note To create an IPsec policy for Microsoft Windows XP or for a later version of the Windows operating system, use Ipseccmd.exe. Ipseccmd.exe is part of the Windows XP support tools. The syntax and usage of Ipseccmd.exe are the same as the syntax and usage of Ipsecpol.exe. For more information about the Windows XP support tools, click the following article number to view the article in the Microsoft Knowledge Base:

838079 Windows XP Service Pack 2 Support Tools

Relocate and reduce the RPC dynamic port range by using RPCCfg.exe

To relocate and reduce the RPC dynamic port range by using RPCCfg.exe, follow these steps:

  1. Copy RPCCfg.exe to the server that is to be configured.

  2. At the command prompt, type rpccfg.exe -pe 5001-5021 -d 0.
    Note This port range is recommended for use by RPC endpoints because ports in this range are not likely to be allocated for use by other applications. By default, RPC uses the port range of 1024 to 5000 for allocating ports for endpoints. However, ports in this range are also dynamically allocated for use by the Windows operating system for all Windows sockets applications and can be exhausted on heavily used servers such as terminal servers and middle-tier servers that make many outgoing calls to remote systems.

    For example, when Internet Explorer contacts a Web server on port 80, it listens on a port in the 1024-5000 range for the response from the server. A middle-tier COM server that makes outgoing calls to other remote servers also uses a port in this range for the incoming reply to that call. Moving the range of ports that RPC uses for its endpoints to the 5001 port range will reduce the chance that these ports will be used by other applications.
    For more information about ephemeral port usage in Windows operating systems, visit the following Microsoft Web sites.

Use an IPsec or firewall policy to block access to the vulnerable ports on the affected host

In the commands in the following section, any text that appears between percent (%) signs is intended to represent text in the command that must be entered by the person who creates the IPsec policy. For example, wherever the text "%IPSECTOOL%" appears, the person who creates the policy should substitute that text as follows:

  • For Windows 2000, substitute "%IPSECTOOL%" with "ipsecpol.exe."

  • For Windows XP or a later version of Windows, substitute "%IPSECTOOL%" with "ipseccmd.exe."

For more information about how to use IPsec to block ports, click the following article number to view the article in the Microsoft Knowledge Base:

813878 How to block specific network protocols and ports by using IPSec

Block access to the RPC Endpoint Mapper for all IP addresses

To block access to the RPC Endpoint Mapper for all IP addresses, use the following syntax.

Note On Windows XP and on later operating systems, use Ipseccmd.exe. On Windows 2000, use Ipsecpol.exe.

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK

Note Do not type "%IPSECTOOL%" in this command. "%IPSECTOOL%" is intended to represent the part of the command that must be customized. For example, on Windows 2000, type the following command from a directory that contains Ipsecpol.exe to block all incoming access to TCP 135:

ipsecpol.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK

On Windows XP and on later operating systems, type the following command from a directory that contains Ipseccmd.exe to block all incoming access to TCP 135:

ipseccmd.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 135 Rule" -f *=0:135:TCP -n BLOCK

Block access to the RPC dynamic port range for all IP addresses

To block access to the RPC dynamic port range for all IP addresses, use the following syntax.

Note On Windows XP and on later operating systems, use Ipseccmd.exe. On Windows 2000, use Ipsecpol.exe.

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Block Inbound TCP %PORT% Rule" -f *=0:%PORT%:TCP -n BLOCK

Note Do not type "%IPSECTOOL%" or "%PORT%" in this command. "%IPSECTOOL%" and "%PORT%" are intended to represent parts of the command that must be customized. For example, type the following command on Windows 2000 hosts to block all incoming access to TCP 5001:

ipsecpol.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 5001 Rule" -f *=0:5001:TCP -n BLOCK

To block all incoming access to TCP 5001, type the following command on Windows XP hosts and on hosts of later Windows operating systems:

ipseccmd.exe -w REG -p "Block RPC Ports" -r "Block Inbound TCP 5001 Rule" -f *=0:5001:TCP -n BLOCK

Repeat this command for each RPC port that must be blocked by changing the port number that is listed in this command. Ports that must be blocked are in the 5001-5021 range.

Note Do not forget to change the port number in the rule name (the -r switch) and in the filter (the -f switch).

Optional: Give access to the RPC Endpoint Mapper for specific subnets if access is needed

If you must give specific subnets access to the restricted RPC ports, you must first give these subnets access to the RPC Endpoint Mapper that you blocked earlier. To give a specific subnet access to the RPC Endpoint Mapper, use the following command:

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP 135 from %SUBNET% Rule" -f %SUBNET%/%MASK%=0:135:TCP -n PASS

Note In this command, the following statements apply:

  • "%IPSECTOOL%" represents the command to use. This command is either "ipsecpol.exe" or "ipseccmd.exe." Which command is used depends upon which operating system you are configuring.

  • "%SUBNET%" represents the remote IP subnet to which you want to give access, for example, 10.1.1.0.

  • "%MASK%" represents the subnet mask to use, for example, 255.255.255.0.

For example, the following command enables all hosts from the 10.1.1.0/255.255.255.0 subnet to connect to port TCP 135. All other hosts will have their connections denied by the default block rule that was created earlier for this port.

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP Port 135 from 10.1.1.0 Rule" -f 10.1.1.0/255.255.255.0=0:135:TCP -n PASS

Optional: Give access to the new RPC dynamic port range for specific subnets if access is needed

Each subnet that was given access to the RPC Endpoint Mapper earlier should also be given access to all the ports in the new RPC dynamic port range (5001-5021).

If you enable subnets to reach the RPC Endpoint Mapper but not the dynamic port range, the application may stop responding, or you may experience other problems.

The following command gives a specific subnet access to a port in the new RPC dynamic port range:

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP %PORT% from %SUBNET% Rule" -f %SUBNET%/%MASK%=0:%PORT%:TCP -n PASS

Note In this command, the following statements apply:

  • "%IPSECTOOL%" represents the command to use. This command is either "ipsecpol.exe" or "ipseccmd.exe." Which command is used depends upon which operating system you are configuring.

  • "%PORT%" represents the port in the dynamic port range to which to give access.

  • "%SUBNET%" represents the remote IP subnet to which you want to give access, for example, 10.1.1.0.

  • "%MASK%" represents the subnet mask to use, for example, 255.255.255.0.

For example, the following command enables all hosts from the 10.1.1.0/255.255.255.0 subnet to connect to port TCP 5001. All other hosts will have their connections denied by the default block rule that was created earlier for this port.

%IPSECTOOL% -w REG -p "Block RPC Ports" -r "Allow Inbound TCP Port 5001 from 10.1.1.0 Rule" -f 10.1.1.0/255.255.255.0=0:5001:TCP -n PASS

Note This command should be repeated for each subnet and port in the new RPC dynamic port range.
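To see how the block and allow rules of this policy combine, the following Python model is an added example (not Microsoft's tooling or part of the article). It assumes the Windows IPsec behaviour that the most specific matching filter wins, so a subnet PASS rule overrides the any-source BLOCK rule on the same port, and it reproduces the failure mode described above: a subnet allowed on TCP 135 but not on the dynamic range is still blocked on 5001.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    """One IPsec filter from the article: source network, local TCP port, action."""
    src: ipaddress.IPv4Network   # "*" in the -f spec becomes 0.0.0.0/0
    port: int
    action: str                  # "PASS" or "BLOCK"


def parse_filter(spec: str, action: str) -> Filter:
    """Parse an ipsecpol/ipseccmd -f argument such as '*=0:135:TCP' or
    '10.1.1.0/255.255.255.0=0:5001:TCP'. The '0' after '=' means this host."""
    src, dst = spec.split("=", 1)
    _me, port, proto = dst.split(":")
    if proto.upper() != "TCP":
        raise ValueError("this policy only uses TCP filters")
    net = (ipaddress.IPv4Network("0.0.0.0/0") if src == "*"
           else ipaddress.IPv4Network(src, strict=False))
    return Filter(net, int(port), action.upper())


def build_policy(dynamic_ports=range(5001, 5022), allowed_subnets=(), allow_dynamic=True):
    """Build the 'Block RPC Ports' filter list the article assembles step by step:
    BLOCK 135 and every dynamic port for all hosts, then PASS for each allowed subnet
    (135 always; the dynamic range only when allow_dynamic is True)."""
    ports = [135, *dynamic_ports]
    policy = [parse_filter(f"*=0:{p}:TCP", "BLOCK") for p in ports]
    for subnet in allowed_subnets:            # e.g. "10.1.1.0/255.255.255.0"
        allowed = ports if allow_dynamic else [135]
        policy += [parse_filter(f"{subnet}=0:{p}:TCP", "PASS") for p in allowed]
    return policy


def decide(policy, src_ip: str, dst_port: int) -> str:
    """Decide an inbound TCP connection. Assumed rule: the most specific matching
    filter (longest source prefix) wins; 'NONE' means no filter applies at all."""
    ip = ipaddress.IPv4Address(src_ip)
    matches = [f for f in policy if f.port == dst_port and ip in f.src]
    if not matches:
        return "NONE"
    return max(matches, key=lambda f: f.src.prefixlen).action


if __name__ == "__main__":
    # Constructed sample: one trusted subnet, once with and once without dynamic-range access.
    complete = build_policy(allowed_subnets=["10.1.1.0/255.255.255.0"])
    partial = build_policy(allowed_subnets=["10.1.1.0/255.255.255.0"], allow_dynamic=False)
    for label, pol in (("complete", complete), ("mapper-only", partial)):
        for src, port in (("10.1.1.5", 135), ("10.1.1.5", 5001), ("192.168.7.9", 5001)):
            print(f"{label:12} {src:>12} -> TCP {port}: {decide(pol, src, port)}")
```

The "mapper-only" rows show why the article insists that every subnet allowed on 135 also be allowed on 5001-5021: the client can reach the Endpoint Mapper, learns the dynamic port, and is then blocked.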

Assign the IPsec policy

Note The commands in this section take effect immediately.

After you create all the block rules and all the optional allow rules for the configured RPC ports, assign the policy by using the following command:

%IPSECTOOL% -w REG -p "Block RPC Ports" -x

Note To immediately unassign the policy, use the following command:

%IPSECTOOL% -w REG -p "Block RPC Ports" -y

Note To delete the policy from the registry, use the following command:

%IPSECTOOL% -w REG -p "Block RPC Ports" -o

You must restart the host for the RPC dynamic port range changes to take effect.
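Because the block and allow rules differ only in the port, subnet and tool name, the rule set is easier to keep consistent when generated than when typed 40 times by hand. The following Python script is an added example (not part of the article or of Microsoft's tools) that emits the complete command sequence above for the 5001-5021 range and a list of allowed subnets, and can write it as a batch file to run on the target host; the subnet 10.1.1.0/255.255.255.0 is the article's own sample.

```python
POLICY = "Block RPC Ports"


def ipsec_tool(windows_2000: bool = False) -> str:
    """The %IPSECTOOL% substitution: Ipsecpol.exe on Windows 2000, Ipseccmd.exe on XP and later."""
    return "ipsecpol.exe" if windows_2000 else "ipseccmd.exe"


def block_rule(tool: str, port: int) -> str:
    """BLOCK rule for one TCP port from any source; -r and -f always carry the same port."""
    return (f'{tool} -w REG -p "{POLICY}" -r "Block Inbound TCP {port} Rule" '
            f'-f *=0:{port}:TCP -n BLOCK')


def allow_rule(tool: str, port: int, subnet: str, mask: str) -> str:
    """PASS rule for one TCP port from one subnet (more specific, so it overrides the BLOCK)."""
    return (f'{tool} -w REG -p "{POLICY}" -r "Allow Inbound TCP {port} from {subnet} Rule" '
            f'-f {subnet}/{mask}=0:{port}:TCP -n PASS')


def build_commands(first: int = 5001, last: int = 5021, subnets=(), windows_2000: bool = False):
    """Return the ordered command list: rpccfg, BLOCK rules for 135 and the new range,
    PASS rules for each (subnet, mask) on the same ports, then assign the policy with -x."""
    if not (1 <= first <= last <= 65535):
        raise ValueError("port range must be ascending and within 1-65535")
    tool = ipsec_tool(windows_2000)
    ports = [135, *range(first, last + 1)]            # Endpoint Mapper plus the new dynamic range
    cmds = [f"rpccfg.exe -pe {first}-{last} -d 0"]     # takes effect only after a restart
    cmds += [block_rule(tool, p) for p in ports]
    for subnet, mask in subnets:                      # every allowed subnet gets 135 AND the range
        cmds += [allow_rule(tool, p, subnet, mask) for p in ports]
    cmds.append(f'{tool} -w REG -p "{POLICY}" -x')    # assign: takes effect immediately
    return cmds


def write_batch(path: str, cmds) -> None:
    """Write the commands as a CRLF batch file for the workstation or server being configured."""
    with open(path, "w", newline="\r\n") as fh:
        fh.write("@echo off\n")
        fh.write("\n".join(cmds) + "\n")


if __name__ == "__main__":
    for line in build_commands(subnets=[("10.1.1.0", "255.255.255.0")]):
        print(line)
```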

Notes

  • The RPC configuration changes require a restart.

  • The IPsec policy changes take effect immediately and do not require a restart.

After the workstation or server restarts, any RPC interfaces that use the ncacn_ip_tcp protocol sequence and do not specify a specific TCP port to which to bind will have a port allocated from this range by the RPC runtime when the RPC server starts.

Note The server may require more than 20 TCP ports. You can use the rpcdump.exe command to count the number of RPC endpoints that are bound to a TCP port and to increase this number if you must. For more information about how to obtain the RPC Dump tool, visit the following Microsoft Web site:

I'm an expert in Windows networking and security, particularly in configuring Remote Procedure Call (RPC) and implementing Internet Protocol security (IPsec) policies. My knowledge is based on extensive experience with Microsoft technologies and a deep understanding of network protocols and security measures.

The article you provided discusses how to configure RPC to use a specific dynamic port range and secure those ports using an IPsec policy. Let me break down the concepts used in the article:

  1. RPC (Remote Procedure Call):

    • RPC is a protocol that one program can use to request a service from a program on another computer within a network.
    • By default, RPC uses ports in the ephemeral port range (1024-5000) for allocating ports to RPC applications.
  2. Dynamic Port Range Configuration with RPCCfg.exe:

    • To relocate and reduce the RPC dynamic port range, the article recommends using the RPC Configuration Tool (RPCCfg.exe).
    • In this case, the article suggests using the port range of 5001 to 5021, reducing the number of available ports from 3,976 to 20.
  3. IPsec Policy Implementation:

    • An IPsec policy is used to restrict access to the newly configured port range.
    • IPsec policies help in enforcing security measures, and the article provides information on how to create, update, and assign these policies.
    • Commands involving Ipsecpol.exe or Ipseccmd.exe are used to block access to specific ports and protocols, such as TCP 135 and the RPC dynamic port range.
  4. Blocking Access to RPC Ports:

    • The article provides commands to block access to the RPC Endpoint Mapper (TCP 135) and the RPC dynamic port range for all IP addresses.
    • The goal is to enhance security by denying access to these ports, making it more challenging for unauthorized entities to exploit vulnerabilities.
  5. Optional: Allowing Access for Specific Subnets:

    • The article includes optional steps to grant access to specific subnets for both TCP 135 and the new RPC dynamic port range.
    • This allows network administrators to define exceptions for certain subnets while maintaining a secure environment.
  6. Assigning and Managing IPsec Policy:

    • Commands for assigning, unassigning, and deleting the IPsec policy from the registry are provided.
    • The article emphasizes the need to restart the host for RPC configuration changes to take effect, but IPsec policy changes take effect immediately.
  7. Additional Notes:

    • The article concludes with notes on the necessity of restarting the host after RPC configuration changes and the immediate effect of IPsec policy changes.
    • It mentions using the rpcdump.exe command to count the number of RPC endpoints bound to a TCP port, allowing adjustments if needed.

In summary, the article provides a comprehensive guide on configuring RPC port ranges, implementing IPsec policies, and enhancing the security of Windows networking environments. The steps outlined aim to strike a balance between functionality and security in RPC configurations.


FAQs

How to configure RPC to use certain ports?

Add rule to allow traffic to the RPC Dynamic Ports
  1. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - LDAP > Inbound Rules.
  2. Right-click and choose New Rule.
  3. Choose Custom and click Next.

How to configure RPC connection settings?

Configuring RPC communication for Windows Print components
  1. Enable by using Group Policy: Path: Computer Configuration > Administrative Templates > Printers > Configure RPC connection Settings. ...
  2. Enable the setting by using the registry:

What ports are used for RPC communication?

By default, RPC uses ports in the ephemeral port range (1024-5000) when it assigns ports to RPC applications that have to listen on a TCP endpoint.

How do I check my RPC ports?

You can test the RPC connection using the PortQry tool. This tool tests the RPC Server and also queries the host port and gets a list of ports and the status of the ports. In addition, this tool will get a list of RPC Dynamic ports via the RPC mapper. Run this tool by using the command prompt.

What is RPC and how does it work?

In the RPC model, the client makes a procedure call to send a data packet to the server. When the packet arrives, the server calls a dispatch routine, performs whatever service is requested, and sends a reply back to the client. The procedure call then returns to the client.

How do I allow certain ports?

How to open a port on the firewall
  1. Click on Start then on Control Panel.
  2. Click on Windows Firewall and then click on Advanced Settings.
  3. Right click on Inbound Rules then on New Rule:
  4. Select Port and click on Next:
  5. Enter a specific local port (e.g. 8080) and click on Next:
  6. Click on Next:
  7. Name the rule and click on Finish:

What is RPC settings?

A Remote Procedure Call (RPC) is a software communication protocol that one program uses to request a service from another program located on a different computer and network, without having to understand the network's details.

How do I activate RPC?

Method 1. Make sure the RPC services are running
  1. Open the search bar in your taskbar by clicking on the magnifying glass icon. ...
  2. Type in Services and click on the first search result.
  3. Scroll down and locate the Remote Procedure Call (RPC) service from the list. ...
  4. Ensure that the Startup type is set to Automatic.

How do I fix RPC problems?

If step 1 doesn't work, then move to step 2.
  1. Ensure all RPC services are running on your PC.
  2. Check RPC isn't blocked by your firewall.
  3. Boot using normal startup.
  4. Enable IPv6 and file & printer sharing.
  5. Flush your DNS cache.
  6. Edit your registry settings.
  7. Reset your PC.

Is RPC port TCP or UDP?

Generally, RPC applications will use UDP when sending data, and only fall back to TCP when the data to be transferred doesn't fit into a single UDP datagram. Of course, client programs have to have a way to find out which port a program number maps to.

Is RPC same as TCP?

TCP (Transmission Control Protocol) is a delivery protocol (i.e. how can we have a conversation between two places). RPC (Remote Procedure Call) describes how the messages should be treated (i.e. how each side should talk).

What is the default RPC port number?

Default Port Numbers

Port  Protocol  Description
80    TCP       Default port for browser access.
161   UDP       Inbound GET requests using SNMP.
162   UDP       Outbound SNMP TRAPs.
123   TCP       Connection from library to an external NTP server.
10 more rows

How do I know if my RPC is running?

To check whether the RPC and WMI Services are running in the remote machine:
  1. In the remote machine, go to Start → Run → services.msc.
  2. Check whether the services Remote Procedure Call and Windows Management Instrumentation are running. If not, start those services.

How do I identify my ports?

How to find ports being used in Windows
  1. Open Command Prompt by typing cmd in the search box.
  2. Enter ipconfig at the prompt This provides you with some outputs about your IP address. ...
  3. Now, type netstat -a for a list of connections and port numbers that are currently being used.

How do I check if a port is open on a remote server?

Enter "telnet + IP address or hostname + port number" (e.g., telnet www.example.com 1723 or telnet 10.17.xxx.xxx 5000) to run the telnet command in Command Prompt and test the TCP port status. If the port is open, only a cursor will show.

How do I specify a port in Remote Desktop?

To Alter the Port on the client side:
  1. Go to the Start menu and click on Run.
  2. On the Run menu type MSTSC and click Enter.
  3. In the RDP window, in the Computer box, scroll to the computer name or IP to which you wish to connect.
  4. Add a “:Port” (without the quotes) where “Port” is the decimal value of the destination port.

What is port 49152 to 65535?

Dynamic ports, also known as private or ephemeral ports, include ports 49152 to 65535 and are never assigned.

How to specify a port for the ASP.NET Development Server?

To specify a port for the ASP.NET Development Server:
  1. In Solution Explorer, click the name of the application.
  2. In the Properties pane, click the down-arrow beside Use dynamic ports and select False from the dropdown list. ...
  3. In the Properties pane, click the text box beside Port number and type in a port number.

Does RPC use port 135?

Remote Procedure Call (RPC) port 135 is used in client/server applications (might be on a single machine) such as Exchange clients, the recently exploited messenger service, as well as other Windows NT/2K/XP software.

Article information

Author: Dr. Pierre Goyette

Last Updated:
