topic Re: Application Dependencies for MSRPC in General Topics

Application Dependencies for MSRPC

yesitisme_007 — Mon, 11 Mar 2013 22:20:08 GMT

Does anyone else feel that the application dependencies for MSRPC are incorrect?

PA currently lists MSRPC as dependent on MS-DS-SMB and NETBIOS-SS. However, those protocols are not actually necessary for MSRPC to work. They are distinct protocols with different purposes. To my mind, including those dependencies encourages administrators to include unnecessary access in security policy. For example, if I'm writing a rule to allow access to an Exchange server I don't normally want to give users the ability to map drives - Yet, this is what the dependencies are telling me I should do.

While I am quite comfortable with ignoring the warnings generated at commit time, I still feel it is a mistake to have these dependencies. I'm very interested in hearing other people's opinions.

Re: Application Dependencies for MSRPC

BCH — Mon, 11 Mar 2013 22:49:27 GMT

Did you have a shot at 5.0 ?

Most of dependencies are gone

Re: Application Dependencies for MSRPC

yesitisme_007 — Mon, 11 Mar 2013 23:16:05 GMT

Actually, the dependencies are still there. All that has happened is PAN devices will now implicitly add the 'needed' applications to a rule where an explicit application has dependencies. This actually increases my worry that more access would be granted than intended.

Re: Application Dependencies for MSRPC

mikand — Mon, 11 Mar 2013 23:22:14 GMT

As I understand thats not entirely true.

The dependencies are only open for the amount of packets needed in order to detect the main application.

For example where you previously was forced to have both appx and web-browsing open forever you now only add appx and the web-browsing will only be allowed for the amount of packets needed to detect appx, if appx is not detected after this amount then the web-browsing session is denied.

Re: Application Dependencies for MSRPC

BCH — Tue, 12 Mar 2013 09:20:05 GMT

Yes, but only for the first few packets needed to determine the underlying application.

Re: Application Dependencies for MSRPC

yesitisme_007 — Tue, 12 Mar 2013 15:40:50 GMT

I stand corrected on the behavior under 5.0+. Thanks. I feel a little better about the security of the devices now.

That still doesn't address my original question though. All of the documentation I've been able to find on the Internet indicates that MSRPC/DCM is a completely separate protocol. Is there truly a dependency between the MSRPC/DCOM and NETBIOS protocols? Is SMB really necessary for MSRPC to work?