Application Dependencies for MSRPC

L2 Linker

Does anyone else feel that the application dependencies for MSRPC are incorrect?

PA currently lists MSRPC as dependent on MS-DS-SMB and NETBIOS-SS. However, those protocols are not actually necessary for MSRPC to work. They are distinct protocols with different purposes. To my mind, including those dependencies encourages administrators to include unnecessary access in security policy. For example, if I'm writing a rule to allow access to an Exchange server, I don't normally want to give users the ability to map drives. Yet this is what the dependencies are telling me I should do.

While I am quite comfortable with ignoring the warnings generated at commit time, I still feel it is a mistake to have these dependencies. I'm very interested in hearing other people's opinions.

5 REPLIES

Not applicable

Did you have a shot at 5.0?

Most of the dependencies are gone :)

Actually, the dependencies are still there. All that has happened is PAN devices will now implicitly add the 'needed' applications to a rule where an explicit application has dependencies. This actually increases my worry that more access would be granted than intended.

As I understand it, that's not entirely true.

The dependencies are only open for the number of packets needed in order to detect the main application.

For example, where you were previously forced to have both appx and web-browsing open forever, you now only add appx, and web-browsing will only be allowed for the number of packets needed to detect appx. If appx is not detected after that number of packets, the web-browsing session is denied.

Yes, but only for the first few packets needed to determine the underlying application.

I stand corrected on the behavior under 5.0+. Thanks. I feel a little better about the security of the devices now.

That still doesn't address my original question though. All of the documentation I've been able to find on the Internet indicates that MSRPC/DCOM is a completely separate protocol. Is there truly a dependency between the MSRPC/DCOM and NETBIOS protocols? Is SMB really necessary for MSRPC to work?
