Does anyone else feel that the application dependencies for MSRPC are incorrect? PA currently lists MSRPC as dependent on MS-DS-SMB and NETBIOS-SS. However, those protocols are not actually necessary for MSRPC to work. They are distinct protocols with different purposes. To my mind, including those dependencies encourages administrators to include unnecessary access in security policy. For example, if I'm writing a rule to allow access to an Exchange server I don't normally want to give users the ability to map drives - Yet, this is what the dependencies are telling me I should do. While I am quite comfortable with ignoring the warnings generated at commit time, I still feel it is a mistake to have these dependencies. I'm very interested in hearing other people's opinions.
... View more