About SMB and MS-RPC

MS-RPC

MS-RPC is Microsoft's implementation of the DCE/RPC standard. Like rpcbind or portmap on Linux, it is a dynamic-port protocol: the client first contacts the RPC endpoint mapper on TCP port 135, which tells it on which dynamically allocated port the requested service is listening (by default in the range 49152 to 65535), and the client then opens a second connection to that port.

This mode of operation has fallen out of favour because it requires opening wide port ranges on server firewalls and on inter-site routers.

Active Directory relies on it, among other things, to replicate the directory between domain controllers.

Ports used for a correct functioning of MS-RPC

Port                                                        Usage
135 (TCP)                                                   RPC endpoint mapper; every RPC client connection starts here
49152 to 65535 (TCP, Windows Vista / Server 2008 and later) Default dynamic port range for RPC services over TCP
1025 to 5000 (TCP, Windows 2000 and Windows Server 2003)    Dynamic port range on older versions of Windows
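To observe the mechanism described above on a live Windows host, the following PowerShell snippet (added here as an illustration; it is not part of the original page) reads the configured dynamic range, checks that the endpoint mapper is listening on 135, lists the processes that currently own listeners inside the dynamic range, and shows how the range is narrowed with netsh. Run it in an elevated prompt; the narrowed range of 16384 ports from 49152 and the host name dc01.example.local are assumed example values.

```powershell
# Added example, not from the original page. Run as Administrator on a Windows host.

# 1. Which dynamic range does this host actually use?
#    (Vista / Server 2008 and later default to 49152 with 16384 ports, i.e. 49152-65535.)
#    "Internet" is one of the TCP setting templates; all templates carry the same range.
$tcp   = Get-NetTCPSetting -SettingName Internet
$start = $tcp.DynamicPortRangeStartPort
$end   = $start + $tcp.DynamicPortRangeNumberOfPorts - 1
"Dynamic TCP range: $start-$end"

# 2. The endpoint mapper must be listening on 135, otherwise no RPC service is reachable at all.
Get-NetTCPConnection -LocalPort 135 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. RPC services register with the endpoint mapper and listen on ports taken from the
#    dynamic range. Joining on OwningProcess shows which process owns each listener
#    (on a domain controller, lsass.exe is the one serving directory replication).
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge $start -and $_.LocalPort -le $end } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = $p.ProcessName
        }
    } | Sort-Object LocalPort | Format-Table -AutoSize

# 4. Narrowing the range reduces what the firewall has to open. Example value: 16384 ports
#    from 49152. The change takes effect after a reboot. Keep the range large enough for
#    the RPC services and the outbound ephemeral connections the host needs; an exhausted
#    range produces hard-to-diagnose connection failures.
# netsh int ipv4 set dynamicport tcp start=49152 num=16384
# netsh int ipv6 set dynamicport tcp start=49152 num=16384

# 5. From a client, verify the mapper first: if 135 is unreachable the dynamic range is moot.
#    dc01.example.local is an assumed host name.
# Test-NetConnection -ComputerName dc01.example.local -Port 135
```

The listing in step 3 is also the quickest way to find out which dynamic ports a server really uses before writing firewall rules, rather than opening the whole range by default.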

SMB

SMB is the protocol Windows uses to share files and printers over the network and, through named pipes, to let processes on different machines talk to each other. It is therefore one of the protocols that applications and services on networked computers use to communicate, and a large part of MS-RPC traffic (for example authentication and domain management calls) is carried over SMB named pipes rather than over the dynamic TCP ports described above.

Ports used for a correct functioning of SMB

Port       Usage
139 (TCP)  SMB over NetBIOS over TCP/IP (legacy; only needed by old clients)
445 (TCP)  SMB directly over TCP/IP

Hint

How can we secure these ports?

Leaving these ports reachable from the whole network is a risk, but the applications need them. The goal is therefore to keep them open only for the hosts that legitimately use them. Several measures help protect these two important and well-known ports:

  • Filter them with a host firewall or endpoint protection: allow inbound 135, 445 (and the RPC dynamic range) only from the subnets that need them, such as other domain controllers and administration stations, and block everything else, above all any exposure to the Internet. Blocklists of "known hacker" IP addresses are no substitute for this, since an attacker who has compromised an allowed internal host is not on any list.

  • Use a VPN to encrypt and authenticate traffic that has to cross an untrusted network; SMB and MS-RPC should never transit the Internet unencapsulated.

  • Use VLANs to isolate internal traffic and keep workstations, servers and administration networks apart from each other.

  • MAC address filtering can keep unknown systems off the network, but a MAC address is trivially spoofed and the list requires a great deal of management work to keep up to date, so treat it as a minor obstacle rather than a security control.
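The firewall measure above, expressed as Windows Defender Firewall rules in PowerShell (an added example, not from the original page). It assumes the management subnet 10.10.0.0/24 and the domain controller addresses 10.10.1.10 and 10.10.1.11 as placeholders; adjust them to your network. Note that in Windows Firewall a Block rule always wins over an Allow rule, so the pattern is a default inbound Block for the profile plus narrowly scoped Allow rules, and the built-in Allow rules that admit these ports from anywhere have to be scoped as well or they defeat the exercise.

```powershell
# Added example, not from the original page. Run as Administrator on the server to protect.
# Assumed values: the subnets and display names below are placeholders.
$adminSubnets = @('10.10.0.0/24')              # administration stations
$dcHosts      = @('10.10.1.10', '10.10.1.11')  # other domain controllers (replication)
$allowed      = $adminSubnets + $dcHosts

# 1. Default policy: anything inbound that is not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. MS-RPC: endpoint mapper plus the dynamic range, only from hosts that need it.
New-NetFirewallRule -DisplayName 'MS-RPC from DCs and admin subnet' `
    -Direction Inbound -Protocol TCP -LocalPort @('135', '49152-65535') `
    -RemoteAddress $allowed -Action Allow -Profile Domain

# 3. SMB over TCP, same source restriction.
New-NetFirewallRule -DisplayName 'SMB from DCs and admin subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $allowed -Action Allow -Profile Domain

# 4. SMB over NetBIOS is legacy; block it explicitly so no other rule can open it.
New-NetFirewallRule -DisplayName 'Block SMB over NetBIOS (139)' `
    -Direction Inbound -Protocol TCP -LocalPort 139 -Action Block

# 5. Windows ships built-in Allow rules for these ports with RemoteAddress = Any
#    (group names depend on the roles installed). Scope them to the same sources,
#    otherwise they keep admitting everyone regardless of the rules above.
foreach ($group in @('File and Printer Sharing', 'Active Directory Domain Services')) {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -RemoteAddress $allowed
}

# 6. Review what is now open on 135/445 and from where.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(135|445)$'
    } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    } | Format-Table -AutoSize

# 7. Verify from two clients: one inside $allowed, one outside.
#    Only the first should report TcpTestSucceeded = True (srv01.example.local is assumed).
# Test-NetConnection -ComputerName srv01.example.local -Port 445
```

Step 6 is the check worth keeping in a periodic audit: any Allow rule on 135 or 445 whose RemoteAddress is "Any" means the port is effectively open to the whole network again.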