Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP

From: ASB (abaker_at_gmail.com)
Date: 10/13/04

To: full-disclosure@lists.netsys.com
Date: Wed, 13 Oct 2004 16:44:42 -0400


    You need protocol level inspection (i.e. beyond SPI) if you're going
    to monitor that kind of traffic.

    Also, the support for RPC over HTTP (should really be HTTPS) is not as
    open ended as you might fear.

    Look at the following:
    http://www.google.com/search?q=RPC%20over%20HTTPS%20implement

    - ASB
      Cheap, Fast, Secure -- Pick Any TWO.
      http://www.ultratech-llc.com/KB/

    On Tue, 12 Oct 2004 12:41:56 -0700, Daniel Sichel
    <daniels@ponderosatel.com> wrote:
    > This may just reflect my ignorance, but I read (and found hard to
    > believe) that Microsoft has implemented RPC over HTTP. Is this not a
    > HUGE security hole? If I understand it correctly it means that good old
    > HTML or XML can invoke a process using standard web traffic (port 80)?
    > Is there any permission checking done? what things can be invoked by RPC
    > over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
    > I right, and if so, how can I detect RPCs in web traffic to block this
    > junk? Can ANY stateful packet filter see this stuff or is the pattern
    > too broad in allowed RPCs?
    >
    > Again, I hope this is not a stupid question or inappropriate format for
    > this, as somebody else recently said, there is already enough noise on
    > this list. I would hate to see this list degenerate, it has been REALLY
    > valuable to me as a network engineer on occasion.
    >
    > Thanks all,
    > Dan Sichel
    > Ponderosa telephone
    > daniels@ponderosatel.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
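An added illustration of ASB's point that a port-based stateful filter cannot see RPC over HTTP but an HTTP-aware inspection point can (example code written for this archive page; it is not from the thread, from Microsoft, or from any product named above). It assumes the MS-RPCH conventions: the tunnel uses the HTTP methods RPC_IN_DATA and RPC_OUT_DATA against the RPC proxy, by default /rpc/rpcproxy.dll, with the inner "server:port" carried in the query string. The request lines are constructed samples, not captured traffic, and the allow-list host and port are placeholders.

```python
import re
from collections import Counter

# RPC over HTTP (MS-RPCH) tunnels DCE/RPC inside two long-lived HTTP requests
# whose methods are RPC_IN_DATA and RPC_OUT_DATA, sent to the RPC proxy
# (conventionally /rpc/rpcproxy.dll) with the inner "server:port" in the query.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PROXY_PATH = "/rpc/rpcproxy.dll"

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z_]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")
INNER_TARGET = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")

# Constructed sample request lines (not real traffic); they stand in for what
# an HTTP-aware proxy or IDS would hand to a detection rule. On the wire all of
# them are just TCP port 80/443 payload, which is why SPI alone cannot tell them apart.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.test:6001 HTTP/1.1",
    "RPC_OUT_DATA /rpc/rpcproxy.dll?mail.example.test:6001 HTTP/1.1",
    "POST /owa/auth.owa HTTP/1.1",
    "GET /rpc/rpcproxy.dll HTTP/1.1",
]


def classify(request_line: str) -> str:
    """Label one HTTP request line by whether it carries an RPC tunnel."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return "malformed"
    method, target = m.group("method"), m.group("target")
    path = target.split("?", 1)[0].lower()
    if method in RPC_METHODS:
        return "rpc-over-http"      # the tunnel itself
    if path == RPC_PROXY_PATH:
        return "rpc-proxy-path"     # ordinary method aimed at the proxy endpoint
    return "plain-http"


def rpc_target(request_line: str):
    """Return (host, port) the tunnel asks the RPC proxy to reach, or None."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m or m.group("method") not in RPC_METHODS:
        return None
    query = m.group("target").partition("?")[2]
    t = INNER_TARGET.match(query)
    if not t:
        return None
    return t.group("host").lower(), int(t.group("port"))


def is_permitted(request_line: str, allowed: set) -> bool:
    """Policy a protocol-level inspector can enforce: plain web traffic passes,
    RPC tunnels pass only toward published back ends, everything else is dropped."""
    kind = classify(request_line)
    if kind == "plain-http":
        return True
    if kind == "rpc-over-http":
        return rpc_target(request_line) in allowed
    return False  # stray requests to the proxy path, malformed lines


def summarize(lines) -> dict:
    """Count request lines per class, as a quick triage over a log extract."""
    return dict(Counter(classify(line) for line in lines))


if __name__ == "__main__":
    # Placeholder allow-list: the Exchange back end the RPC proxy is meant to publish.
    ALLOWED = {("mail.example.test", 6001)}
    for line in SAMPLE_REQUESTS:
        print(f"{classify(line):15} permitted={is_permitted(line, ALLOWED)!s:5} {line}")
    print(summarize(SAMPLE_REQUESTS))
```

The decision is made entirely on the HTTP request line, which is the layer a stateful packet filter never parses; the same bytes on port 80 look identical to a GET from its point of view. Restricting tunnels to an explicit back-end allow-list also narrows the "what can be invoked" question Dan raised to the hosts and ports the proxy was deliberately published for.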

