Information on Dynamic Port Used by Terminal Services


Will

According to Microsoft documentation, Terminal Server Licensing servers use
RPC port 135 and a dynamic port over 1024. Regarding the dynamic port,
can someone tell me:

1) Is there a registry option we can use to place the dynamic port on a
specific fixed TCP port? If yes, what are the details of that?

2) Is anyone here technical enough with the terminal server licensing
protocol that they can tell me the UUID of the requested service associated
with the dynamic port?

--
Will
 

Vera Noest [MVP]

This should help you with Q1. It's not as simple as a registry
key, though.

How to configure RPC to use certain ports and how to help secure
those ports by using IPsec
http://support.microsoft.com/kb/908472/en-us

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:

> According to Microsoft documentation, Terminal Server Licensing
> servers use RPC port 135 and a dynamic port over 1024.
> Regarding the dynamic port, can someone tell me:
>
> 1) Is there a registry option we can use to place the dynamic
> port on a specific fixed TCP port? If yes, what are the
> details of that?
>
> 2) Is anyone here technical enough with the terminal server
> licensing protocol that they can tell me the UUID of the
> requested service associated with the dynamic port?
 

Will

Reducing the RPC range still leaves a range. It is really just like having
no security at all since any application that is RPC based can still run
through that range.

With many applications, Microsoft thoughtfully provides a registry key that
lets you fix the RPC application service to a fixed port. That's very
firewall friendly and works great. I was really hoping that the terminal
server licensing might provide something similar (perhaps not well
documented). I wish Microsoft would offer such an option on every single
service it publishes by RPC, as a matter of a design requirement. It
would make securing these boxes so much easier.

Whether you use IPSec, or a regular firewall, the point is that any server
that needs even one RPC service on the target server would need to be given
access to the range of RPC ports, which really isn't security. What we
do with domain controllers behind firewalls, which works great, is to fix
three specific RPC services to fixed ports, and then we lock the firewall to
access only RPC 135 and those three ports. No other ports are allowed.
That approach is approaching secure because you can control which N number
of RPC services are directly accessed by any host. If some other RPC
service starts on the target host, the person who wants access can get its
port number through the RPC port 135 mapper, but they cannot get to the
actual service through the firewall.

I can debug the UUID with a sniffer, and ISA Server has a nice feature that
lets you restrict RPC access to a specific UUID. But that's complex and in
our experience it can sometimes break the service (apparently the
implementation of this idea has some potential bugs or design limitation).
It's time consuming to implement and to debug as well.

--
Will


"Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message
news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...
> This should help you with Q1. It's not as simple as a registry
> key, though.
>
> How to configure RPC to use certain ports and how to help secure
> those ports by using IPsec
> http://support.microsoft.com/kb/908472/en-us
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*
>
> "Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:
>
>> According to Microsoft documentation, Terminal Server Licensing
>> servers use RPC port 135 and a dynamic port over 1024.
>> Regarding the dynamic port, can someone tell me:
>>
>> 1) Is there a registry option we can use to place the dynamic
>> port on a specific fixed TCP port? If yes, what are the
>> details of that?
>>
>> 2) Is anyone here technical enough with the terminal server
>> licensing protocol that they can tell me the UUID of the
>> requested service associated with the dynamic port?
 

Will

I traced a terminal server against the terminal server licensing, and to my
surprise none of the RPC dynamic ports was contacted. Instead, the entire
protocol for licensing looks like it happens over port 445.

Can someone confirm for me: are all RPC services runnable through port 445
directly, without contacting the dynamic RPC port? Or did Microsoft
implement something extra just for terminal services licensing that allows
it to work over port 445?

--
Will


"Will" <westes-usc@noemail.nospam> wrote in message
news:YLWdndvRBbJ0Pg7VnZ2dnUVZ_uLinZ2d@giganews.com...
> Reducing the RPC range still leaves a range. It is really just like
> having no security at all since any application that is RPC based can
> still run through that range.
>
> With many applications, Microsoft thoughtfully provides a registry key
> that lets you fix the RPC application service to a fixed port. That's
> very firewall friendly and works great. I was really hoping that the
> terminal server licensing might provide something similar (perhaps not
> well documented). I wish Microsoft would offer such an option on every
> single service it publishes by RPC, as a matter of a design requirement.
> It would make securing these boxes so much easier.
>
> Whether you use IPSec, or a regular firewall, the point is that any server
> that needs even one RPC service on the target server would need to be
> given access to the range of RPC ports, which really isn't security.
> What we do with domain controllers behind firewalls, which works great, is
> to fix three specific RPC services to fixed ports, and then we lock the
> firewall to access only RPC 135 and those three ports. No other ports
> are allowed. That approach is approaching secure because you can control
> which N number of RPC services are directly accessed by any host. If
> some other RPC service starts on the target host, the person who wants
> access can get its port number through the RPC port 135 mapper, but they
> cannot get to the actual service through the firewall.
>
> I can debug the UUID with a sniffer, and ISA Server has a nice feature
> that lets you restrict RPC access to a specific UUID. But that's complex
> and in our experience it can sometimes break the service (apparently the
> implementation of this idea has some potential bugs or design limitation).
> It's time consuming to implement and to debug as well.
>
> --
> Will
>
>
> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in message
> news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...
>> This should help you with Q1. It's not as simple as a registry
>> key, though.
>>
>> How to configure RPC to use certain ports and how to help secure
>> those ports by using IPsec
>> http://support.microsoft.com/kb/908472/en-us
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> *----------- Please reply in newsgroup -------------*
>>
>> "Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:
>>
>>> According to Microsoft documentation, Terminal Server Licensing
>>> servers use RPC port 135 and a dynamic port over 1024.
>>> Regarding the dynamic port, can someone tell me:
>>>
>>> 1) Is there a registry option we can use to place the dynamic
>>> port on a specific fixed TCP port? If yes, what are the
>>> details of that?
>>>
>>> 2) Is anyone here technical enough with the terminal server
>>> licensing protocol that they can tell me the UUID of the
>>> requested service associated with the dynamic port?
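The sniffer approach to finding the interface UUID in the post before this one, and the question here about the same licensing traffic showing up on port 445, both come down to the DCE/RPC bind PDU: it carries the UUID and version of the interface the client wants, and it is byte-for-byte the same PDU whether the transport is ncacn_ip_tcp (port 135 plus the dynamic port) or ncacn_np (a named pipe carried over SMB on TCP 445). What follows is an added example, not code from this thread or from any Microsoft tool: a small Python parser for bind and bind_ack PDUs that pulls out the interface UUID, reads the secondary address from the bind_ack to tell which transport answered, and applies an ISA-style per-interface allow-list. The endpoint mapper UUID and the NDR transfer syntax UUID are the standard well-known values; DEMO_IFACE is a made-up placeholder and not the licensing interface, and the sample PDUs, port number and pipe name are constructed inline.

```python
"""Parse DCE/RPC bind / bind_ack PDUs and filter binds by interface UUID.

Added example for this thread; sample PDUs are constructed inline.
Layout follows the DCE 1.1 RPC spec (C706, section 12.6.4) as used by MSRPC.
"""
import struct
import uuid
from dataclasses import dataclass

PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
HDR = "<BBBB4sHHI"                                   # 16-byte common header
NDR32 = ("8a885d04-1ceb-11c9-9fe8-08002b104860", 2)  # standard NDR transfer syntax
EPMAPPER = "e1af8308-5d1f-11c9-91a4-08002b14a0fa"    # endpoint mapper interface (TCP 135)
DEMO_IFACE = "12345678-1234-1234-1234-123456789abc"  # made-up placeholder, not a real interface


@dataclass
class Context:
    ctx_id: int
    iface: str       # abstract syntax UUID: the value a sniffer shows you
    major: int
    minor: int
    transfer: list   # [(transfer syntax UUID, version), ...]


def _uuid_le(raw: bytes) -> str:
    # Little-endian data representation: first three UUID fields are byte-swapped on the wire.
    return str(uuid.UUID(bytes_le=raw))


def _header(pdu: bytes, expected_ptype: int) -> int:
    vers, _, ptype, _, drep, frag_len, _, call_id = struct.unpack_from(HDR, pdu, 0)
    if vers != 5 or ptype != expected_ptype:
        raise ValueError("unexpected RPC version/PDU type")
    if not drep[0] & 0x10:
        raise ValueError("big-endian data representation not handled")
    if frag_len != len(pdu):
        raise ValueError("fragment length mismatch")
    return call_id


def parse_bind(pdu: bytes):
    """Return (call_id, [Context, ...]) for a bind PDU."""
    call_id = _header(pdu, PTYPE_BIND)
    n_ctx = pdu[24]              # follows max_xmit, max_recv, assoc_group_id
    off, ctxs = 28, []
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HBx", pdu, off)
        off += 4
        iface = _uuid_le(pdu[off:off + 16])
        version, = struct.unpack_from("<I", pdu, off + 16)
        off += 20
        ts = []
        for _ in range(n_ts):
            ts.append((_uuid_le(pdu[off:off + 16]), struct.unpack_from("<I", pdu, off + 16)[0]))
            off += 20
        ctxs.append(Context(ctx_id, iface, version & 0xFFFF, version >> 16, ts))
    return call_id, ctxs


def parse_bind_ack(pdu: bytes):
    """Return (call_id, secondary address, [(result, reason), ...]) for a bind_ack PDU."""
    call_id = _header(pdu, PTYPE_BIND_ACK)
    sec_len, = struct.unpack_from("<H", pdu, 24)
    sec_addr = pdu[26:26 + sec_len].rstrip(b"\x00").decode("ascii")
    off = 26 + sec_len
    off += (-off) % 4            # p_result_list is 4-byte aligned
    n_results, off = pdu[off], off + 4
    results = []
    for _ in range(n_results):
        results.append(struct.unpack_from("<HH", pdu, off))
        off += 24                # result, reason, transfer syntax (uuid + version)
    return call_id, sec_addr, results


def transport_of(sec_addr: str) -> str:
    """The bind_ack secondary address is a pipe name for ncacn_np (SMB, TCP 445)
    and a port number for ncacn_ip_tcp (the endpoint mapper's dynamic port)."""
    if sec_addr.upper().startswith("\\PIPE\\"):
        return "ncacn_np"
    return "ncacn_ip_tcp" if sec_addr.isdigit() else "unknown"


def check_bind(pdu: bytes, allowed: set):
    """Per-interface filter: every presentation context must be in `allowed`
    ({(uuid, major)}), because one bind can offer several interfaces at once."""
    _, ctxs = parse_bind(pdu)
    allowed = {(u.lower(), v) for u, v in allowed}
    denied = [c.iface for c in ctxs if (c.iface, c.major) not in allowed]
    return not denied, denied


def build_bind(call_id: int, contexts) -> bytes:
    """Construct a bind PDU offering each (uuid, major, minor) in `contexts` with NDR32."""
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", len(contexts), 0, 0)
    for i, (iface, major, minor) in enumerate(contexts):
        body += struct.pack("<HBB", i, 1, 0)
        body += uuid.UUID(iface).bytes_le + struct.pack("<I", major | (minor << 16))
        body += uuid.UUID(NDR32[0]).bytes_le + struct.pack("<I", NDR32[1])
    return struct.pack(HDR, 5, 0, PTYPE_BIND, 0x03, b"\x10\0\0\0", 16 + len(body), 0, call_id) + body


def build_bind_ack(call_id: int, sec_addr: str) -> bytes:
    """Construct a bind_ack accepting NDR32 for one context, reporting `sec_addr`
    as the server's secondary address (constructed sample, not a real capture)."""
    addr = sec_addr.encode("ascii") + b"\x00"
    body = struct.pack("<HHIH", 4280, 4280, 0x1234, len(addr)) + addr
    body += b"\x00" * ((-len(body)) % 4)
    body += struct.pack("<BBHHH", 1, 0, 0, 0, 0) + uuid.UUID(NDR32[0]).bytes_le + struct.pack("<I", NDR32[1])
    return struct.pack(HDR, 5, 0, PTYPE_BIND_ACK, 0x03, b"\x10\0\0\0", 16 + len(body), 0, call_id) + body


if __name__ == "__main__":
    allowed = {(EPMAPPER, 3)}
    honest = build_bind(1, [(EPMAPPER, 3, 0)])
    sneaky = build_bind(2, [(EPMAPPER, 3, 0), (DEMO_IFACE, 1, 0)])  # second context smuggles another interface
    print(check_bind(honest, allowed))   # (True, [])
    print(check_bind(sneaky, allowed))   # (False, [DEMO_IFACE])
    for addr in ("49155", "\\PIPE\\example"):  # constructed: a dynamic port vs. a named pipe
        _, sec, _ = parse_bind_ack(build_bind_ack(1, addr))
        print(sec, transport_of(sec))
```

With a real capture, hand parse_bind the TCP payload seen on port 135 or on the dynamic port, or the data of the SMB write to the named pipe on port 445; the interface UUID comes out the same either way, which is the practical answer to whether the 445 path is a separate implementation. The `sneaky` bind is the case a UUID filter has to get right: a client may offer several presentation contexts in one PDU, so the filter must examine all of them rather than only the first.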
 

Jeff Pitsch

Are you in per user or per device mode? That may make a difference since
per user doesn't actually do anything while per device actually returns
information.

Jeff Pitsch
Microsoft MVP - Terminal Services


"Will" <westes-usc@noemail.nospam> wrote in message
news:9pidnRdYQZfFTg7VnZ2dnUVZ_iydnZ2d@giganews.com...
>I traced a terminal server against the terminal server licensing, and to my
>surprise none of the RPC dynamic ports was contacted. Instead, the
>entire protocol for licensing looks like it happens over port 445.
>
> Can someone confirm for me: are all RPC services runnable through port
> 445 directly, without contacting the dynamic RPC port? Or did
> Microsoft implement something extra just for terminal services licensing
> that allows it to work over port 445?
>
> --
> Will
>
>
> "Will" <westes-usc@noemail.nospam> wrote in message
> news:YLWdndvRBbJ0Pg7VnZ2dnUVZ_uLinZ2d@giganews.com...
>> Reducing the RPC range still leaves a range. It is really just like
>> having no security at all since any application that is RPC based can
>> still run through that range.
>>
>> With many applications, Microsoft thoughtfully provides a registry key
>> that lets you fix the RPC application service to a fixed port. That's
>> very firewall friendly and works great. I was really hoping that the
>> terminal server licensing might provide something similar (perhaps not
>> well documented). I wish Microsoft would offer such an option on every
>> single service it publishes by RPC, as a matter of a design requirement.
>> It would make securing these boxes so much easier.
>>
>> Whether you use IPSec, or a regular firewall, the point is that any
>> server that needs even one RPC service on the target server would need to
>> be given access to the range of RPC ports, which really isn't security.
>> What we do with domain controllers behind firewalls, which works great,
>> is to fix three specific RPC services to fixed ports, and then we lock
>> the firewall to access only RPC 135 and those three ports. No other
>> ports are allowed. That approach is approaching secure because you can
>> control which N number of RPC services are directly accessed by any host.
>> If some other RPC service starts on the target host, the person who wants
>> access can get its port number through the RPC port 135 mapper, but they
>> cannot get to the actual service through the firewall.
>>
>> I can debug the UUID with a sniffer, and ISA Server has a nice feature
>> that lets you restrict RPC access to a specific UUID. But that's
>> complex and in our experience it can sometimes break the service
>> (apparently the implementation of this idea has some potential bugs or
>> design limitation). It's time consuming to implement and to debug as
>> well.
>>
>> --
>> Will
>>
>>
>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in
>> message news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...
>>> This should help you with Q1. It's not as simple as a registry
>>> key, though.
>>>
>>> How to configure RPC to use certain ports and how to help secure
>>> those ports by using IPsec
>>> http://support.microsoft.com/kb/908472/en-us
>>>
>>> _________________________________________________________
>>> Vera Noest
>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>> TS troubleshooting: http://ts.veranoest.net
>>> *----------- Please reply in newsgroup -------------*
>>>
>>> "Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:
>>>
>>>> According to Microsoft documentation, Terminal Server Licensing
>>>> servers use RPC port 135 and a dynamic port over 1024.
>>>> Regarding the dynamic port, can someone tell me:
>>>>
>>>> 1) Is there a registry option we can use to place the dynamic
>>>> port on a specific fixed TCP port? If yes, what are the
>>>> details of that?
>>>>
>>>> 2) Is anyone here technical enough with the terminal server
>>>> licensing protocol that they can tell me the UUID of the
>>>> requested service associated with the dynamic port?

 

Will

We are in per device mode since more than one user shares the same
terminals.

I guess my general question though wasn't
terminal-server-licensing-specific. Is someone able to run *all* RPC
services through port 445? Or are the interfaces being accessed through
445 completely independent of the ones through a normal RPC (port 135 +
dynamic port)?

--
Will

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
news:OAP1FDL9IHA.3612@TK2MSFTNGP04.phx.gbl...
> Are you in per user or per device mode? That may make a difference since
> per user doesn't actually do anything while per device actually returns
> information.
>
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
>
> "Will" <westes-usc@noemail.nospam> wrote in message
> news:9pidnRdYQZfFTg7VnZ2dnUVZ_iydnZ2d@giganews.com...
>>I traced a terminal server against the terminal server licensing, and to
>>my surprise none of the RPC dynamic ports was contacted. Instead, the
>>entire protocol for licensing looks like it happens over port 445.
>>
>> Can someone confirm for me: are all RPC services runnable through port
>> 445 directly, without contacting the dynamic RPC port? Or did
>> Microsoft implement something extra just for terminal services licensing
>> that allows it to work over port 445?
>>
>> --
>> Will
>>
>>
>> "Will" <westes-usc@noemail.nospam> wrote in message
>> news:YLWdndvRBbJ0Pg7VnZ2dnUVZ_uLinZ2d@giganews.com...
>>> Reducing the RPC range still leaves a range. It is really just like
>>> having no security at all since any application that is RPC based can
>>> still run through that range.
>>>
>>> With many applications, Microsoft thoughtfully provides a registry key
>>> that lets you fix the RPC application service to a fixed port. That's
>>> very firewall friendly and works great. I was really hoping that the
>>> terminal server licensing might provide something similar (perhaps not
>>> well documented). I wish Microsoft would offer such an option on
>>> every single service it publishes by RPC, as a matter of a design
>>> requirement. It would make securing these boxes so much easier.
>>>
>>> Whether you use IPSec, or a regular firewall, the point is that any
>>> server that needs even one RPC service on the target server would need
>>> to be given access to the range of RPC ports, which really isn't
>>> security. What we do with domain controllers behind firewalls, which
>>> works great, is to fix three specific RPC services to fixed ports, and
>>> then we lock the firewall to access only RPC 135 and those three ports.
>>> No other ports are allowed. That approach is approaching secure because
>>> you can control which N number of RPC services are directly accessed by
>>> any host. If some other RPC service starts on the target host, the
>>> person who wants access can get its port number through the RPC port 135
>>> mapper, but they cannot get to the actual service through the firewall.
>>>
>>> I can debug the UUID with a sniffer, and ISA Server has a nice feature
>>> that lets you restrict RPC access to a specific UUID. But that's
>>> complex and in our experience it can sometimes break the service
>>> (apparently the implementation of this idea has some potential bugs or
>>> design limitation). It's time consuming to implement and to debug as
>>> well.
>>>
>>> --
>>> Will
>>>
>>>
>>> "Vera Noest [MVP]" <Vera.Noest@remove-this.hem.utfors.se> wrote in
>>> message news:Xns9AED6D868DE57veranoesthemutforsse@207.46.248.16...
>>>> This should help you with Q1. It's not as simple as a registry
>>>> key, though.
>>>>
>>>> How to configure RPC to use certain ports and how to help secure
>>>> those ports by using IPsec
>>>> http://support.microsoft.com/kb/908472/en-us
>>>>
>>>> _________________________________________________________
>>>> Vera Noest
>>>> MCSE, CCEA, Microsoft MVP - Terminal Server
>>>> TS troubleshooting: http://ts.veranoest.net
>>>> *----------- Please reply in newsgroup -------------*
>>>>
>>>> "Will" <westes-usc@noemail.nospam> wrote on 01 aug 2008:
>>>>
>>>>> According to Microsoft documentation, Terminal Server Licensing
>>>>> servers use RPC port 135 and a dynamic port over 1024.
>>>>> Regarding the dynamic port, can someone tell me:
>>>>>
>>>>> 1) Is there a registry option we can use to place the dynamic
>>>>> port on a specific fixed TCP port? If yes, what are the
>>>>> details of that?
>>>>>
>>>>> 2) Is anyone here technical enough with the terminal server
>>>>> licensing protocol that they can tell me the UUID of the
>>>>> requested service associated with the dynamic port?

 
