Remember our DNS security issue from yesterday? One clarification that I need to make is that while port 4125 is “open” in that range from 1000-5000, it’s not “listening”. Port 4125 has to be open in your routers, but on the server it’s not really open, and it doesn’t do its validation/hand-off process until after you log onto the Remote Web Workplace portal. So you need to be authenticated on the system, and only after that does the port start to listen and process RPC requests.
Dr. J blogs about how to do it on a bunch of machines, but on single ones it’s a quick reg edit.
On the Start menu click ‘Run’, type ‘Regedit’ and then press Enter.
Navigate to the following registry location:
On the ‘Edit’ menu select ‘New’ and then click ‘DWORD Value’.
Where ‘New Value #1’ is highlighted, type ‘RpcProtocol’ for the name of the value and then press Enter.
Double-click the newly created value and change the value’s data to ‘4’ (without the quotes).
Restart the DNS service for the change to take effect.
Obviously, stopping it and starting it again is enough.
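For anyone who would rather script the reg edit above on one server than click through Regedit, here is the same change as a PowerShell script. This is an added example, not something from the original post: it creates (or updates) the RpcProtocol DWORD, sets it to 4, restarts the DNS service, and then reads the value back to confirm it stuck. One assumption is flagged in the code: the post does not print the registry path, so the path used here is the DNS service’s Parameters key as given in Microsoft’s advisory for this issue; confirm it against the advisory before you run this. The final netstat line is just a quick check of the point made in the first paragraph, that port 4125 should not be listening before anyone logs on to Remote Web Workplace.

```powershell
# Added example (not from the original post): apply and verify the RpcProtocol
# mitigation on a single DNS server, then restart the service.
# ASSUMPTION: the post leaves the registry path out. The path below is the DNS
# service's Parameters key as given in Microsoft's advisory for this issue;
# confirm it against the advisory before running. Run from an elevated prompt.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'   # assumed, see above
$ValueName = 'RpcProtocol'
$Wanted    = 4    # the value the post tells you to enter

function Get-RpcProtocol {
    # Returns the current RpcProtocol value, or $null if it has never been set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-RpcProtocol {
    param([int]$Value)
    if (-not (Test-Path $KeyPath)) {
        throw "Registry key $KeyPath not found; is the DNS Server role installed on this box?"
    }
    # New-ItemProperty creates the DWORD if it is missing (steps 3 and 4 above);
    # Set-ItemProperty changes the data on an existing value (step 5).
    if ($null -eq (Get-RpcProtocol)) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value
    }
}

$before = Get-RpcProtocol
Write-Host ("RpcProtocol before: " + $(if ($null -eq $before) { '<not set>' } else { $before }))

Set-RpcProtocol -Value $Wanted

# The change only takes effect after the DNS service restarts (last step above).
# Restart-Service stops and starts the 'DNS' (DNS Server) service in one go.
Restart-Service -Name DNS -Force

$after = Get-RpcProtocol
if ($after -ne $Wanted) {
    throw "RpcProtocol is '$after', expected $Wanted; the change did not apply"
}
Write-Host ("RpcProtocol after: $after; DNS service status: " + (Get-Service -Name DNS).Status)

# Quick check of the first paragraph's point: before anyone has logged on to
# Remote Web Workplace, nothing should be LISTENING on TCP 4125. An empty result
# here is the expected (good) outcome.
netstat -ano | Select-String -Pattern ':4125\s+\S+\s+LISTENING'
```

Run it once on a test box first, the same way the post describes letting the change “cook” on one domain controller; if the final check prints a LISTENING line for 4125 while nobody is logged on, that is worth looking into before rolling the change out further.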
Am I seeing a lot of chatter about this one? Not a lot yet. SANS had the initial report, and it looks like it’s in “targeted attack” mode, not a wormy thing… yet… Do I feel that, because RPC (Remote Procedure Call) traffic more often than not enters our network over authenticated connections, the risk of this one is lower than it was with Slammer and Blaster? Do I not see this up on Metasploit at this time, so that what I’m doing now is testing this out on a single machine to see the impact? Yes, that is what I’m doing. We’re in “test mitigation and respond accordingly” mode right now.
I’m not ready to recommend shooting this out just yet until I make sure all is well. I’m letting it “cook” a bit on this Domain controller to ensure there are no “gotchas”.