The Risks of DCE/RPC Service Enumeration

The Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) protocol was established as a method to allow distributed software to run as if it were all working on the same system. One of the functions of DCE/RPC is service enumeration, the ability of a client system to get information about all the services running on a server. As with most useful network tools, this ability to enumerate services on a server can hand an attacker a great deal of information about the server and its services if proper restrictions are not put in place.

The biggest risk of allowing DCE/RPC is information leakage. An attacker querying systems using DCE/RPC can gain vital information about the services running on the servers. This can provide the attacker with knowledge of potentially vulnerable services that can be exploited in a variety of ways. This trove of information greatly increases the attack surface of the network. In addition, since DCE/RPC is considered normal network communications, attackers using it to query systems may not be readily identified by network monitoring and protection systems.

To mitigate these risks, network administrators should consider whether DCE/RPC is absolutely necessary in the environment. If not, disabling it and blocking all associated ports with firewalls and ACLs is the best defense. If it is necessary, DCE/RPC should only be allowed between the internal systems that use the service. Incoming DCE/RPC queries from the Internet should be blocked entirely at the perimeter firewall, with no exceptions. Further, ACLs should be put in place to ensure that only the specific systems that need to query servers are allowed to do so. This limits the systems that can use the protocol to perform service enumeration and greatly reduces the ability of a threat actor on the network to gain information using DCE/RPC.
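As an added example (not part of the original article), the following Python audit applies the allowlist policy above to constructed connection records: it assumes the DCE/RPC endpoint mapper's well-known TCP port 135, a hypothetical set of RPC servers and permitted client hosts, and a hypothetical internal address range, and flags queries from the Internet, from internal hosts that are not on the allowlist, and to hosts that should not be serving DCE/RPC at all.

```python
"""Audit connection records against a DCE/RPC allowlist policy.

Added example, not the article's own code. Record format 'src,dst,dport,proto'
is constructed; the addresses and allowlist below are hypothetical.
"""
import ipaddress

EPMAP_PORT = 135  # well-known DCE/RPC endpoint mapper port (TCP)

# Hypothetical policy: only ALLOWED_CLIENTS may query RPC_SERVERS.
RPC_SERVERS = {ipaddress.ip_address("10.0.0.5")}
ALLOWED_CLIENTS = {ipaddress.ip_address("10.0.0.10"),
                   ipaddress.ip_address("10.0.0.11")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec):
    """Return a verdict for one connection record (a dict)."""
    if rec["proto"] != "tcp" or int(rec["dport"]) != EPMAP_PORT:
        return "not-rpc"                 # not an endpoint-mapper query
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if not is_internal(src):
        return "external-source"         # must be dropped at the perimeter
    if dst not in RPC_SERVERS:
        return "unexpected-server"       # DCE/RPC exposed where it should be disabled
    if src not in ALLOWED_CLIENTS:
        return "unauthorized-client"     # internal host outside the ACL
    return "allowed"


def parse_line(line):
    src, dst, dport, proto = line.strip().split(",")
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


# Constructed sample records: one allowed query, one from the Internet,
# one from a non-allowlisted internal host, one to a non-RPC host, one non-RPC flow.
SAMPLE_LOG = """\
10.0.0.10,10.0.0.5,135,tcp
203.0.113.7,10.0.0.5,135,tcp
10.0.0.99,10.0.0.5,135,tcp
10.0.0.10,10.0.0.77,135,tcp
10.0.0.10,10.0.0.5,443,tcp
"""


def audit(log_text):
    """Group source addresses by verdict; anything but 'allowed' is a finding."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            findings.setdefault(classify(rec), []).append(rec["src"])
    return findings


if __name__ == "__main__":
    for verdict, sources in audit(SAMPLE_LOG).items():
        print(f"{verdict}: {sources}")
```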