Securing RPC/ActiveX/DCOM

Question 1

What is RPC?

Answer 1

Remote Procedure Call, a mechanism for client-server communication since 1993.

Question 2

What are the two RPC variants?

Answer 2

DCE RPC (Windows) and ONC RPC (Sun RPC).

Question 3

Which RPC does Windows use?

Answer 3

DCE RPC.

Question 4

What is DCE RPC used for?

Answer 4

Communication in DCOM and ActiveX applications.

Question 5

What is the first RPC vulnerability?

Answer 5

Malformed Security Identifier Request, causing LSA to hang.

Question 6

What is the LsaLookupSids API issue?

Answer 6

Forwards malformed data over RPC, leading to system hang.

Question 7

What is MS99-057?

Answer 7

Bulletin for Malformed Security Identifier Request patch, December 1999.

Question 8

What does the MS99-057 vulnerability cause?

Answer 8

Windows NT 4.0 stops responding to service requests.

Question 9

What is the second RPC attack?

Answer 9

Sending garbage to port 135, causing 100% CPU usage.

Question 10

Which systems are affected by the port 135 attack?

Answer 10

Windows NT 3.51 and 4.0.

Question 11

How is the port 135 attack executed?

Answer 11

Via a Telnet client, triggering a denial of service.

Question 12

What is the third RPC vulnerability?

Answer 12

Malformed RPC requests causing service failure.

Question 13

Which servers are affected by malformed RPC requests?

Answer 13

MS Exchange Server 5.0 and SQL Server.

Question 14

What is the impact of the third RPC vulnerability?

Answer 14

System failure requiring a reboot.

Question 15

How can a firewall mitigate RPC vulnerabilities?

Answer 15

Block RPC services except for trusted users.

Question 16

What is the fourth RPC vulnerability?

Answer 16

Malformed RPC Request causing service failure (MS01-041, July 2001).

Question 17

What causes the fourth RPC vulnerability?

Answer 17

RPC server stubs not validating requests before passing to services.

Question 18

How does RPC function?

Answer 18

Client sends function calls to server via RPC runtime.

Question 19

What is LRPC?

Answer 19

Local RPC, used by some Windows applications.

Question 20

What components make up an RPC app?

Answer 20

Client code, server code, IDL file, optional ACF file.

Question 21

What is an IDL file?

Answer 21

Interface Definition Language file for RPC interfaces.

Question 22

What is an ACF file?

Answer 22

Application Configuration File, optional for RPC apps.

Question 23

Is RPC stateless?

Answer 23

Yes, it doesn’t maintain client data between calls.

Question 24

What are context handles in RPC?

Answer 24

Opaque data structures for maintaining state between client calls.

Question 25

What is a DoS threat in RPC?

Answer 25

Sending malformed data to an RPC endpoint.

Question 26

What is an information disclosure threat in RPC?

Answer 26

Unprotected data sniffed during client-server communication.

Question 27

What is a data-tampering threat in RPC?

Answer 27

Intercepting and modifying unprotected data on-the-wire.

Question 28

What is the robust MIDL switch?

Answer 28

Adds runtime checking to RPC server data marshalling.

Question 29

From which Windows version does robust MIDL work?

Answer 29

Windows 2000 and later.

Question 30

What is the [range] attribute in IDL?

Answer 30

Limits parameter values to prevent out-of-bounds errors.

Question 31

How does [range] reduce RPC risks?

Answer 31

Prevents attackers from setting invalid data sizes.

Question 32

Why require client authentication in RPC?

Answer 32

Deters attackers by requiring identity disclosure.

Question 33

What function sets client authentication?

Answer 33

RpcBindingSetAuthInfo for authentication and privacy.

Question 34

What does the RPC server check?

Answer 34

Client’s security settings to ensure they meet requirements.

Question 35

What is the performance impact of RPC authentication?

Answer 35

Approximately 10% degradation.

Question 36

What is RPCSvc?

Answer 36

A sample app in MS Platform SDK to test RPC performance.

Question 37

What is DCOM?

Answer 37

A wrapper over RPC for network-based COM communication.

Question 38

How is DCOM configured?

Answer 38

Via Dcomcnfg.exe or registry editing.

Question 39

What is Dcomcnfg.exe?

Answer 39

Tool to configure DCOM settings in Component Services.

Question 40

Where are DCOM settings stored?

Answer 40

HKLM\Software\Classes\AppId in the registry.

Question 41

What are DCOM launch permissions?

Answer 41

Define who can start a DCOM application.

Question 42

What are DCOM access permissions?

Answer 42

Control who can access DCOM objects.

Question 43

What is the safest DCOM user context?

Answer 43

Run as a specific non-privileged user.

Question 44

Why is Interactive User dangerous?

Answer 44

Vulnerable to privilege-escalation attacks.

Question 45

Why is Local System Account risky?

Answer 45

Most powerful account, dangerous if compromised.

Question 46

What is a safer DCOM impersonation level?

Answer 46

Identify, limiting privilege escalation risks.

Question 47

What are LocalService and NetworkService?

Answer 47

Low-privilege accounts for DCOM execution.

Question 48

What are ActiveX controls?

Answer 48

Executable programs, often COM-based, used in apps or browsers.

Question 49

What does code signing ensure for ActiveX?

Answer 49

Verifies author identity and code integrity.

Question 50

Why are ActiveX controls risky?

Answer 50

Vulnerabilities can be exploited, even in legitimate controls.

Question 51

What exacerbates ActiveX vulnerabilities?

Answer 51

Lack of user warnings when invoked by HTML or email.

Question 52

Why aren’t ActiveX controls inherently hostile?

Answer 52

Hackers repurpose legitimate controls via vulnerabilities.

Question 53

What is safe initialization in ActiveX?

Answer 53

Ensuring controls don’t execute unsafe actions on startup.

Question 54

What is safe scripting in ActiveX?

Answer 54

Preventing scripts from triggering dangerous control functions.

Question 55

How to determine ActiveX safety?

Answer 55

Check if it accesses, discloses, modifies, or crashes systems.

Question 56

What is an unsafe ActiveX function?

Answer 56

Accessing local files, registry, or private data.

Question 57

Why not mark ActiveX as safe by default?

Answer 57

Prevents enabling potentially unsafe functionality.

Question 58

What is the benefit of non-privileged DCOM users?

Answer 58

Reduces hacker interest in compromising the account.

Question 59

Why block RPC services in firewalls?

Answer 59

Limits exposure to untrusted internet users.

Question 60

What is the role of RPC server stubs?

Answer 60

Validate and pass client requests to services.