ZOMG VIRUS

[sobrique]

We've just had an edict that a particular server we've got is generating a lot of network traffic, and therefore it's been firewalled and we've got to scan it for the latest virus that's doing the rounds.

Unfortuately, it's one of our domain controllers. So, really not all that suprising that got a lot of traffic on 'windows RPC' ports, to lots and lots of hosts.

Sometimes I despair.

And then I remember that I'm just a humble Unix admin, and therefore it's officially NMFP. (*smug mode*)

Comments

[warmage.livejournal.com]

RPC ports with traffic.
/rolleye...

The mere fact that the ports were available is damning enough. I have worked in one place where I would have lost my job for letting that slip by me.

I can just hear the excuses now: "Oh we have to have the RPC ports open, because, um, er...(wait what is RPC for again?...oh, right!) So that SOAP can run, it uses RPC calls! (doesn't it?)"

Yeah... Mr. '44 needs to have a chat with you, sonny. Check into the small brick closet in the basement and he'll be with you shortly.

[spodula.livejournal.com]

You do realise that you cant actually do anything useful with active directory (Such as replication, adding a machine to a domain) unless RPC is available dont you?

Of course it can be argued that you cant do much useful with active directory anyway, but I'm not really qualified to judge that.

[warmage.livejournal.com]

Yes, I do realize that but IMHO, RPC need not be bound to the same network device as a webserver or practically any other outward-facing process. I'm a big fan of multi-home on any bastion server.

[warmage.livejournal.com]

Crap, I found the error in my thinking. For some reason I read "domain controller" and my mind heard "webserver."

You're right. Can't do jack on the inside without RPC, rendering my original comment null and void. How embarrassing!!

So that changes the complexion of the issue quite a bit and makes me wonder just how the hell a virus makes it's way to the domain controller without visiting a desktop (and thereby *multiple* desktops) before getting into the DC.

Good catch. Sorry for the improperly focused smarm.

[(Anonymous)]

Good point, however the point about MCSE training applies here.
Most of them dont seem to have a clue about things like selective filtering, Differing IP ranges for differing cards, or my personal favorate, redundant network cards.

However its fair to say, I dont much about these things under Windows either, other than the fact that i assume they can be done, and its probably not beyond the Wit of a normal person to figure it out with the Internet. (EG, I was under the impression forward facing RPC was essential for a DNS controller under AD, however if you say you can get away without it, i will accept that. I know its not nessesary under a real operating system :P )

[warmage.livejournal.com]

Correct, AD does make copious use of the RPC protocol, particularly at a Domain Controller (even though this technically is an Active Directory Provider - the term "Domain Controller" is not used). You are also correct that it can be filtered to prevent tunneling from servers it does not know, both by datagram and by IP.

IANAMCSE, but the ability to filter thusly has been around for several years in Windows - obviously it is typically a function of network design such that this type of traffic is secured with segmentation, subnet masking, and the other techniques as necessary (and is probably typical on a properly built *NIX network, eh?)