
After adding the Remote Desktop Session Host role to a server, the following firewall rules get created and are enabled by default.

Name                                 Group                Profile    Enabled    Action    Override    Program                              Local Address    Remote Address    Protocol    Local Port             Remote Port   Allowed Users    Allowed Computers    
Terminal Services - WMI (DCOM-In)    Terminal Services    All        Yes        Allow     No          %systemroot%\system32\svchost.exe    Any              Any               TCP         135                    Any           Any              Any    
Terminal Services - WMI (TCP-In)     Terminal Services    All        Yes        Allow     No          %systemroot%\system32\svchost.exe    Any              Any               TCP         RPC Dynamic Ports      Any           Any              Any    
Terminal Services (NP-In)            Terminal Services    All        Yes        Allow     No          System                               Any              Any               TCP         445                    Any           Any              Any    
Terminal Services (RPC)              Terminal Services    All        Yes        Allow     No          %systemroot%\system32\svchost.exe    Any              Any               TCP         RPC Dynamic Ports      Any           Any              Any    
Terminal Services (RPC-EPMAP)        Terminal Services    All        Yes        Allow     No          %systemroot%\system32\svchost.exe    Any              Any               TCP         RPC Endpoint Mapper    Any           Any              Any    

What is Terminal Services doing that it requires WMI, RPC, and NetBIOS to be enabled?

Scott Chamberlain
  • Back door for Microsoft and the FBI, clearly. With port 445 open, all your file shares are accessible from the Internet. Just more "License server" garbage. Even a zero-day vulnerability in June 2012: http://randomoracle.wordpress.com/2012/06/05/economics-and-incentives-terminal-services-licensing-vulnerability/ "Confronted with the risk of getting the enterprise 0wned, the prudent CSO would opt for paying more for software upfront, instead of worrying about one more useless component that creates additional opportunities for attack without any redeeming value– if they had the choice." – Triynko Sep 24 '12 at 21:54

1 Answer

Based on a cursory Google search, it looks like it's related to communication with a RDS License server and for remote management of the RDS role.

joeqwerty
  • Can you link to the pages that told you that? – Scott Chamberlain Jun 06 '12 at 19:24
  • Following are the Google search results. I only took a cursory glance and didn't do any exhaustive research or testing, so it probably needs further research: https://www.google.com/#hl=en&sclient=psy-ab&q=remote+desktop+services+firewall+ports&oq=remote+desktop+services+firewall+ports&aq=f&aqi=g1g-mK2g-bK1&aql=&gs_l=hp.3..0j0i5i30l2j0i8i30.1022.10172.0.10573.38.25.0.13.13.0.363.4725.11j2j6j6.25.0...0.0.N06c67PFOC4&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.,cf.osb&fp=5652d56970376984&biw=1920&bih=911 – joeqwerty Jun 06 '12 at 20:09
  • So why are *inbound* ports enabled when you install the *session host* role? I could understand installing it if you install the license server, but not session host. – Scott Chamberlain Jun 06 '12 at 20:16
  • I'm not sure but it probably warrants additional investigation. Maybe I should have posted a comment rather than an answer since my answer is really more akin to "It might be this" rather than "This is it". – joeqwerty Jun 06 '12 at 20:18
  • I just discovered this today. I'm not happy that port 445 (file sharing) is left wide open to the internet by that terminal services firewall exception. I'm about to disable all exceptions whose name starts with "Terminal Services", because frankly the only port related to it that I expected to be open was the default remote desktop port, and I don't even use the default port (why would they ever recommend using the default port?). It looks to me like some kind of intentional "back door" access. I'm >< that close to ditching Windows Server because of this. – Triynko Sep 24 '12 at 21:47
  • Not to mention, it sidesteps all that bull in Network and Sharing Center. It's like... you disable every option under "Sharing and Discovery", including File Sharing and Password Protected Sharing... and SURPRISE!!! all your stuff is still shared and accessible because of those Terminal Services firewall exceptions. Mindblowingly unacceptable. – Triynko Sep 24 '12 at 21:50
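As an added example that is not from the question or the answer above, the following PowerShell audits the "Terminal Services" rule group the question lists (program, local port, remote scope per rule) and then narrows any rule still open to "Any" remote address down to a management subnet, which addresses the port 445 exposure the comments describe. It assumes the NetSecurity cmdlets (Windows Server 2012 or later); 10.0.0.0/24 is a placeholder management subnet.

```powershell
# Added example, not part of the original thread. Assumes the NetSecurity module
# (Windows Server 2012+). 10.0.0.0/24 is a placeholder management subnet.
$mgmtSubnet = '10.0.0.0/24'

# Every enabled rule in the group the RDS Session Host role created
$rules = Get-NetFirewallRule -DisplayGroup 'Terminal Services' -Enabled True

# Show what each rule actually exposes: program, local port, allowed remote addresses
foreach ($rule in $rules) {
    $app  = ($rule | Get-NetFirewallApplicationFilter).Program
    $port = ($rule | Get-NetFirewallPortFilter).LocalPort
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    '{0,-38} {1,-36} port={2,-20} remote={3}' -f $rule.DisplayName, $app, ($port -join ','), ($addr -join ',')
}

# A rule whose RemoteAddress is still "Any" is reachable on every interface, including
# the Internet if the host has a public address. Narrow those to the management subnet
# (or pipe them to Disable-NetFirewallRule if no remote management is needed at all).
# Note the NP-In rule on TCP 445 allows SMB regardless of the File and Printer Sharing
# settings, which is why sharing appears "off" yet the port is still open.
$rules | Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -contains 'Any' } |
    Set-NetFirewallAddressFilter -RemoteAddress $mgmtSubnet

# Equivalent on Windows Server 2008 R2, which has no NetSecurity cmdlets:
#   netsh advfirewall firewall set rule group="Terminal Services" new remoteip=10.0.0.0/24
```

Re-run the audit loop afterwards to confirm every rule's remote scope reads 10.0.0.0/24 rather than Any.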