What is msrpc needed for on a Windows 7 workstation

windows tcp rpc port-scanning

I just ran an nmap scan against our network, and many Windows 7 machines have several high ports listening with Microsoft Windows RPC. Example:

Port   Serv  Process name
49152, msrpc [wininit.exe]
49153, msrpc [svchost.exe, Eventlog]
49154, msrpc [svchost.exe, Schedule]
49155, msrpc [lsass.exe]
49157, msrpc [services.exe]
49159, msrpc [svchost.exe, PolicyAgent]

For security reasons, I would like to close any listening service that is not needed, or at least block the ports in question using the Windows FW.

I realize that the processes above are system processes that I cannot close, but perhaps there is some configuration that can be done to prevent them from listening?

Lastly, not sure if relevant, but we do not use any domains or Active Directory - only a workgroups against a Samba server.

So, my questions are:

  1. What are the listening services needed for in general?
  2. In my scenario, can I disable them somehow (=make them not listen)?
  3. If #2 is not doable, can I safely block them with the FW?

Thanks.


  • Port 49152 provides the ability to shut the computer down remotely via the shutdown.exe tool. It can be disabled by writing registry DWord HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRemoteShutdownRPCInterface=1
  • Port 49153 allows remote viewing of the Event Log. I don't know how to disable it yet.
  • Port 49154 allows remote viewing and administration of Scheduled Tasks. It can be disabled by writing registry DWord HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\DisableRpcOverTcp=1
  • Port 49155: I'm not sure what it does or how to disable it.
  • Port 49157 allows remote viewing and administration of Local Services. It can be disabled by writing registry DWord HKLM\System\CurrentControlSet\Control\DisableRPCOverTCP=1
  • Port 49159: I have not seen this one on end user computers.

You can disable all the RPC ports by following these steps:

  1. Make sure you have disabled all the disableable RPCs listed above.
  2. Delete HKLM\Software\Microsoft\Rpc\Internet
  3. Write HKLM\Software\Microsoft\Rpc\Internet\UseInternetPorts="N"

Unfortunately, completely disabling the RPC ports breaks the Print Spooler in Windows 8 and later. To re-enable, just repeat step 2 above.


A variety of Windows services listen on dynamic RPC ports, like you found out. These usually correspond to services in the Services list. However, some of them are services you really don't want to turn off. When that happens, you need to use the build in Windows firewall to prevent access. They're still listening, but nothing can get at them, which allows them to pass network audits.

The MS Dynamic RPC range did change as of Vista, to 49152-65535. You can even adjust the range if you need to:

netsh int ipv4 set dynamic tcp start=49152 number=50  # yields a range of 49152-49202

Related

Do you need a GC online to DCPromo?
Microsoft Exchange Add-in is causing 'form region could not be opened'
Upgrade issue from Debian Server Squeeze 6 to Wheezy 7 - still on kernel 2.6
chown with numeric arguments
Active directory rename - root to sub domain
Setup NTP on Debian
How to install SOAP extension on PHP-FPM 5.5.6 - dependency issue
Can't seem to run Apache 2.2 on Ubuntu 10.10 (Maverick Meerkat)
Radeon HD 3670 on Dell XPS16 laptop. Are 3 monitors possible?
Outdoor WiFi mesh topology vs. repeaters
How can I install gcj on Linux?
Unsupported Firefox addon