Dynamic port assignment for remote procedure call (RPC) is used by remote administration applications such as Dynamic Host Configuration Protocol (DHCP) Manager, Windows Internet Name Service (WINS) Manager, and many others. With dynamic assignment, the RPC runtime picks an unused port above 1024 for each server endpoint instead of a fixed one; a client first contacts the RPC endpoint mapper on TCP port 135 to learn which port a given service is listening on, then connects to that port.
Customers who use firewalls may want to control which ports RPC uses, so that the firewall or router can be configured to forward only those TCP (Transmission Control Protocol) ports.
Many server and remote management applications rely on dynamic RPC port assignment. Because the ports are chosen at runtime, it is important to confine them to a known range, so that administrators can be sure the firewall does not block them. When selecting a range for the dynamic RPC ports, make sure it does not overlap ports already used by Windows or other Microsoft products, and make it large enough: Microsoft recommends a minimum of 100 ports. On Windows Vista, Windows Server 2008 and later, the default dynamic range is 49152 through 65535; earlier versions used 1025 through 5000.
Add a Group Policy firewall rule that allows traffic to the dynamic RPC ports.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security – LDAP > Inbound Rules.
- Right-click and select New Rule.
- Select Custom and click Next.
- Select All programs and click Next.
- Select TCP as the protocol type.
- For the local port, select RPC Dynamic Ports and click Next. (The endpoint mapper on TCP 135 is not covered by this option; it needs its own inbound rule with RPC Endpoint Mapper as the local port.)
- Under remote IP addresses, choose These IP addresses, add the IP address of the scanning node, and click Next.
- Select Allow the connection and click Next.
- Check the profiles (Domain, Private, Public) to which the rule should apply and click Next.
- Enter Radar RPC Dynamic Ports as the name and click Finish.
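The same two rules can be created from PowerShell with the NetSecurity module instead of the GPMC wizard. The following is an added example, not code from the original article; the scanner address 10.0.0.50 is a placeholder, and the rule names mirror the one used above.

```powershell
# Added example (not part of the original article): create the inbound rules a
# scanner needs to reach WMI over RPC on this host. 10.0.0.50 is an assumed
# placeholder for the scanning node.
$ScannerIp = '10.0.0.50'

# Rule 1: the RPC endpoint mapper on TCP 135, which every RPC client contacts
# first to discover the dynamic port of the service it wants.
New-NetFirewallRule -DisplayName 'Radar RPC Endpoint Mapper' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort RPCEPMap -RemoteAddress $ScannerIp -Profile Domain

# Rule 2: the dynamic RPC ports. 'RPC' is a keyword the firewall resolves at
# runtime to the ports RPC servers are actually using, so the rule does not
# hard-code numbers and stays correct if the range is narrowed later.
New-NetFirewallRule -DisplayName 'Radar RPC Dynamic Ports' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort RPC -RemoteAddress $ScannerIp -Profile Domain

# To write the rules into a GPO instead of the local policy, add
#   -PolicyStore 'contoso.com\Scanner Firewall'   (assumed domain and GPO name)
# to each New-NetFirewallRule call.

# Review what was written: RemoteAddress must list only the scanner, otherwise
# the rule exposes the whole RPC surface to the network.
Get-NetFirewallRule -DisplayName 'Radar RPC*' |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

Scoping the rule to the scanner's address is the part that matters for security: an "RPC Dynamic Ports, any remote address" rule is effectively an allow for every RPC-based service on the host.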
Using the Registry
Type regedit at the Run prompt and press Enter to open the Registry Editor. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc, then:
- Right-click Rpc, create a new key named Internet, and add the following values inside it:
- Name: Ports | Type: Multi-String Value (REG_MULTI_SZ) | Data: one port or range per line, for example 5000-5100
- Name: PortsInternetAvailable | Type: String Value (REG_SZ) | Data: Y
- Name: UseInternetPorts | Type: String Value (REG_SZ) | Data: Y
Restart the machine so that the RPC runtime picks up the new range. Note that this key constrains only ports handed out by the RPC runtime; the general ephemeral port range that Windows uses for other TCP sockets is a separate setting (netsh int ipv4 set dynamicport).
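The same configuration scripted, with the checks an administrator would want before committing to a range: that it is large enough, that nothing is already listening inside it, and that it does not overlap a port-exclusion range reserved by Windows. This is an added example, not the article's own procedure; the range 5000-5100 is an assumption.

```powershell
# Added example (not from the original article): pin the RPC dynamic range via
# HKLM\SOFTWARE\Microsoft\Rpc\Internet after validating the chosen range.
# 5000-5100 is an assumed placeholder; pick a range your environment does not use.
$RangeStart = 5000
$RangeEnd   = 5100
$Key        = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# Must sit above the well-known ports and hold at least the 100 ports Microsoft recommends.
$size = $RangeEnd - $RangeStart + 1
if ($RangeStart -le 1024 -or $RangeEnd -gt 65535 -or $size -lt 100) {
    throw "Range $RangeStart-$RangeEnd is invalid or smaller than 100 ports."
}

# Refuse a range that something on this host already listens in.
$inUse = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -ge $RangeStart -and $_.LocalPort -le $RangeEnd }
if ($inUse) {
    throw "Ports already listening inside the range: $(($inUse.LocalPort | Sort-Object -Unique) -join ', ')"
}

# Refuse a range that overlaps a TCP port exclusion (Hyper-V, WinNAT and others
# reserve blocks that the stack will not hand out). Lines of interest look like
# "      5357        5357" or "     49852       49951     *".
$excluded = (netsh interface ipv4 show excludedportrange protocol=tcp) -match '^\s*\d+\s+\d+'
foreach ($line in $excluded) {
    $s, $e = ($line.Trim() -split '\s+')[0, 1] | ForEach-Object { [int]$_ }
    if ($s -le $RangeEnd -and $e -ge $RangeStart) {
        throw "Range $RangeStart-$RangeEnd overlaps excluded range $s-$e."
    }
}

# Write the three documented values: Ports is REG_MULTI_SZ, the other two REG_SZ 'Y'.
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name 'Ports'                  -Value @("$RangeStart-$RangeEnd") -Type MultiString
Set-ItemProperty -Path $Key -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $Key -Name 'UseInternetPorts'       -Value 'Y' -Type String

# Show the result; a reboot is required before the RPC runtime uses the new range.
Get-ItemProperty -Path $Key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```

The overlap checks are the reason to script this rather than click through regedit: a range that collides with an existing listener or a reserved block causes intermittent RPC endpoint registration failures that are hard to trace back to this key.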
The best way to validate the change is to capture traffic with a sniffer while making a remote WMI call (WMI uses RPC/DCOM) from PowerShell:
Prepare a test machine and a second machine, and make sure the second machine can reach the test machine on the configured port range and on TCP 135 (the RPC endpoint mapper).
Install Network Monitor (or another sniffer, such as Wireshark) on one of the computers and capture RPC traffic.
Run the following PowerShell command from the second machine. Get-WmiObject always uses DCOM, that is RPC over TCP; Get-CimInstance defaults to WinRM on TCP 5985 and would not exercise the RPC ports at all unless given a DCOM session option.
Get-WmiObject -Class Win32_OperatingSystem -ComputerName TEST
Confirm that the call succeeds (no errors) and that the captured RPC traffic, apart from the initial exchange on port 135, uses only ports within the range configured earlier.
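The check can also be made without a sniffer, by keeping an RPC/DCOM session open and reading the client's own TCP connection table while it is connected. This is an added example, not part of the original article; TEST and the range 5000-5100 are placeholders.

```powershell
# Added example (not from the original article): make a DCOM/RPC call to the
# test host and verify the server-side port fell inside the configured range by
# inspecting this client's established connections. 'TEST' and 5000-5100 are
# assumed placeholders.
$Target = 'TEST'
$RangeStart, $RangeEnd = 5000, 5100

# Force DCOM: a default CimSession would use WinRM (TCP 5985) and never touch RPC.
$opt  = New-CimSessionOption -Protocol Dcom
$sess = New-CimSession -ComputerName $Target -SessionOption $opt
$os   = Get-CimInstance -CimSession $sess -ClassName Win32_OperatingSystem
"$Target reports $($os.Caption) build $($os.BuildNumber)"

# While the session is open, the client holds an established TCP connection to
# the dynamic port the endpoint mapper handed out. Resolve the target's IPv4
# address and list those connections, ignoring the endpoint mapper itself (135).
$ip = [System.Net.Dns]::GetHostAddresses($Target) |
    Where-Object AddressFamily -eq 'InterNetwork' |
    Select-Object -First 1 -ExpandProperty IPAddressToString

$conns = Get-NetTCPConnection -RemoteAddress $ip -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -ne 135 }

if (-not $conns) {
    Write-Warning "No established connection to $ip other than port 135 was found; the call may have completed over an already-open session."
}
foreach ($c in $conns) {
    $inRange = $c.RemotePort -ge $RangeStart -and $c.RemotePort -le $RangeEnd
    '{0}:{1}  {2}' -f $ip, $c.RemotePort, $(if ($inRange) { 'in configured range' } else { 'OUTSIDE configured range' })
}

Remove-CimSession $sess
```

A port reported as outside the range usually means the test host has not been rebooted since the registry change, or that the service in question registered a fixed endpoint of its own rather than asking the RPC runtime for a dynamic one.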