RPC Endpoint Mapper Client Authentication uses NTLM

justdoit1531 0 Reputation points
2023-10-23T10:06:19.21+00:00

Introduction

The main goal is to secure existing Windows 10 clients. While working through hardening recommendations for secure OS configuration, for example from CIS and Microsoft, I discovered a potentially misleading dependency between NTLM and RPC.


How it happened

On Windows 10 clients, in Computer Management (local Administrators group), the domain members contained therein were only shown by their SID. Long story short, the actual name of the AD user was no longer displayed.


Solution

In the end it turned out that the following setting, taken from a CIS hardening configuration, was the root cause:


"18.8.37.1 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)"

More information here

 

Basically, there should not be a problem with enabling RPC Endpoint Mapper Client Authentication.


But if you configured 

"Restrict NTLM: Outgoing NTLM traffic to remote servers"

More information here

 

then the enabled RPC Endpoint Mapper Client Authentication will no longer work, because it relies on NTLM.


Conclusion

A risk assessment must now be carried out here. 

 

Even Microsoft says that "It's encouraged to move away from NTLM to better secure your environment. If faced with a choice between restricting NTLM and using EnableAuthEpResolution, the recommended approach is that you restrict NTLM in your environment."

More information here

 

To sum up: even CIS recommends enabling RPC Endpoint Mapper Client Authentication, but its benchmarks make no statement regarding the denial of outgoing NTLM traffic to remote servers.


Question

  • Which configuration carries the more severe risk, and what should the recommendation be here in order to achieve an overall secure configuration?
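A script to check a client for the combination described in the question, added here as an example and not part of the original post. The registry paths and value names are the ones Microsoft's Group Policy documentation gives for "Enable RPC Endpoint Mapper Client Authentication" (EnableAuthEpResolution) and for the two "Restrict NTLM" settings (RestrictSendingNTLMTraffic and ClientAllowedNTLMServers); the function names, the verdict strings and the event query (event 8001 in the Microsoft-Windows-NTLM/Operational log, which audit mode writes for outgoing NTLM that "Deny all" would block) are this example's own choices.

```powershell
# Added example, not from the original post: detect the conflict between
# EnableAuthEpResolution and RestrictSendingNTLMTraffic on a Windows 10 client.
# Registry locations are the ones Microsoft documents for these policies;
# function names and verdict text are this example's own.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy is "Not Configured" (key or value absent).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RpcNtlmConflict {
    # "Enable RPC Endpoint Mapper Client Authentication" (CIS 18.8.37.1): 1 = Enabled
    $epAuth = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' 'EnableAuthEpResolution'

    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # 0 = Allow all, 1 = Audit all, 2 = Deny all
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = Get-PolicyValue $lsa 'RestrictSendingNTLMTraffic'

    # "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication"
    # REG_MULTI_SZ list of servers that may still receive outgoing NTLM despite "Deny all"
    $allowed = Get-PolicyValue $lsa 'ClientAllowedNTLMServers'

    $verdict = if ($epAuth -ne 1) {
        'EnableAuthEpResolution is not enabled: CIS 18.8.37.1 not met, so this setting adds no NTLM dependency.'
    } elseif ($restrict -eq 2) {
        'CONFLICT: authenticated endpoint-mapper resolution is enabled but outgoing NTLM is denied; ' +
        'it will fail against every server not listed in ClientAllowedNTLMServers.'
    } elseif ($restrict -eq 1) {
        'AUDIT: outgoing NTLM is audited, not blocked; event 8001 in Microsoft-Windows-NTLM/Operational ' +
        'lists the servers that would break once the policy is switched to Deny all.'
    } else {
        'OK: endpoint-mapper client auth enabled and outgoing NTLM allowed (the setting still depends on NTLM).'
    }

    [pscustomobject]@{
        EnableAuthEpResolution     = $epAuth
        RestrictSendingNTLMTraffic = $restrict
        ClientAllowedNTLMServers   = $allowed
        Verdict                    = $verdict
    }
}

function Get-AuditedOutgoingNtlm {
    # With RestrictSendingNTLMTraffic = 1 (Audit all), each outgoing NTLM authentication
    # that "Deny all" would have blocked is logged as event 8001. Reading the operational
    # log normally requires an elevated prompt.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Test-RpcNtlmConflict | Format-List
Get-AuditedOutgoingNtlm | Select-Object -First 20
```

Run it on a client that shows the SID-only symptom and on one that does not: the CONFLICT verdict with an empty ClientAllowedNTLMServers list is exactly the combination the post describes. Setting the policy to Audit all first and collecting event 8001 for a while tells you which servers the endpoint-mapper client would still talk to over NTLM, so you can decide between adding them to the exception list and dropping the CIS control.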

 

1 answer

  1. The Squirrel 111 Reputation points
    2024-05-08T17:26:13.44+00:00

    We are going down the road of blocking NTLM. RPC can be protected via IPsec, so you don't have to choose one or the other. The only issue is that the CIS rule will be an exception that you'll have to explain to your auditors: why you chose not to implement RPC authentication.
