3.1.1.1.3 Authorization Policy

This extension introduces authorization policies that an administrator on the server machine can deploy that restrict access to all RPC interfaces on the server.

RestrictRemoteClients: A 32-bit value that forces RPC to perform additional security checks for all interfaces. The scope of this ADM element is global to the RPC server.<59> The possible values are the following:

| Flag | Value | Description |
|------|-------|-------------|
| RPC_RESTRICT_REMOTE_CLIENT_NONE | 0 | Causes the server to bypass the RPC interface restriction. |
| RPC_RESTRICT_REMOTE_CLIENT_DEFAULT | 1 | All remote anonymous calls are rejected by the RPC runtime except calls coming in through named pipes (ncacn_np). If an interface is registered with the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag, then the interface is not restricted. |
| RPC_RESTRICT_REMOTE_CLIENT_HIGH | 2 | All remote anonymous calls are rejected by the RPC runtime with no exemptions. |

EnableAuthEpResolution: A Boolean value global to the RPC client runtime that enables authenticated calls to the Endpoint Mapper. If the server's RestrictRemoteClients value is set to RPC_RESTRICT_REMOTE_CLIENT_DEFAULT or RPC_RESTRICT_REMOTE_CLIENT_HIGH, the RPC Endpoint Mapper interface MUST NOT be accessible anonymously. Typically, an RPC client that attempts to make a call using a dynamic endpoint will first query the RPC Endpoint Mapper on the server to determine what endpoint it SHOULD connect to. This query is performed anonymously, even if the RPC client call itself is performed using RPC security. The RPC client runtime SHOULD be configurable to perform an authenticated query to the Endpoint Mapper. This authenticated query MUST only be performed if the actual RPC client call uses RPC authentication.<60>

There is no way for a client to discover whether the Endpoint Mapper requires authenticated calls. As described in [C706] section 2.12.4, a client can explicitly resolve a partially bound server binding handle by calling the equivalent of rpc_ep_resolve_binding. A partially bound server binding handle will also be automatically resolved by the RPC runtime when doing an RPC call using a partially bound server binding handle. In both cases, there is no way for a client to force an authenticated query to the Endpoint Mapper. The query to the Endpoint Mapper will use the partially bound server binding handle security information to interact with the Endpoint Mapper. As a consequence, if the client is not doing a secure call to the server, it won't be able to interact with an Endpoint Mapper if the EnableAuthEpResolution flag is set.

RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH: A Boolean value maintained in the scope of an RPC interface that overrides the behavior of RestrictRemoteClients when it is set to RPC_RESTRICT_REMOTE_CLIENT_DEFAULT, and allows the interface to process unauthenticated calls.<61>

When processing a receive Server Call, an implementation of this protocol must perform one of the following actions depending on the value of the RestrictRemoteClients ADM element:

  • 0 : Perform no additional checks and consider this check as successful.

  • 1 :  Examine the Server Call ADM element to determine if there is a Security Context ADM element associated with this call. If a Security Context exists, then this check is considered as successful. If there is no Security Context, then examine the RPC Interface ADM element for this Call to determine if the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag is set. If this flag is set, then consider this check as successful. If this flag is not set, then examine the Server Connection ADM element to determine if the transport protocol is ncacn_np. If this transport protocol is ncacn_np, then this check is considered as successful; otherwise, consider this check as failed.

  • 2 :  Examine the Server Call ADM element to determine if there is a Security Context ADM element associated with this call. If a Security Context exists, then this check is considered as successful; otherwise, consider this check as failed.

The RestrictRemoteClients ADM element has no default value and implementations of this protocol MUST determine the value in an implementation-specific manner.<62> A higher-layer protocol MAY provide additional authorization checks that are enforced on the Server Call. If any of the checks fail, then an implementation of this protocol MUST respond to the client with an RPC_FAULT PDU and terminate the connection.
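
The decision procedure above, written out as an added example (not code from this specification or from any RPC runtime). The struct call_view, the sample calls and both function names are hypothetical; treating values outside the table as a failed check is an assumption, since the text defines behavior only for 0, 1 and 2.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RestrictRemoteClients values from the table in this section. */
enum {
    RPC_RESTRICT_REMOTE_CLIENT_NONE    = 0,
    RPC_RESTRICT_REMOTE_CLIENT_DEFAULT = 1,
    RPC_RESTRICT_REMOTE_CLIENT_HIGH    = 2
};

/* Hypothetical flattened view of the ADM elements the check consults. */
struct call_view {
    bool has_security_context;          /* Server Call: Security Context present */
    bool allow_callbacks_with_no_auth;  /* RPC Interface: RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH */
    const char *protseq;                /* Server Connection: transport protocol */
};

/* Constructed sample calls, for illustration only. */
static const struct call_view SAMPLE_CALLS[] = {
    { true,  false, "ncacn_ip_tcp" },   /* authenticated call over TCP */
    { false, false, "ncacn_ip_tcp" },   /* anonymous call over TCP */
    { false, false, "ncacn_np"     },   /* anonymous call over a named pipe */
    { false, true,  "ncacn_ip_tcp" },   /* anonymous call, interface flag set */
};

/* true: check successful. false: check failed (RPC_FAULT PDU, connection terminated). */
bool restrict_remote_clients_check(unsigned policy, const struct call_view *c) {
    switch (policy) {
    case RPC_RESTRICT_REMOTE_CLIENT_NONE:
        return true;
    case RPC_RESTRICT_REMOTE_CLIENT_DEFAULT:
        if (c->has_security_context || c->allow_callbacks_with_no_auth) return true;
        return c->protseq != NULL && strcmp(c->protseq, "ncacn_np") == 0;
    case RPC_RESTRICT_REMOTE_CLIENT_HIGH:
        return c->has_security_context;
    default:
        return false;  /* Assumption: values not in the table fail closed. */
    }
}

/* Counts how many of n calls a given policy value would reject. */
size_t count_rejected(unsigned policy, const struct call_view *calls, size_t n) {
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!restrict_remote_clients_check(policy, &calls[i])) rejected++;
    return rejected;
}

int main(void) {
    for (unsigned p = 0; p <= 3; p++)
        printf("policy %u rejects %zu of 4 sample calls\n", p, count_rejected(p, SAMPLE_CALLS, 4));
    return 0;
}
```

Running the count over a representative set of observed calls before moving a server from value 1 to value 2 shows which anonymous named-pipe or flag-exempt callers would start receiving faults.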