October 2

Limiting RPC dynamic port allocation range

From time to time, you will need to limit (or 'lock down') the number of ports that are used for RPC. This might be to allow traffic through firewalls or for other reasons. In Windows Server 2008/Vista and later versions the default dynamic port range is 49152-65535. For Windows 2000, Windows XP and Windows Server 2003 the default range is 1025-5000.

A Microsoft article, http://support.microsoft.com/kb/154596, outlines how to do this with some registry value changes. For example, if I wanted to limit ports to between 8000-9000, then the following adjustments would be made, followed by a restart:

reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v Ports /t REG_MULTI_SZ /f /d 8000-9000
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v PortsInternetAvailable /t REG_SZ /f /d Y
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v UseInternetPorts /t REG_SZ /f /d Y

After testing this on a Windows 2008 R2 Server and looking at Network Monitor traces, I found that the source port was still in the 49152-65535 range. After reading http://support.microsoft.com/kb/929851, I ran the following commands on both source and target servers, then restarted:

netsh int ipv4 set dynamicport tcp start=8000 num=1001
netsh int ipv4 set dynamicport udp start=8000 num=1001
netsh int ipv6 set dynamicport tcp start=8000 num=1001
netsh int ipv6 set dynamicport udp start=8000 num=1001

After looking at Network Monitor traces after making these final changes, I could then see that the RPC dynamic port allocation range (both source and destination ports) was locked down to the specified ports.
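
The following PowerShell script is an added example, not part of the original post. It reads the RPC `Ports` value set above and checks whether each TCP/IP dynamic port range reported by `netsh` falls inside it, which is the mismatch described in the traces. It assumes English-language `netsh` output; the function and variable names are illustrative.

```powershell
# Added example: check that the TCP/IP dynamic port ranges fall inside the RPC Ports range.
# Assumption: English-language netsh output ("Start Port" / "Number of Ports").
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-DynamicPortRange {
    param([string]$Family, [string]$Protocol)
    $text = (netsh int $Family show dynamicport $Protocol) -join "`n"
    if ($text -match 'Start Port\s*:\s*(\d+)') { $start = [int]$Matches[1] } else { return $null }
    if ($text -match 'Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] } else { return $null }
    New-Object PSObject -Property @{
        Stack = "$Family/$Protocol"; First = $start; Last = $start + $count - 1
    }
}

# Read the RPC settings written by the reg add commands.
$rpc = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
if (-not $rpc -or -not $rpc.Ports) {
    Write-Warning "No Ports value under $rpcKey; RPC is using the default dynamic range."
    return
}

# Ports is REG_MULTI_SZ: each entry is either a range "8000-9000" or a single port.
$rpcRanges = foreach ($entry in $rpc.Ports) {
    $parts = $entry.Trim() -split '-'
    New-Object PSObject -Property @{ First = [int]$parts[0]; Last = [int]$parts[-1] }
}

"RPC Ports              : $($rpc.Ports -join ', ')"
"PortsInternetAvailable : $($rpc.PortsInternetAvailable)"
"UseInternetPorts       : $($rpc.UseInternetPorts)"

# Compare every stack/protocol pair changed by the netsh commands.
foreach ($family in 'ipv4', 'ipv6') {
    foreach ($proto in 'tcp', 'udp') {
        $dyn = Get-DynamicPortRange $family $proto
        if (-not $dyn) {
            Write-Warning "Could not parse netsh output for $family/$proto"
            continue
        }
        $inside = $rpcRanges | Where-Object { $dyn.First -ge $_.First -and $dyn.Last -le $_.Last }
        $status = if ($inside) { 'inside RPC range' } else { 'OUTSIDE RPC range' }
        '{0,-9} {1}-{2}  {3}' -f $dyn.Stack, $dyn.First, $dyn.Last, $status
    }
}
```

Run it on both the source and target servers; any line reporting `OUTSIDE RPC range` means that stack is still using a dynamic range the firewall rule for the RPC ports will not cover.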

 

 





Posted October 2, 2013 by danovich in category Windows
