October 2 2013

Limiting RPC dynamic port allocation range

From time to time, you will need to limit (or ‘lock down’) the range of ports used for RPC – for example, to allow the traffic through firewalls. In Windows Server 2008/Vista and later versions the default dynamic port range is 49152-65535. For Windows 2000, Windows XP and Windows Server 2003 the default range is 1025-5000.

The Microsoft article http://support.microsoft.com/kb/154596 outlines how to do this with a few registry value changes. For example, to limit the ports to 8000-9000, the following changes would be made, followed by a restart:

reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v Ports /t REG_MULTI_SZ /f /d 8000-9000
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v PortsInternetAvailable /t REG_SZ /f /d Y
reg add HKLM\SOFTWARE\Microsoft\Rpc\Internet /v UseInternetPorts /t REG_SZ /f /d Y

After testing this on a Windows 2008 R2 server and looking at Network Monitor traces, I found that the source port was still in the 49152-65535 range. After reading http://support.microsoft.com/kb/929851, I ran the following commands on both the source and target servers, then restarted:

netsh int ipv4 set dynamicport tcp start=8000 num=1001
netsh int ipv4 set dynamicport udp start=8000 num=1001
netsh int ipv6 set dynamicport tcp start=8000 num=1001
netsh int ipv6 set dynamicport udp start=8000 num=1001

Looking at Network Monitor traces after making these final changes, I could see that the RPC dynamic port allocation range (both source and destination ports) was locked down to the specified ports.
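To check that both changes actually took effect after the restart, here is an added PowerShell audit script (not part of the original post). It reads the KB154596 registry values, parses the effective dynamic range from netsh for each protocol, and lists established connections whose local port falls outside the expected range; it assumes Windows Server 2012 or later for Get-NetTCPConnection, and the 8000-9000 range is the post's example, exposed here as parameters.

```powershell
# Added example, not from the original post: audit the effective RPC / ephemeral
# port configuration. Assumes PowerShell 3+ and Get-NetTCPConnection (Server 2012+).
param(
    [int]$Start = 8000,   # post's example range
    [int]$End   = 9000
)

# 1. Registry values from KB154596 (the KB places them under ...\Rpc\Internet).
$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (Test-Path $key) {
    $rpc = Get-ItemProperty -Path $key
    "Rpc\Internet Ports                 : $($rpc.Ports -join ', ')"
    "Rpc\Internet PortsInternetAvailable: $($rpc.PortsInternetAvailable)"
    "Rpc\Internet UseInternetPorts      : $($rpc.UseInternetPorts)"
} else {
    "Rpc\Internet key not present - registry restriction not applied"
}

# 2. Effective dynamic range per protocol, as set by 'netsh ... set dynamicport'.
#    netsh prints 'Start Port : N' and 'Number of Ports : N'; parse both.
foreach ($proto in 'ipv4 tcp', 'ipv4 udp', 'ipv6 tcp', 'ipv6 udp') {
    $fam, $tr = $proto.Split(' ')
    $text = (netsh int $fam show dynamicport $tr) -join "`n"
    $s = if ($text -match 'Start Port\s*:\s*(\d+)')      { [int]$Matches[1] } else { -1 }
    $n = if ($text -match 'Number of Ports\s*:\s*(\d+)') { [int]$Matches[1] } else { -1 }
    $last = $s + $n - 1
    $state = if ($s -eq $Start -and $last -eq $End) { 'OK' } else { 'MISMATCH' }
    '{0,-9} dynamic range {1}-{2}  expected {3}-{4}  [{5}]' -f $proto, $s, $last, $Start, $End, $state
}

# 3. Live check: established TCP connections whose local port is ephemeral
#    (not a port this host also listens on) but outside the configured range
#    mean the new range is not in effect yet, e.g. a restart is still pending.
$listen  = (Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique
$outside = Get-NetTCPConnection -State Established |
    Where-Object { $_.LocalPort -gt 1024 -and $_.LocalPort -notin $listen -and
                   ($_.LocalPort -lt $Start -or $_.LocalPort -gt $End) }
if ($outside) {
    "Established connections with a local port outside ${Start}-${End}:"
    $outside | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort | Format-Table -AutoSize
} else {
    "All established connections use local ports within ${Start}-${End}"
}
```

Run it before and after the restart on both the source and target servers; a MISMATCH in step 2 or any rows in step 3 show the netsh change has not yet been applied.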



Posted October 2, 2013 by danovich in category Windows

2 thoughts on “Limiting RPC dynamic port allocation range”

  1. Laurent Zerirgui

    Hi,

    Many thanks for your post.
    However, your commands are not correct. There is an “Internet” that should not be there and there are no backslashes.

    The commands should be :

    reg add HKLM\SOFTWARE\Microsoft\Rpc /v Ports /t REG_MULTI_SZ /f /d 60000-60100
    reg add HKLM\SOFTWARE\Microsoft\Rpc /v PortsInternetAvailable /t REG_SZ /f /d Y
    reg add HKLM\SOFTWARE\Microsoft\Rpc /v UseInternetPorts /t REG_SZ /f /d Y

    Cheers,
    Laurent Zerirgui

