RPC Endpoint Mapper
This policy setting determines if RPC clients authenticate with the Endpoint Mapper Service when their call includes authentication data. The Endpoint Mapper Service on Windows NT4 (all service packs) is unable to process authentication data provided in this manner.
Disabling this policy means RPC clients won’t authenticate with the Endpoint Mapper Service, but they can still communicate with it on Windows NT4 Server.
The recommended state for this setting is: Enabled.
Enable RPC authentication
To modify these policies using the Group Policy Object (GPO) editor:
- Click Start> type msc > hit Enter to open the Local Group Policy Editor.
- To enable the equivalent of EnableAuthEpResolution settings, navigate to Computer Configuration\Administrative Templates\System\Remote Procedure Call\Enable RPC Endpoint Mapper Client Authentication, then select one of the two available settings:
- Disabled– This setting is the default. RPC clients won’t authenticate to the Endpoint Mapper Service, but they’ll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- Enabled– PC clients authenticate via the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won’t be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
Changes to either setting require a system reboot for them to take effect.
Important Note *
The following Group Policy settings found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options cannot be used with EnableAuthEpResolution:
- Network security: Restrict NTLM: Incoming NTLM traffic - “Deny All Accounts”
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - “Deny All”
It’s encouraged to move away from NTLM to better secure your environment. If faced with a choice between restricting NTLM and using EnableAuthEpResolution, the recommended approach is that you restrict NTLM in your environment.
Enable RPC Endpoint Mapper Client Authentication via GPO
This policy setting will not be applied until the system is rebooted.
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\Windows NT\Rpc |
| Value Name | EnableAuthEpResolution |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
Vulnerabilities
Vulnerabilities in the RPC Endpoint Mapper service can have severe consequences, as they can potentially allow remote attackers to execute arbitrary code or escalate privileges on the target system.
The EternalBlue exploit, notably used in the WannaCry ransomware attack of 2017, targeted a vulnerability (CVE-2017-0143) in the Server Message Block (SMB) protocol on Windows systems. This vulnerability enabled attackers to execute remote code with SYSTEM privileges by exploiting improper handling of requests by the RPC Endpoint Mapper service.
CVE-2022-37958 While EternalBlue exploits a vulnerability solely within Microsoft's implementation of the Server Message Block (SMB) protocol, this vulnerability spans a much broader range of protocols. This code-execution vulnerability enables attackers to trigger the flaw through any Windows application protocol that requires authentication. This includes attempts to connect to an SMB share or through Remote Desktop.
Ensure ‘Enable RPC Endpoint Mapper Client Authentication’ is set to ‘Enabled’
This policy determines RPC client authentication with the Endpoint Mapper Service. Applying it to NT4 systems can cause issues, particularly with 1-way forest trusts
The impact of enabling the policy setting is that RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
The solution is to establish the recommended configuration via GP, set the following UI path to Enabled:
| Computer Configuration\Policies\Administrative Templates\System\Remote Procedure Call\Enable RPC Endpoint Mapper Client Authentication |
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Enhancing Security with Automated Hardening
Implementing automated hardening measures for the RPC Endpoint Mapper Client Authentication mechanism can significantly bolster the overall security posture of Windows systems. By automating the process of applying recommended security configurations, organizations can ensure consistent and timely mitigation of known vulnerabilities related to this critical component.
Automated hardening eliminates the potential for human error during manual configuration and guarantees that all systems within the environment adhere to the latest security best practices. Additionally, it streamlines the process of keeping systems up-to-date with the latest security updates, reducing the window of exposure to potential threats.
By embracing automated hardening strategies, organizations can proactively protect their Windows infrastructure from exploitation attempts targeting RPC Endpoint Mapper Client Authentication vulnerabilities, minimizing the risk of remote code execution, privilege escalation, and other malicious activities.
