3 Replies Latest reply on May 23, 2017 5:59 PM by Bryan Owen

    RPC Client

    vint.maggs@srs.gov

      Hello All,  

I am evaluating the Center for Internet Security Microsoft Windows Server 2012 R2 Benchmark (version 2.2.0) for a Level 2 member server. Level 2 server settings are designed for a more secure environment. There are 51 L2 settings specified in this document, however there is only one setting that gives me pause: 18.8.31.2, Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled'.


      Has this setting been evaluated for impacts? What clients, applications, services, processes, etc use RPC and are they authenticated or anonymous?


      My current environment is W2K12R2 with PI Data Archive 2016 R2 and Coresight.


      Thanks,

      Vint

        • Re: RPC Client
          tmcmanus

          Hi Vint,


          Great question - thanks for bringing this to our attention. I've looped in our Security Team to help out with your question to ensure we can give you a qualified answer.


          An initial smoke test by Harry Paul revealed no issues in terms of PI communication, specifically regarding Coresight to the PI Data Archive, but our team is discussing the matter, and hopefully will be able to post back in here shortly with a more thorough response.

            • Re: RPC Client
              vint.maggs@srs.gov

              Thank you for your attention. I am not too concerned with Coresight and the Data Archive but more so with PI SMT, PI System Explorer, the PI Interface for GSE D/3 DBA, and Excel, to name a few off the top of my head.


              These are tools we use daily to manage our environment.


              Thanks,

              Vint

                • Re: RPC Client
                  Bryan Owen

                  A recent security assessment of the PI System used the Member Server Baseline for 2012R2 in accordance with Microsoft Security Compliance Manager.

                  SCM typically tracks closely with CIS and STIG, but 'Restrict Unauthenticated RPC clients' was dropped from the SCM baselines after 2008SP2 (btw, the setting was not enabled in the 2008R2 baseline). As a result, this policy setting has not been explicitly tested recently, or ever that I know of.


                  I have yet to find the archeology on why the setting was dropped from the baseline. Given restricting anonymous RPC has a checkered past in the 2008 era, this post seems like as good a place as any to seek confirmation from the community.

                  Restrictions for Unauthenticated RPC Clients: The group policy that punches your domain in the face | Ask the Directory …


                  Finally, although there is a time and place for 'anonymous' access, the PI System is designed to support authenticated access based on Windows integrated security. For interfaces, that means planning rollout of PI API 2016 for Windows Integrated Security.
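For anyone wanting to test this setting on a lab member server before rolling it out, the script below is an added example (not code from this thread, from OSIsoft, or from CIS). It reads the registry value that the 'Restrict Unauthenticated RPC clients' policy writes (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc, REG_DWORD RestrictRemoteClients, where 0 = None, 1 = Authenticated, 2 = Authenticated without exceptions), reports whether it matches the target state, and lists local TCP listeners on the endpoint mapper port and the default dynamic port range so you know which processes to exercise (PI SMT, PI System Explorer, interfaces, Excel add-ins) before and after enabling the policy. Assumptions are labelled in the comments: the target value of 1 corresponds to the 'Enabled: Authenticated' option, and not every listener in the dynamic range is an RPC server, so the inventory is a list of candidates to check, not a definitive RPC map.

```powershell
# Added example, not part of the original thread or the PI System product code.
# Audits the 'Restrict Unauthenticated RPC clients' policy state and inventories
# local TCP listeners that may be RPC servers affected by the policy.

$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

# Meaning of the REG_DWORD RestrictRemoteClients written by the policy.
$RestrictRemoteClientsMeaning = @{
    0 = 'None (policy Enabled: None)'
    1 = 'Authenticated (policy Enabled: Authenticated)'
    2 = 'Authenticated without exceptions'
}

function Get-RpcRestrictionState {
    # ExpectedValue 1 is an assumption: it is the value written when the policy
    # is Enabled with the 'Authenticated' option selected.
    param([int]$ExpectedValue = 1)

    $item = Get-ItemProperty -Path $RpcPolicyKey -Name 'RestrictRemoteClients' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy value present: the policy is Not Configured on this host.
        $value = $null
        $state = 'Not configured (no policy value present; OS default applies)'
    } else {
        $value = [int]$item.RestrictRemoteClients
        $state = if ($RestrictRemoteClientsMeaning.ContainsKey($value)) {
            $RestrictRemoteClientsMeaning[$value]
        } else {
            "Unknown value $value"
        }
    }

    [pscustomobject]@{
        RegistryKey = $RpcPolicyKey
        Value       = $value
        State       = $state
        MatchesTarget = ($value -eq $ExpectedValue)
    }
}

function Get-RpcListenerInventory {
    # TCP 135 is the RPC endpoint mapper. 49152-65535 is the default dynamic
    # port range on Windows Server 2012 R2 where RPC servers register endpoints;
    # listeners there are candidates only (assumption), since other services
    # can also bind dynamic ports.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -eq 135 -or $_.LocalPort -ge 49152 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        } |
        Sort-Object LocalPort, ProcessId -Unique
}

# Usage: run elevated on the member server being evaluated, capture the output
# before enabling the policy, enable it, gpupdate /force, then re-run and
# exercise each client tool against this server.
Get-RpcRestrictionState | Format-List
Get-RpcListenerInventory | Format-Table -AutoSize
```

Run the inventory once with the policy Not Configured and once after it is applied; any process that served anonymous RPC clients will still appear as a listener, so the real test is exercising each client tool (and any interface node) against the server and watching for access-denied or connection failures in the PI message log and the client logs.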