Don't run rexd, rusersd, or rwalld RPC services, because they are of minimal use and provide attackers with both useful information and direct access to your hosts.
In high-security environments, don't offer any RPC services to the public Internet. Due to the complexity of these services, it is highly likely that zero-day exploit scripts will be available to attackers before patch information is released.
To minimize the risk of internal or trusted attacks against necessary RPC services (such as NFS components, including statd, lockd, and mountd), install the latest vendor security patches.
Aggressively filter egress traffic, where possible, to ensure that even if an attack against an RPC service is successful, a connect-back shell can't be spawned to the attacker.
