In many cases, it may not be obvious what specific interfaces a particular application uses to connect to another server. This is particularly true with RPC UUIDs, which are not always published in documentation or on the Internet. In cases where custom protocol definitions need to be made for securing the service, but the UUIDs are unknown, using a network packet capture tool is a useful approach for identifying which types of interfaces to allow.
Windows Server 2003 includes a free Network Monitor tool that can be installed on any server to capture the packets sent directly to that particular server. Installed on a destination server, for example, it can be used to identify which RPC interfaces a particular application is using.
Installing Network Monitor
The first step in inspecting the RPC packets and creating a custom rule based on the UUIDs of a service is to install Network Monitor on the server. To install Network Monitor on a Windows Server 2003 system, perform the following steps:
It might be useful to install Network Monitor on an ISA server itself to assist in troubleshooting problems and monitoring the traffic sent to it. It can also be used to determine which types of RPC traffic are reaching ISA's network interfaces, which is useful for the type of scenario being described here as well.
Using Network Monitor to Scan Traffic for RPC UUIDs
After it has been installed, Network Monitor can be used to take snapshots of the packets that reach the network interfaces installed on the server. Looking through these packets can help to identify critical pieces of information, such as which UUIDs are being requested. To begin, start Network Monitor and capture some data through the following process:
During the data capture, the application that is to be tested for UUID transmittal must be run against the server in question. On systems with multiple network cards, the network to capture on must also be selected.
After the capture is complete, look through the packet Description column for entries that start with c/o RPC Bind: UUID, similar to what is shown in Figure 15.10. Note each UUID that is requested from the server in these Bind frames and record it for use in the custom RPC protocol definition.
Figure 15.10. Looking for RPC UUIDs in Network Monitor traffic.
Because each UUID needs to be entered without typos, it may be wise to copy and paste the results from Network Monitor into Notepad, so that they can be used later when creating the RPC protocol definition.
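Picking UUIDs out of a long capture by eye is exactly where transcription errors creep in. The following script is an added example, not part of the original chapter or of Network Monitor: it takes the Description text of a capture (the sample frames below are constructed to approximate Network Monitor's MSRPC output, and the UUIDs in them are made-up values, not real interfaces), keeps only c/o RPC Bind frames, validates the UUID format, and returns a de-duplicated, normalized list suitable for a custom RPC protocol definition. Bind Ack and Request frames carry no UUID and are deliberately ignored.

```python
import re
from collections import Counter

# Constructed sample: Description column of a Network Monitor capture, one frame per line.
# Format approximates Network Monitor's MSRPC parser; UUIDs are example values only.
SAMPLE_FRAMES = """\
1   10.0.0.5   10.0.0.20   TCP    ....S., len: 0, seq: 1-1, ack: 0, win: 65535
2   10.0.0.20  10.0.0.5    TCP    .A..S., len: 0, seq: 1-1, ack: 2, win: 16384
3   10.0.0.5   10.0.0.20   MSRPC  c/o RPC Bind: UUID 12345678-1234-ABCD-EF00-0123456789AB call 0x1 assoc grp 0x0 xmit 0x16D0 recv 0x16D0
4   10.0.0.20  10.0.0.5    MSRPC  c/o RPC Bind Ack: call 0x1 assoc grp 0x2A52 xmit 0x16D0 recv 0x16D0
5   10.0.0.5   10.0.0.20   MSRPC  c/o RPC Request: call 0x1 opnum 0x3 context 0x0 hint 0x48
6   10.0.0.5   10.0.0.20   MSRPC  c/o RPC Bind: UUID 12345678-1234-abcd-ef00-0123456789ab call 0x2 assoc grp 0x2A52 xmit 0x16D0 recv 0x16D0
7   10.0.0.5   10.0.0.20   MSRPC  c/o RPC Bind: UUID ABCDEF01-2345-6789-ABCD-EF0123456789 call 0x3 assoc grp 0x0 xmit 0x16D0 recv 0x16D0
"""

# Only Bind frames name an interface; the strict UUID shape rejects truncated or mistyped values.
BIND_UUID_RE = re.compile(
    r"c/o RPC Bind: UUID\s+"
    r"([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\b"
)


def extract_bind_uuids(capture_text):
    """Return a Counter mapping each interface UUID (upper-cased) to the number of Bind frames that requested it."""
    counts = Counter()
    for line in capture_text.splitlines():
        match = BIND_UUID_RE.search(line)
        if match:
            # Normalize case so the same interface is not listed twice.
            counts[match.group(1).upper()] += 1
    return counts


def allow_list(capture_text):
    """Sorted, unique UUIDs observed in Bind frames: the set to allow in the custom RPC protocol definition."""
    return sorted(extract_bind_uuids(capture_text))


if __name__ == "__main__":
    for uuid, seen in sorted(extract_bind_uuids(SAMPLE_FRAMES).items()):
        print(f"{uuid}  (requested in {seen} Bind frame(s))")
```

Run it against the text exported from a capture (Network Monitor lets you save or copy the frame summary) and paste the printed UUIDs into the protocol definition rather than re-typing them. The count per UUID is a useful sanity check: an interface that appears only once across a long test run may be unrelated background traffic rather than something the application needs.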
Using Network Monitor is an excellent way to ascertain what type of traffic an application uses. This information can then be translated directly into a custom protocol definition and filter rule in ISA, further securing the traffic sent between networks protected by ISA servers.