Windows Management Instrumentation (WMI)
WMI is one of the common ways used to monitor and discover Windows systems. In many customer-controlled environments, we regularly face connectivity issues such as the target not responding even though the requested listening port has been made available at the firewall.
We first need to understand how WMI handles communication between the two parties or systems. WMI uses the Remote Procedure Call (RPC) service, which listens on port 135. In response to an RPC request, RPC dynamic port allocation instructs the RPC program to use a particular random port above 1024. This explains why, in some customer cases, port 135 is open and yet the monitoring or discovery tool is still NOT able to collect any data: the customer may have firewall policies that restrict not only incoming connections but also outgoing connections.
Some customers or their security teams may ask for the required range of outgoing ports. Dynamic port allocation can be configured on the target system so that the security team can allow only those ports and nothing else.
RPC parameters can be modified with Registry Editor. The RPC port values are located under the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet. The values (key name, data type, meaning) are:
Ports (REG_MULTI_SZ)
Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports.
For example, a single port may be represented by 5984, and a set of ports may be represented by 5000-5100. If any entry is outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid.
PortsInternetAvailable (REG_SZ): Y or N (not case-sensitive)
If Y, the ports listed in the Ports value are all the Internet-available ports on that computer.
If N, the ports listed in the Ports value are all the ports that are not Internet-available.
UseInternetPorts (REG_SZ): Y or N (not case-sensitive)
Specifies the system default policy.
If Y, processes using the default are assigned ports from the set of Internet-available ports, as defined previously.
If N, processes using the default are assigned ports from the set of intranet-only ports.
Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
Under the Internet key, add the values "Ports" (REG_MULTI_SZ), "PortsInternetAvailable" (REG_SZ) and "UseInternetPorts" (REG_SZ).
For example, the new registry key appears as follows:
Ports: REG_MULTI_SZ: 5000-5100
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y
Restart the server. All applications that use RPC dynamic port allocation will then use ports 5000 through 5100 inclusive.
You should open a range of ports above port 5000, because ports below 5000 may already be in use by other applications and could conflict with your DCOM applications. A minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
Note: The minimum number of ports required may differ from computer to computer. Computers with higher traffic may run into port exhaustion if the RPC dynamic ports are restricted. Take this into consideration when restricting port usage.
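The registry change above, scripted as an added example (this is not from the original article): it validates the port strings against the rules stated earlier (single port or inclusive low-high range, every value within 0 to 65535, otherwise RPC rejects the whole configuration), writes the three values, and reads them back so the result can be compared with the firewall request. Run it from an elevated PowerShell prompt; the 5000-5100 range and the Y/Y settings are the article's example values.

```powershell
# Added example, not the article's own script. Requires an elevated prompt and a
# restart afterwards for the RPC runtime to pick up the new range.
$RpcKey      = 'HKLM:\SOFTWARE\Microsoft\Rpc'
$InternetKey = Join-Path $RpcKey 'Internet'
$PortRanges  = @('5000-5100')   # at least 100 ports, above 5000, as recommended above

function Test-RpcPortRange {
    # Mirrors the RPC runtime rule: each string is one port or an inclusive
    # "low-high" range, and every number must lie within 0..65535.
    param([string[]]$Ranges)
    foreach ($r in $Ranges) {
        if ($r -match '^(\d+)-(\d+)$') {
            $lo = [long]$Matches[1]; $hi = [long]$Matches[2]
            if ($lo -gt $hi -or $hi -gt 65535) { return $false }
        } elseif ($r -match '^\d+$') {
            if ([long]$r -gt 65535) { return $false }
        } else {
            return $false   # unparseable entry: RPC treats the entire configuration as invalid
        }
    }
    return $true
}

if (-not (Test-RpcPortRange $PortRanges)) {
    throw "Invalid RPC port specification: $($PortRanges -join ', ')"
}

# Create the Internet subkey if it does not exist yet
if (-not (Test-Path $InternetKey)) { New-Item -Path $InternetKey | Out-Null }

# Ports is REG_MULTI_SZ; the other two are REG_SZ, exactly as listed above.
# -Force overwrites an existing value instead of failing.
New-ItemProperty -Path $InternetKey -Name 'Ports' -PropertyType MultiString -Value $PortRanges -Force | Out-Null
New-ItemProperty -Path $InternetKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $InternetKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Read the values back so the configured range can be handed to the firewall team
Get-ItemProperty -Path $InternetKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
Write-Host 'Restart the server for the RPC runtime to apply the new port range.'
```

After the restart, `netstat -ano` on the target should show RPC endpoints listening only within the configured range, which is the quickest check that the change took effect.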
Note: For a large-scale monitoring and discovery deployment, it is not practical to apply this registry change to every target system. If the security team cannot compromise on the WMI prerequisite, I strongly suggest that you look at other alternatives, such as using NetBIOS.