netsh rpc is a command-line tool that you can use to create remote procedure call (RPC) Firewall Filters and the rules and conditions that are associated with the filters.
You can run the Netsh RPC commands from the command prompt for the netsh rpc context. For these commands to work at the Windows Server 2008 command prompt, you must type netsh rpc before typing commands and parameters as they appear in the syntax.
For more information about netsh, see Netsh Overview and Enter a Netsh Context.
You must have the required permissions to run the netsh rpc commands:
- If you are a member of the Administrators group, and User Account Control is enabled on your computer, run the commands from a command prompt with elevated permissions. To open a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.
- If you are a member of the Network Operators group, you can run the commands from any command prompt.
- If you are not a member of Administrators or Network Operators and you have not been delegated any other permissions to run this command, you can run only the commands that display the settings, not the commands that change the settings.
For information on how to interpret netsh command syntax, see Formatting Legend.
Netsh RPC commands
The following entries provide details for each command.
filter
This command changes the command-line context to the netsh rpc filter subcontext. This subcontext is for running commands that set rules and conditions for RPC Firewall filtering.
Syntax
```
filter
```
Parameters
- add rule: Adds an RPC Firewall Filter rule.
- add condition: Adds a condition to an existing RPC Firewall Filter rule.
- add filter: Adds an RPC Firewall Filter.
- show filter: Displays a list of active RPC Firewall Filters.
- delete filter: Deletes all active RPC Firewall Filters and the rules and conditions that are associated with those filters.
- delete rule: Deletes the existing RPC Firewall Filter rules.
- /?: Displays help at the command prompt.
add rule
Adds a rule to specify an action when a given condition is met. Rules and conditions are combined to specify RPC Firewall Filters.
Use the following order when you add rules, conditions, and filters:
1. Add rule. The information in this "add rule" section provides details for step 1 (adding rules), including syntax, parameters, and allowed values.
2. Add conditions.
3. Add the filter that is created by the combination of rules and conditions that you enter.
Syntax
```
filter add rule [layer=]<string> [actiontype=]<string> [[filterkey=]<string>] [[persistence=]volatile] [[audit=]enable]
```
Parameters
The following sections provide information about the Layer tag and the values of the parameters that are associated with the Layer tag.
Layer tag
RPC Firewall layers represent abstract connection types. Each layer applies to a different aspect of an RPC connection. RPC Firewall layers are not directly related to RPC architectural components, but they are used to specify an aspect or type of RPC connection.
| Tag | Required | Default | Description | Allowed values |
|---|---|---|---|---|
| Layer | Yes | None | Specifies an RPC communications protocol layer. | Um, Epmap, Ep_add, Proxy_conn, Proxy_if |
| Actiontype | Yes | None | Describes the action to take for the specified layer: block the item, permit the item to invoke a function that executes in another process, or continue processing the rule. | Block, Permit, Continue |
| Filterkey | No | A randomly generated Universally Unique Identifier (UUID) | A 128-bit identifier that uniquely identifies this filter. | UUID |
| Persistence | No | Persistent | Specifies whether the filter persists when the system is restarted. | Persistent, Volatile |
| Audit | No | Disabled | Enables or disables Audit mode. In Audit mode, rules are not applied and traffic is not filtered. Instead, the RPC filtering engine logs events where a rule would have been applied. | Enabled, Disabled |
Allowed values for the Layer tag
| Value | Name | Description |
|---|---|---|
| um | User Mode layer | An RPC communications protocol layer that is used for high-level policies, such as filtering on a user or application identity. |
| epmap | The Endpoint Mapper layer | An RPC communications protocol layer that is used to write interface-specific rules. |
| ep_add | Endpoint Addition layer | A layer that allows dynamic or static endpoint ports to be added for each interface. These layers are not used for filtering. Instead, they are containers that specify an interface and an endpoint to add to the process hosting the interfaces. |
| proxy_conn | RPC Proxy Connect layer | An RPC communications protocol layer that is used to write non-interface-specific rules for an RPC proxy role. |
| proxy_if | RPC Proxy Interface layer | An RPC communications protocol layer that is used to write interface-specific rules for an RPC proxy role. |
Allowed values for the Actiontype tag
| Value | Description |
|---|---|
| Block | Does not allow the specified item access over RPC. |
| Permit | Allows the specified item access over RPC. |
| Continue | Does not allow the specified item access over RPC until all rules in the filter are run. Access is based on the cumulative results of all the rules in the filter. |
Allowed values for the Filterkey tag
| Value | Name | Description |
|---|---|---|
| UUID | Universally Unique Identifier | A unique, 128-bit identifier that identifies this filter. |
Allowed values for the Persistence tag
| Value | Description |
|---|---|
| Persistent | The value is stored on the disk and persists through a system restart. This is the default value. |
| Volatile | The value is not stored. If the system is restarted, the value is lost. |
Allowed values for the Audit tag
| Value | Description |
|---|---|
| Enabled | Specifies that the RPC filtering engine runs in Audit mode. In Audit mode, rules are not applied and traffic is not filtered. Instead, the RPC filtering engine logs events when a rule would be applied. |
| Disabled | Specifies that the RPC filtering engine does not run in Audit mode. Instead, the RPC filtering engine actively filters traffic and applies the filtering rules. This is the default value. |
Examples
The following example adds a rule to block RPC traffic that matches the given condition. This rule applies to the user mode (um) layer. A specific filter key identifies the filter.
```
add rule layer=um actiontype=block
```
The following example is a rule to add an endpoint to an interface. The rule references a specific filterkey. This is the only rule that is necessary for adding a dynamic endpoint to an interface.
```
add rule layer=ep_add actiontype=permit filterkey=11111111-2222-3333-4444-555555555555
```
add condition
Adds a condition that must be met so that a filtering rule can be applied. Conditions are combined with rules to specify RPC Firewall Filters.
Use the following order when you add rules, conditions, and filters:
1. Add rule.
2. Add conditions. The information in this "add condition" section provides details for step 2, including syntax, parameters, and allowed values.
3. Add the filter that is created by the combination of rules and conditions that you enter.
Syntax
```
filter add condition [field=]<string> [matchtype=]<string> [data=]<string>
```
Parameters
See the following tables for the add condition parameters and their values. The filtering engine checks that the condition you specify is met before the associated rule is run and the filtering is applied. An administrator can use the parameters and their values to fine-tune the filter so that it applies only to the specified RPC port, interface, or transport.
| Tag | Required | Default | Description | Allowed values |
|---|---|---|---|---|
| Field | Yes | None | Identifies the RPC field where the condition applies. The allowed values of the field tag vary, depending on the layer that is specified in the filtering rule. | See the tables in the section "Allowed values for the Field tag by Layer." |
| MatchType | Yes | None | Defines the type of comparison to perform on a given field. | See the table in the section "Allowed values for the MATCHTYPE tag." |
| Data | Yes | None | The data that is compared to the value in the field to determine whether your condition is met. The comparison is the one defined in the MatchType tag. | The value that is allowed for the Data tag varies for each field that is specified. |
Allowed values for the Field tag by Layer
The allowed values for the Field tag depend on the RPC layer to which the rules apply. For each layer, there is a set of allowed Field values. The layer is specified in the add rule command. The following tables describe the allowed values for the Field tag by RPC layer.
Allowed values for the User Mode Layer
The following values for filtering are allowed for User Mode (UM) Layer conditions. There are no required fields for UM Layer conditions.
| Allowed value | Description |
|---|---|
| if_uuid | The 128-bit interface UUID. The UUID is formatted as follows: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX |
| if_version | The version of the interface as defined in the RPC Interface Definition Language (IDL) file. This is a decimal number. For information about the IDL file, see RPC Architecture (http://go.microsoft.com/fwlink/?LinkId=108499). |
| if_flag | The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized flag is RPC_FW_IF_FLAG_DCOM (0x0001), which indicates that the condition applies to DCOM activations or calls to DCOM interfaces. For example, to create a condition to block a DCOM activation, use the following command: netsh rpc filter add condition field=if_flag matchtype=equals data=0x0001 |
| dcom_app_id | The UUID of the DCOM application where the condition is applied. The UUID is formatted as follows: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. For information about application identifiers, see DCOM Architecture (http://go.microsoft.com/fwlink/?LinkId=108500). |
| image_name | The name of the executable image. The name is preceded by s if it is given in ASCII or by w if it is given in Unicode. For example, to apply this condition to Image.exe, use the following command: netsh rpc filter add condition field=image_name matchtype=equal data=simage.exe |
| protocol | The protocol over which to block. It must be one of the following strings: NCACN_IP_TCP (the TCP protocol) or NCACN_NP (the named pipes protocol). For example, to create a rule that applies to the TCP protocol, use the following command: netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP |
| auth_type | The authentication service type. The value is specified as a decimal number. For more information about authentication service types, see Authentication-Service Constants (http://go.microsoft.com/fwlink/?LinkId=107910). |
| auth_level | The authentication-level constant. This value represents authentication levels that are passed to various run-time functions. The value is specified as a decimal number in increasing order, starting with 0. For more information about authentication-level constants, see Authentication-Level Constants (http://go.microsoft.com/fwlink/?LinkId=107912). |
| sec_encrypt_alg | The certificate-based, security service provider interface (SSPI) encryption algorithm. |
| sec_key_size | The certificate-based, SSPI encryption key size. |
| remote_user_token | A data structure that contains authentication and authorization information for a remote user. |
| local_addr_v4 | The local IP version 4 (IPv4) address over which to apply the condition. The data is in hexadecimal 0x notation. |
| local_addr_v6 | The local IP version 6 (IPv6) address over which to apply the condition. The data is in standard colon notation. |
| remote_addr_v4 | The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation. |
| remote_addr_v6 | The remote IPv6 address over which to apply the condition. The data is in standard colon notation. |
| local_port | The local port where the condition is applied. The port is a decimal number. |
| pipe | The remote named pipe that provides communication between processes on different computers. |
Allowed values for the Endpoint Mapper (EPMAP) Layer
The following values for filtering are allowed for EPMAP Layer conditions. Conditions for the EPMAP layer are used to create interface-specific rules. If_uuid and if_version are both required values. The if_uuid value must be the first value that is specified.
| Value | Description |
|---|---|
| if_uuid | The 128-bit interface UUID. The UUID is formatted as follows: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. The if_uuid is a required value for the EPMAP Layer, and it must be the first value that is specified. |
| if_version | The version of the interface as defined in the RPC IDL file. This is a decimal number. The if_version field is a required value for the EPMAP Layer, and it must be the second value that is specified. |
| protocol | The protocol over which to block. It must be one of the following strings: NCACN_IP_TCP (the TCP protocol) or NCACN_NP (the named pipes protocol). For example, to create a rule that applies to the TCP protocol, use the following command: netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP |
| auth_type | The authentication service type. The value is specified as a decimal number. For more information about authentication service types, see Authentication-Service Constants (http://go.microsoft.com/fwlink/?LinkID=107910). |
| auth_level | The authentication-level constant. This represents authentication levels that are passed to various run-time functions. The value is specified as a decimal number in increasing order, starting with 0. For more information about authentication-level constants, see Authentication-Level Constants (http://go.microsoft.com/fwlink/?LinkID=107912). |
| sec_encrypt_alg | The certificate-based, SSPI encryption algorithm. |
| sec_key_size | The certificate-based, SSPI encryption key size. |
| remote_user_token | A data structure that contains authentication and authorization information for a remote user. |
| local_addr_v4 | The local IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation. |
| local_addr_v6 | The local IPv6 address over which to apply the condition. The data is in standard colon notation. |
| remote_addr_v4 | The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation. |
| remote_addr_v6 | The remote IPv6 address over which to apply the condition. The data is in standard colon notation. |
| local_port | The local port on which to apply the condition. The port is a decimal number. |
| pipe | The remote named pipe that provides communication between processes on different computers. |
Allowed values for the Proxy Interface (PROXY_IF) layer
The following values for filtering are allowed for PROXY_IF Layer conditions. The proxy_if layer applies to interface-specific conditions and rules on an RPC proxy. The if_uuid value is required, and it must be the first value that is specified.
| Value | Description |
|---|---|
| if_uuid | The 128-bit interface UUID. The UUID is formatted as follows: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. The if_uuid value is required, and it must be the first value that is specified. |
| if_version | The version of the interface as defined in the RPC IDL file. This is a decimal number. |
| server_name | The name of the server that is the target for the condition. The name is specified as a string, preceded by s for ASCII or w for Unicode. |
| server_port | The server port that is the target for the condition. The port is specified as a decimal value. |
| proxy_auth_type | The RPC proxy authentication service type. |
| client_token | A data structure that contains authentication and authorization information for the client when it is using an RPC proxy. |
| client_cert_oid | The object identifier in the client certificate. |
| cert_key_length | The SSL key length in the client certificate. |
Allowed values for the Endpoint Addition (EP_ADD) layer
The following values for filtering are allowed for EP_ADD Layer conditions. The EP_ADD layer allows dynamic or static ports to be added to interfaces at run time, regardless of the application. The process_with_if_uuid value is required for the EP_ADD layer, and it must be the first value that is specified. The protocol value is required for the EP_ADD layer, and it must be the second value that is specified.
| Value | Description |
|---|---|
| process_with_if_uuid | The UUID of the interface on which to add the dynamic endpoint port. This value is required, and it must be the first value that is specified. |
| protocol | The protocol over which to block. It must be one of the following strings: NCACN_IP_TCP (the TCP protocol) or NCACN_NP (the named pipes protocol). For example, to create a rule that applies to the TCP protocol, use the following command: netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP. The protocol value is required for the EP_ADD layer, and it must be the second value that is specified. |
| ep_value | The port on which to add the endpoint. The value is specified as a decimal value. If it is not specified, a dynamic endpoint, rather than a static endpoint port, is added to the interface. |
| ep_flags | The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized flag is RPC_FW_IF_FLAG_DCOM (0x0001), which indicates that the condition applies to DCOM activations or calls to DCOM interfaces. For example, to create a condition to block a DCOM activation, use the following command: netsh rpc filter add condition field=if_flag matchtype=equals data=0x0001 |
Allowed values for the Proxy Connect (PROXY_CONN) layer
The following values for filtering are allowed for PROXY_CONN Layer conditions. The PROXY_CONN layer is an RPC communications protocol layer that is used to write non-interface-specific rules for an RPC proxy role.
| Value | Description |
|---|---|
| server_name | The name of the target server that the condition applies to. This is specified as a string preceded with s for ASCII or w for Unicode. |
| server_port | The target server port that the condition applies to. This is specified as a decimal value. |
| proxy_auth_type | The RPC proxy authentication service type. |
| client_token | The client user identity that is produced by the front-end authentication. |
| client_cert_key_name | The client certificate key name. |
| client_cert_oid | The object identifier in the client certificate. |
Allowed values for the MATCHTYPE tag
The match type specifies the type of comparison to perform on a given value.
| Value | Description |
|---|---|
| Equal | Tests whether the value is equal to the condition value. |
| Greater | Tests whether the value is greater than the condition value. |
| Less | Tests whether the value is less than the condition value. |
| Greater or equal | Tests whether the value is greater than or equal to the condition value. |
| Less or equal | Tests whether the value is less than or equal to the condition value. |
| Range | Tests whether the value is within a given range of condition values. |
| All set | Tests whether all flags are set. |
| Any set | Tests whether any flags are set. |
| None set | Tests whether no flags are set. |
add filter
You can specify the rule and the conditions and run the add filter command, which takes those rules and conditions and adds them as a filter to the firewall. You must already have added at least one rule and one condition.
Use the following order when you add rules, conditions, and filters:
1. Add rule.
2. Add conditions.
3. Add the filter that is created by the combination of rules and conditions that you enter. This "add filter" section provides the syntax.
Syntax
```
filter add filter
```
Parameters
This command has no parameters. The command combines the rule and conditions to create an RPC Firewall Filter.
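The add rule, add condition and add filter steps above have per-layer constraints that are easy to get wrong by hand: each layer accepts only its own condition fields, the EPMAP, PROXY_IF and EP_ADD layers require particular fields to come first, IPv4 address data must be given in 0x notation, and string fields such as image_name and server_name need an s or w prefix. The following Python script is an added example, not part of the netsh documentation: it encodes those rules from the tables above and emits the three-command sequence in the order the procedure requires, refusing to emit a sequence that violates them. The function names (build_filter, ipv4_hex, string_data) are my own, the matchtype token is passed through unchanged because the page spells it both "equal" and "equals", and netsh itself is never invoked.

```python
"""Generate and sanity-check 'netsh rpc filter' command sequences.

Added example, not from the netsh documentation. It encodes the per-layer
condition fields and required field ordering from the documentation tables,
plus the data encodings the fields expect (0x hex for IPv4 addresses, an s/w
prefix for string fields), and emits the add rule / add condition / add filter
commands in the required order. netsh itself is not invoked.
"""
import ipaddress
import uuid

# Condition fields allowed for each layer ("Allowed values for the Field tag by Layer").
FIELDS = {
    "um": {"if_uuid", "if_version", "if_flag", "dcom_app_id", "image_name",
           "protocol", "auth_type", "auth_level", "sec_encrypt_alg",
           "sec_key_size", "remote_user_token", "local_addr_v4",
           "local_addr_v6", "remote_addr_v4", "remote_addr_v6", "local_port",
           "pipe"},
    "epmap": {"if_uuid", "if_version", "protocol", "auth_type", "auth_level",
              "sec_encrypt_alg", "sec_key_size", "remote_user_token",
              "local_addr_v4", "local_addr_v6", "remote_addr_v4",
              "remote_addr_v6", "local_port", "pipe"},
    "proxy_if": {"if_uuid", "if_version", "server_name", "server_port",
                 "proxy_auth_type", "client_token", "client_cert_oid",
                 "cert_key_length"},
    "ep_add": {"process_with_if_uuid", "protocol", "ep_value", "ep_flags"},
    "proxy_conn": {"server_name", "server_port", "proxy_auth_type",
                   "client_token", "client_cert_key_name", "client_cert_oid"},
}
# Fields that must be the first conditions of a layer, in this order.
REQUIRED_ORDER = {
    "epmap": ["if_uuid", "if_version"],
    "proxy_if": ["if_uuid"],
    "ep_add": ["process_with_if_uuid", "protocol"],
}
UUID_FIELDS = {"if_uuid", "dcom_app_id", "process_with_if_uuid"}
ACTIONS = {"block", "permit", "continue"}


def ipv4_hex(addr):
    """Encode a dotted IPv4 address in the 0x notation the *_addr_v4 fields expect."""
    return "0x%08X" % int(ipaddress.IPv4Address(addr))


def string_data(value, unicode=False):
    """Prefix a string with s (ASCII) or w (Unicode), as image_name and server_name expect."""
    return ("w" if unicode else "s") + value


def build_filter(layer, actiontype, conditions, filterkey=None,
                 volatile=False, audit=False):
    """Return the ordered netsh commands for one filter.

    conditions is a list of (field, matchtype, data) tuples. ValueError is
    raised for an unknown layer or action, a field the layer does not allow,
    a malformed UUID, or a layer whose required leading fields are missing or
    out of order. matchtype is passed through unchanged.
    """
    layer, actiontype = layer.lower(), actiontype.lower()
    if layer not in FIELDS:
        raise ValueError("unknown layer: %s" % layer)
    if actiontype not in ACTIONS:
        raise ValueError("unknown actiontype: %s" % actiontype)
    fields = [field.lower() for field, _, _ in conditions]
    for field, data in zip(fields, (d for _, _, d in conditions)):
        if field not in FIELDS[layer]:
            raise ValueError("field %s is not allowed for layer %s" % (field, layer))
        if field in UUID_FIELDS:
            uuid.UUID(str(data))  # raises ValueError for a malformed UUID
    need = REQUIRED_ORDER.get(layer, [])
    if fields[:len(need)] != need:
        raise ValueError("layer %s requires conditions to start with %s" % (layer, need))
    rule = "netsh rpc filter add rule layer=%s actiontype=%s" % (layer, actiontype)
    if filterkey:
        rule += " filterkey=%s" % uuid.UUID(str(filterkey))
    if volatile:
        rule += " persistence=volatile"
    if audit:
        rule += " audit=enable"
    commands = [rule]
    for field, (_, matchtype, data) in zip(fields, conditions):
        commands.append("netsh rpc filter add condition field=%s matchtype=%s data=%s"
                        % (field, matchtype, data))
    commands.append("netsh rpc filter add filter")
    return commands


if __name__ == "__main__":
    # Constructed sample: audit (log only) rather than block UM-layer RPC from
    # 192.168.1.1, so the effect can be reviewed before the rule is enforced.
    for cmd in build_filter("um", "block",
                            [("remote_addr_v4", "equal", ipv4_hex("192.168.1.1"))],
                            audit=True):
        print(cmd)
```

Running the script prints the three commands for the audit-mode variant of the "block connections from 192.168.1.1" example; the audit=enable rule parameter is the page's own mechanism for seeing which traffic a filter would have matched before it is actually enforced. Swapping the order of the if_uuid and if_version conditions for an epmap filter, or using a UM-only field on the proxy_conn layer, makes build_filter raise instead of emitting commands that netsh would reject or apply differently than intended.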
show filter
Lists the active RPC Firewall Filters.
Syntax
```
filter show filter
```
Parameters
This command has no parameters. This command lists the currently active RPC filters.
delete filter
Deletes all active RPC Firewall Filters.
Syntax
```
filter delete filter [filterkey=]<filter key>
```
Parameters
| Value | Description |
|---|---|
| All | Deletes all filters. Removes all filters and all rules and conditions that are associated with the filters. |
| <GUID> | Globally unique identifier (GUID). The 128-bit filter identifier. This value is specified in the filterkey tag when you use the add rule command, or it is automatically generated. If it was not specified, you can find the filter key by running the show filter command. The identifier is specified in the following notation: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX |
Remarks
Deleting an RPC Firewall Filter deletes the rules and conditions that are associated with the filter.
Examples
The following example deletes all RPC Firewall Filters:
```
delete filter filterkey=all
```
The following example deletes the filter identified by filter key 11111111-2222-3333-4444-555555555555:
```
delete filter filterkey=11111111-2222-3333-4444-555555555555
```
delete rule
Deletes the current RPC Firewall Filter rule.
Syntax
```
filter delete rule
```
Parameters
This command has no parameters. This command deletes the current RPC Firewall Filter rule. The command deletes the firewall filter rule and associated conditions.
Examples of RPC Firewall Filter commands
The following examples demonstrate the use of RPC Firewall Filters in real-world situations.
To block all RPC connections over TCP:
```
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=protocol matchtype=equals data=NCACN_IP_TCP
netsh rpc filter add filter
```
To block RPC connections on port 12345:
```
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=local_port matchtype=equals data=12345
netsh rpc filter add filter
```
To block RPC connections from server 192.168.1.1 (the address is given in hexadecimal 0x notation):
```
netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=remote_addr_v4 matchtype=equals data=0xC0A80101
netsh rpc filter add filter
```
To add a dynamic endpoint for version 1 of the interface with UUID 11111111-1111-1111-1111-111111111111:
```
netsh rpc filter add rule layer=ep_add actiontype=permit
netsh rpc filter add condition field=process_with_if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=protocol matchtype=equal data=ncacn_ip_tcp
netsh rpc filter add filter
```
To block RPC connections for version 1 of the interface with UUID 11111111-1111-1111-1111-111111111111:
```
netsh rpc filter add rule layer=epmap actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=if_version matchtype=equal data=1
netsh rpc filter add filter
```
On an RPC proxy, to block RPC connections through the proxy to the target server named TargetServer:
```
netsh rpc filter add rule layer=proxy_conn actiontype=block
netsh rpc filter add condition field=server_name matchtype=equals data=sTargetServer
netsh rpc filter add filter
```