Netsh Commands for Remote Procedure Call (RPC)

Applies To: Windows Server 2008

netshrpc is a command-line tool that you can use to create remote procedure call (RPC) Firewall Filters and the rules and conditions that are associated with the filters.

You can run the Netsh RPC commands from the command prompt for the netsh rpc context. For these commands to work at the Windows Server 2008 command prompt, you must type netsh rpc before typing commands and parameters as they appear in the syntax.

For more information about netsh, see Netsh Overview and Enter a Netsh Context.

You must have the required permissions to run the netsh rpc commands:

  • If you are a member of the Administrators group, and User Account Control is enabled on your computer, run the commands from a command prompt with elevated permissions. To open a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.

  • If you are a member of the Network Operators group, you can run the commands from any command prompt.

  • If you are a not a member of Administrators or Network Operators and you have not been delegated any other permissions to run this command, you can run only the commands that display the settings, not the commands that change the settings.

To view the command syntax, click a command:

  • filter

To view the command syntax for add commands in the RPC Filter context, click a command:

  • add rule

  • add condition

  • add filter

To view the command syntax for show commands in the RPC Filter context, click a command:

  • show filter

To view the command syntax for delete commands in the RPC Filter context, click a command:

  • delete filter

  • delete rule

For information on how to interpret netsh command syntax, see Formatting Legend.

Netsh RPC commands

The following entries provide details for each command.

filter

This command changes the command-line context to the netsh rpc filter subcontext. This subcontext is for running commands that set rules and conditions for RPC Firewall filtering.

Syntax

filter

Parameters

  • add rule
    Adds an RPC Firewall Filter rule.
  • add condition
    Adds a condition to an existing RPC Firewall Filter rule.
  • add filter
    Adds an RPC Firewall Filter.
  • show filter
    Displays a list of active RPC Firewall Filters.
  • delete filter
    Deletes all active RPC Firewall Filters and the rules and conditions that are associated with those filters.
  • delete rule
    Deletes the existing RPC Firewall Filter rules.
  • /?
    Displays help at the command prompt.

add rule

Adds a rule to specify an action when a given condition is met. Rules and conditions are combined to specify RPC Firewall Filters.

Use the following order when you add rules, conditions, and filters:

  1. Add rule. The information in this "add rule" section provides details for step 1 (adding rules), including syntax, parameters, and allowed values.

  2. Add conditions.

  3. Add the filter that is created by the combination of rules and conditions that you enter.

Syntax

filter add rule [layer=]<string> [actiontype=]<string> [[filterkey=]<string>] [[persistence=]volatile] [[audit=]enable]

Parameters

The following sections provide information about the Layer tag and the values of the parameters that are associated with the Layer tag.

Layer tag

RPC Firewall layers represent abstract connection types. Each layer applies to a different aspect of an RPC connection. RPC Firewall layers are not directly related to RPC architectural components, but they are used to specify an aspect or type of RPC connection.

Tag

Required

Default

Description

Allowed values

Layer

Yes

None

Specifies an RPC communications protocol layer.

Um, Epmap, Ep_add, Proxy_conn, Proxy_if

Actiontype

Yes

None

Describes the action to take for the specified layer: block the item, permit the item to invoke a function that executes in another process, or continue processing the rule.

Block, Permit, Continue

Filterkey

No

A randomly generated Universally Unique Identifier (UUID)

A 128-bit, unique identifier to uniquely identify this filter.

UUID

Persistence

No

Persistent

Persists or does not persist if the system is restarted.

Persistent, Volatile

Audit

No

Disabled

Allows auditing of the process or does not audit the process. In Audit mode, rules are not applied and traffic is not filtered. Instead, the RPC filtering engine logs events where a rule would have been applied.

Enabled, Disabled

Allowed values for the Layer tag

Value

Name

Description

um

User Mode layer

An RPC communications protocol layer that is used for high-level policies, such as filtering on a user or application identity.

epmap

The Endpoint Mapper layer

An RPC communications protocol layer that is used to write interface-specific rules.

ep_add

Endpoint Addition layer

A layer that allows dynamic or static endpoint ports to be added for each interface. These layers are not used for filtering. Instead, they are containers that specify an interface and an endpoint to add to the process hosting the interfaces.

proxy_conn

RPC Proxy Connect layer

An RPC communications protocol layer that is used to write non-interface-specific rules for an RPC proxy role.

proxy_if

RPC Proxy Interface layer

An RPC communications protocol layer that is used to write interface-specific rules for an RPC proxy role.

Allowed values for the Actiontype tag

Value

Description

Block

Does not allow the specified item access over RPC.

Permit

Allows the specified item access over RPC.

Continue

Does not allow the specified item access over RPC until all rules in the filter are run. Access is based on the cumulative results of all the rules in the filter.

Allowed values for the Filterkey tag

Value

Name

Description

UUID

Universally Unique Identifier

A unique, 128-bit identifier that identifies this filter.

Allowed values for the Persistence tag

Value

Description

Persistent

The value is stored on the disk and persists through a system restart. This is the default value.

Volatile

The value is not stored. If the system is restarted, the value is lost.

Allowed values for the Audit tag

Note

Value

Disabled

Specifies that the RPC filtering engine does not run in Audit mode. Instead, the RPC filtering engine actively filters traffic and applies the filtering rules. This is the default value.

Examples

The following example adds a rule to block RPC traffic that matches the given condition. This rule applies to the user mode (um) layer. A specific filter key identifies the filter.

add rule layer=um actiontype=block

The following example is a rule to add an endpoint to an interface. The rule references a specific filterkey. This is the only rule that is necessary for adding a dynamic endpoint to an interface.

add rule layer=ep_add actiontype=permit filterkey=11111111-2222-3333-4444-555555555555

add condition

Adds a condition that must be met so that a filtering rule can be applied. Conditions are combined with rules to specify RPC Firewall Filters.

Use the following order when you add rules, conditions, and filters:

  1. Add rule.

  2. Add conditions. The information in this "add condition" section provides details for step 2, including syntax, parameters, and allowed values

  3. Add the filter that is created by the combination of rules and conditions that you enter.

Syntax

Filter add condition [field=]<string> [matchtype=]<string> [data=]<string> 

Parameters

See the following tables for the add condition parameters and their values. The filtering engine checks that the condition you specify is met before the associated rule is run and the filtering is applied. An administrator can use the parameters and their values to fine-tune the filter so that it applies only to the specified RPC port, interface, or transport.

Tag

Required

Default

Description

Allowed Values

Field

Yes

None

Identifies the RPC field where the condition applies. The allowed values of the field tag vary, depending on the layer that is specified in the filtering rule.

See the tables in the section "Allowed values for the Field tag by Layer."

MatchType

Yes

None

Defines the type of comparison to perform on a given field.

See the tables in the section "Allowed values for the MatchType tag."

Data

Yes

None

The data that is used for making comparisons to the value in the field to determine whether your condition is met or not met. The data is compared to the value using the comparison that is defined in the MatchType tag.

The value that is allowed for the Data tag varies for each field that is specified.

Allowed values for the Field tag by Layer

The allowed values for the Field tag depend on the RPC layer to which the rules apply. For each layer, there is a set of allowed Field values. The layer is specified in the add rule command. The following tables describe the allowed values for the Field tag by RPC layer.

Allowed values for the User Mode Layer

The following values for filtering are allowed for User Mode (UM) Layer conditions. There are no required fields for UM Layer conditions.

Allowed value Description

if_uuid

The 128-bit interface UUID. The UUID is formatted as follows:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

if_version

The version of the interface as defined in the RPC Interface Definition Language (IDL) file. This is a decimal number For information about the IDL file, see RPC Architecture (https://go.microsoft.com/fwlink/?LinkId=108499).

if_flag

The RPF Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized flag as described in the following list.

  • Flag: RPC_FW_IF_FLAG_DCOM

  • Value: 0x0001

  • Description: This flag indicates the condition applies to DCOM activations or calls to DCOM interfaces.

For example, to create a condition to block a DCOM activation, use the following command:

Netsh rpc filter add condition field=if_flag matchtype=equals data=0x0001

dcom_app_id

The UUID of the DCOM application where the condition is applied. The UUID is formatted as follows:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

For information about application identifiers, see DCOM Architecture (https://go.microsoft.com/fwlink/?LinkId=108500).

image_name

The name of the executable image. It is specified with an s preceding the name if the name is given in ASCII or with a w if the name is Unicode. For example, to apply this condition on Image.exe, use the following command:

Netsh rpc filter add condition field=image_name matchtype=equal data=simage.exe

protocol

The protocol over which to block. It must be one of the following strings:

NCACN_IP_TCP to indicate the TCP protocol

NCACN_NP to indicate the named pipes protocol

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

auth_type

The authentication service type. The value is specified as a decimal number.

For more information about authentication service types, see Authentication-Service Constants (https://go.microsoft.com/fwlink/?LinkId=107910).

auth_level

The authentication-level constant. This value represents authentication levels that are passed to various run-time functions. The value is specified as a decimal number in increasing order, starting with 0.

For more information about authentication-level constants, see Authentication-Level Constants (https://go.microsoft.com/fwlink/?LinkId=107912).

sec_encrypt_alg

The certificate-based, security service provider interface (SSPI) encryption algorithm.

sec_key_size

The certificate-based, SSPI encryption key size.

remote_user_token

A data structure that contains authentication and authorization information for a remote user.

local_addr_v4

The local IP version 4 (IPv4) address over which to apply the condition. The data is in hexadecimal 0x notation.

local_addr_v6

The local IP version 6 (IPv6) address over which to apply the condition. The data is in standard colon notation.

remote_addr_v4

The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

remote_addr_v6

The remote IPv6 address over which to apply the condition. The data is in standard colon notation.

local_port

The local port where the condition is applied. The port is a decimal number.

pipe

The remote named pipe that provides communication between processes on different computers.

Allowed values for the Endpoint Mapper (EPMAP) Layer

The following values for filtering are allowed for EPMAP Layer conditions. Conditions for the EPMAP layer are used to create interface-specific rules. If_uuid and if_version are both required values. The if_uuid value must be the first value that is specified

Value

Description

if_uuid

The 128-bit, interface UUID. The UUID is formatted as follows:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

The if_uuid is a required value for the EPMAP Layer, and it must be the first value that is specified.

if_version

The version of the interface as defined in the RPC IDL file. This is a decimal number

The if_version field is a required value for the EPMAP Layer, and it must be the second value that is specified.

protocol

The protocol over which to block. It must be one of the following strings:

NCACN_IP_TCP, to indicate the TCP protocol

NCACN_NP, to indicate the named pipes protocol

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

auth_type

The authentication service type. For more information about authentication service types, see Authentication-Service Constants (https://go.microsoft.com/fwlink/?LinkID=107910).

The value is specified as a decimal number.

auth_level

The authentication-level constant. This represents authentication levels that are passed to various run-time functions. For more information about authentication-level constants, see Authentication-Level Constants (https://go.microsoft.com/fwlink/?LinkID=107912).

The value is specified as a decimal number in increasing order starting with 0.

sec_encrypt_alg

The certificate-based, SSPI encryption algorithm.

sec_key_size

The certificate-based, SSPI encryption key size.

remote_user_token

A data structure that contains authentication and authorization information for a remote user.

local_addr_v4

The local IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

local_addr_v6

The local IPv6 address over which to apply the condition. The data is in standard colon notation.

remote_addr_v4

The remote IPv4 address over which to apply the condition. The data is in hexadecimal 0x notation.

remote_addr_v6

The remote IPv6 address over which to apply the condition. The data is in standard colon notation.

local_port

The local port on which to apply the condition. The port is a decimal number.

pipe

The remote named pipe that provides communication between processes on different computers.

Allowed values for the Proxy Interface (PROXY_IF) layer

The following values for filtering are allowed for PROXY_IF Layer conditions. The proxy_if layer applies to interface-specific conditions and rules on an RPC proxy. The if_uuid value is required, and it must be the first value that is specified.

Value

Description

if_uuid

The 128-bit interface UUID. The UUID is formatted as follows:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

The if_uuid value is required, and it must be the first value that is specified.

if_version

The version of the interface as defined in the RPC IDL file. This is a decimal number.

server_name

The name of the server that is the target for the condition. The name is specified as a string, preceded by s for ASCII or w for Unicode.

server_port

The server port that is the target for the condition. The port is specified as a decimal value.

proxy_auth_type

The RPC proxy authentication service type.

client_token

A data structure that contains authentication and authorization information for the client when it is using an RPC proxy.

client_cert_oid

The object identifier in the client certificate.

cert_key_length

The SSL key length in the client certificate.

Allowed values for the Endpoint Addition (EP_ADD) layer

The following values for filtering are allowed for EP_ADD Layer conditions. The EP_ADD layer allows dynamic or static ports to be added to interfaces at run time, regardless of the application. The process_with_if_uuid value is required for the EP_ADD layer, and it must be the first value that is specified. The protocol value is required for the EP_ADD layer, and it must be the second value that is specified.

Value

Description

process_with_if_uuid

The UUID of the interface on which to add the dynamic endpoint port. This value is required, and it must be the first value that is specified.

Protocol

The protocol over which to block. It must be one of the following strings:

NCACN_IP_TCP, to indicate the TCP protocol.

NCACN_NP, to indicate the named pipes protocol.

For example, to create a rule that applies to the TCP protocol, use the following command:

netsh rpc filter add condition field=protocol matchtype=equal data=NCACN_IP_TCP

The protocol value is a required value for the EP_ADD layer, and it must be the second value that is specified.

ep_value

The port on which to add the endpoint. The value is specified as a decimal value. If it is not specified, a dynamic endpoint, rather than a static endpoint port, is added to the interface.

ep_flags

The RPC Firewall Interface flag. The value is a hexadecimal number in 0x notation. The recognized flag is described as follows.

Flag: RPC_FW_IF_FLAG_DCOM

Value: 0x0001

Description: This flag indicates that the condition applies to DCOM activations or calls to DCOM interfaces.

For example, to create a condition to block a DCOM activation, use the following command:

Netsh rpc filter add condition field=if_flag matchtype=equals data=0x0001

Allowed values for the Proxy Connect (PROXY_CONN) layer

The following values for filtering are allowed for PROXY_CONN Layer conditions. The PROXY_CONN layer is an RPC communications protocol layer that is used to write non-interface-specific rules for an RPC proxy role.

Value

Description

server_name

The name of the target server that the condition applies to. This is specified as a string preceded with s for ASCII or w for Unicode.

server_port

The target server port that the condition applies to. This is specified as a decimal value.

proxy_auth_type

The RPC proxy authentication service type.

client_token

The client user identity that is produced by the front-end authentication.

client_cert_key_name

The client certificate key name.

client_cert_oid

The object identifier in the client certificate.

Allowed values for the MATCHTYPE tag

The match type specifies the type of comparison to perform on a given value.

Value

Description

Equal

Tests whether the value is equal to the condition value.

Greater

Tests whether the value is greater than the condition value.

Less

Tests whether the value is less than the condition value.

Greater or equal

Tests whether the value is greater than or equal to the condition value.

Less or equal

Tests whether the value is less than or equal to the condition value.

Range

Tests whether the value is within a given range of condition values.

All set

Tests whether all flags are set.

Any set

Tests whether any flags are set.

None set

Tests whether no flags are set.

add filter

You can specify the rule and the conditions and run the add filter command, which takes those rules and conditions and adds them as a filter to the firewall. You must already have added at least one rule and one condition.

Use the following order when you add rules, conditions, and filters:

  1. Add rule.

  2. Add conditions.

  3. Add the filter that is created by the combination of rules and conditions that you enter. This "add filter" section provides the syntax.

Syntax

filter add filter 

Parameters

This command has no parameters. The command combines the rule and conditions to create an RPC Firewall Filter.

show filter

Lists the active RPC Firewall Filters.

Syntax

filter show filter

Parameters

This command has no parameters. This command lists the currently active RPC filters.

delete filter

Deletes all active RPC Firewall Filters.

Syntax

filter delete filter.<filter key>

Parameters

Value Description

All

Deletes all filters. Removes all filters and all rules and conditions that are associated with the filters.

<GUID>

Globally unique identifier (GUID). The 128-bit filter identifier. This value is specified in the filterkey tag when you use the add filter command or it is automatically generated. If it is not specified, you can find the filter key by running the show filter command. The identifier is specified in the following notation:

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Remarks

Deleting an RPC Firewall Filter deletes the rules and conditions that are associated with the filter.

Example

The following example deletes all RPC Firewall Filters:

delete filter filterkey=all

The following example deletes the filter identified by filter key 11111111-2222-3333-4444-555555555555:

Delete filter filterkey=11111111-2222-3333-4444-555555555555

delete rule

Deletes the current RPC Firewall Filter rule.

Syntax

filter delete rule

Parameters

This command has no parameters. This command deletes the current RPC Firewall Filter rule. The command deletes the firewall filter rule and associated conditions.

Examples of RPC Firewall Filter commands

The following examples demonstrate the use of RPC Firewall Filters in real-world situations.

To block all RPC connections over TCP:

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=protocol matchtype=equals data= NCACN_IP_TCP
netsh rpc filter add filter

To block RPC connections on port 12345:

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=local_port matchtype=equals data=12345
netsh rpc filter add filter

To block RPC connections from server 192.168.1.1:

netsh rpc filter add rule layer=um actiontype=block
netsh rpc filter add condition field=remot_addr_v4 matchtype=equals data=0xC0A80101
netsh rpc filter add filter

To add a dynamic endpoint for version 1 of the interface with UUID 11111111-1111-1111-1111-111111111111:

netsh rpc filter add rule layer=ep_add actiontype=permit
netsh rpc filter add condition field= process_with_if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=protocol matchtype=equal data=ncacn_ip_tcp
netsh rpc filter add filter

To block RPC connections for version 1 of the interface with UUID 11111111-1111-1111-1111-111111111111:

netsh rpc filter add rule layer=epmap actiontype=block
netsh rpc filter add condition field=if_uuid matchtype=equal data=11111111-1111-1111-1111-111111111111
netsh rpc filter add condition field=if_version matchtype=equal data=1
netsh rpc filter add filter

For an RPC proxy, it is possible to block RPC connections through the RPC proxy where the target server is named TargetServer:

netsh rpc filter add rule layer=proxy_conn actiontype=block
netsh rpc filter add condition field=server_name matchtype=equals data=sTargetServer
netsh rpc filter add filter