Block remote MS-EVEN functionality with RPC Filters
If Microsoft EventLog Remoting Protocol (MS-EVEN) is not required, administrators should block the remote MS-EVEN functionality on the vulnerable host using RPC filters.
-
- Create a text file with the following content:
rpc filter add rule layer=um actiontype=block add condition field=if_uuid matchtype=equal data=82273FDC-E32A-18C3-3F78-827929DC23EA add filter quit
- Use the netsh command line utility to import the RPC filter from an elevated administrator prompt:
netsh -f <FILTER_FILE_NAME>
- To confirm the filters are in place, you can view the current RPC filters using the following command:
netsh rpc filter show filter
- Create a text file with the following content:
See CERT Coordination Center Vulnerability Note VU:#405600 for additional details on protecting Active Directory Certificate Services from NTLM relay attacks.