Block remote EFSRPC functionality with RPC Filters
If Microsoft Encrypted File System Remote Protocol (MS-EFSRPC) is not required, administrators should block the remote EFSRPC functionality on the vulnerable host using RPC filters.
-
- Create a text file with the following content:
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit - Use the netsh command line utility to import the RPC filter from an elevated administrator prompt:
netsh -f <FILTER_FILE_NAME> - To confirm the filters are in place, you can view the current RPC filters using the following command:
netsh rpc filter show filter
- Create a text file with the following content:
See CERT Coordination Center Vulnerability Note VU:#405600 for additional details.