There are similar links for CE and Win32 implementations of RDP VC - check MSDN. ALEX From: teknica@xxxxxxxxxxxxx: thin@xxxxxxxxxxxxxxxxxxxx: [THIN] Re: SV: Re: RPC and RDPDate: Fri, 2 Mar 2007 13:17:06 -0800 True statement. Check this:http://msdn2.microsoft.com/en-us/library/aa912846.aspxhttp://msdn2.microsoft.com/en-us/library/aa920229.aspxTons of info for developers but not admins. ALEX From: steveg@xxxxxxxxxxxxxxxx: thin@xxxxxxxxxxxxxxxxxxxx: [THIN] Re: SV: Re: RPC and RDPDate: Fri, 2 Mar 2007 13:42:58 -0700 I agree that this is how it works, but it is funny, I have not been able to find any documentation stating that. Does anyone have anything from MS explaing their implementation of secondary services over RDP? Citrix has a clear explanation and architecture of virtual channels, but I have not found the same kind of information from MS…… Steve Greenberg Thin Client Computing 34522 N. Scottsdale Rd D8453 Scottsdale, AZ 85262 (602) 432-8649 www.thinclient.net steveg@xxxxxxxxxxxxxx From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Bob Coffman Jr - Info From Data Sent: Friday, March 02, 2007 12:24 PMTo: thin@xxxxxxxxxxxxxxxxxxxx: [THIN] Re: SV: Re: RPC and RDP Yes, definitely mapped over a virtual channel. I duplicated the test that Tony ran, 3389 is the only port active with local drives mapped. - Bob Coffman -----Original Message-----From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Alex DanilychevSent: Friday, March 02, 2007 1:29 PMTo: thin@xxxxxxxxxxxxxxxxxxxx: [THIN] Re: SV: Re: RPC and RDP Drives are mapped via VC. ALEX To: thin@xxxxxxxxxxxxxxxxxxxx: [THIN] Re: SV: Re: RPC and RDPFrom: Anthony_Baldwin@xxxxxxxxxxxxx: Fri, 2 Mar 2007 12:53:49 -0500I logged into a W2K3 terminal server using RDP while running a netstat on my PC and I didn't see anything popup except port 3389. So, I'm guessing the drive mapping worked over 3389. The client drives do show up on the terminal server under 'net use' listing, though. I guess a network sniff would tell for sure. Tony "Steve Greenberg" <steveg@xxxxxxxxxxxxxx> Sent by: thin-bounce@xxxxxxxxxxxxx 03/02/2007 12:42 PM Please respond tothin@xxxxxxxxxxxxx To <thin@xxxxxxxxxxxxx> cc Subject [THIN] Re: SV: Re: RPC and RDP I know for sure with ICA that the file transfer traffic is encapsulated inICA and runs over the standard port 1494. With RDP, I *think* it is the sameway over port 3389, however, I am strangely unable to find any documentationsupporting that in the books at my desk or at the MS web site. Does anyonehave a definitive answer to this?? I am pretty sure that if you only allow 3389 that there will not be anyNetBios style direct communication to the file share, but again, I am havinga hard time finding a definitive technical reference on this.... Steve GreenbergThin Client Computing34522 N. Scottsdale Rd D8453Scottsdale, AZ 85262(602) 432-8649www.thinclient.netsteveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On BehalfOf Johan MartensSent: Friday, March 02, 2007 10:03 AMTo: thin@xxxxxxxxxxxxxxxxxxxx: [THIN] SV: Re: RPC and RDPYes I know when they connect true VPN as they are in the LAN. BUT not if youuse the firewall like we do since you can make a policy in it and only allowtraffic on port 3389. So if we have this scenario and connect with RDP andthe client also mapp is local drives to the RDP will he use same functionsas he does as if he just connect to a server true the LAN - NETBIOS.... ?And IF so is it same for ICA protocol?I am sorry but my english is not good enough to explain how RPC works as apart in the file sharing.BUT maybe this will give a hint?The first DCOM hole was discovered on the client side, where supplyingarbitrarily large and malformed parameters via the local DCOM API caused alocal program crash. The exploit took advantage of a buffer overflowregarding the NetBIOS name portion of a fileshare name. If the NetBIOS nameis above 32 bytes in length supplied to the CoGetInstanceFromFile ()function, it would cause a crash in RPCSS.EXE and kill the Microsoft RPCservice. Eventually LSD made the jump to remotely exploiting the problem byhand crafting DCOM request packets that contained the malformed parameter Best regards JohanMed vänlig hälsning Johan MartensTeknik/Agdadrift avdelningen.Agda Lön ABLångskeppsgatan 9, 262 71 Ängelholm Tel 0431-44 94 00 Fax 0431-160 13 mailto:johan@xxxxxxxxxxxxxxxxxx _____ Från: thin-bounce@xxxxxxxxxxxxx genom Steve GreenbergSkickat: fr 2007-03-02 17:12Till: thin@xxxxxxxxxxxxxÄmne: [THIN] Re: RPC and RDPCan you explain how RPC works as part of file sharing? When you grant VPNaccess in this fashion the end user does have the same access as if theywere local, I just don't know how RPC works as part of CIFS file sharing....Steve GreenbergThin Client Computing34522 N. Scottsdale Rd D8453Scottsdale, AZ 85262(602) 432-8649www.thinclient.netsteveg@xxxxxxxxxxxxxx _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On BehalfOf Johan MartensSent: Friday, March 02, 2007 3:10 AMTo: thin@xxxxxxxxxxxxxxxxxxxx: [THIN] RPC and RDPHi guys,I had a discussion with my boss the other day about RPC and RDP.If one of our employees connect to our firewall true VPN and then connect toa Terminal server and the map local drives are mapped true the session. Isit possible for a virus which uses RPC to go true this session, eg does theRDP protocol use the RPC to map the drives like ordinary windows drivemapping does?Thansk for answersBest regardsJohan