Tuesday, April 9, 2019

Why does TPAM use ports 49154 and 49155 to connect to managed target hosts?

49154 and 49155 are RPC dynamic ports defined internally by Windows Server. After TPAM makes its initial connection to the managed target host over TCP/135, it uses RPC dynamic ports for the subsequent connections.
WMI / DCOM from DPA/TPAM will need access to TCP/135 to initiate communication on the target. The subsequent conversation then continues on a random negotiated port.
On Windows 2003/XP this would be in the range 1025 - 5000; on Windows 7/Windows 2008 and above: 49152 - 65535.
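The two-phase pattern above (endpoint mapper on TCP/135, then a negotiated port in the OS-specific dynamic range) is what a firewall or log review has to recognise. The following is an added example, not TPAM's own code or anything from One Identity: it classifies constructed connection records per target host using the ranges quoted in this post, so an administrator can see which dynamic ports were actually negotiated and spot a dynamic-port connection that has no preceding TCP/135 hit. The log format, IP addresses and the `legacy`/`modern` labels are assumptions.

```python
from collections import defaultdict

# RPC dynamic port ranges as stated in the post. Assumption: targets use the
# Windows defaults (an admin may have narrowed them with "netsh int ipv4 set dynamicport").
RPC_DYNAMIC_RANGES = {
    "legacy": (1025, 5000),    # Windows 2003 / XP
    "modern": (49152, 65535),  # Windows 7 / 2008 and later
}
RPC_ENDPOINT_MAPPER = 135

# Constructed sample of "src dst dport" records from a TPAM host (10.0.0.5); not real data.
SAMPLE_LOG = """\
10.0.0.5 10.0.1.10 135
10.0.0.5 10.0.1.10 49154
10.0.0.5 10.0.1.10 49155
10.0.0.5 10.0.1.20 135
10.0.0.5 10.0.1.20 1026
10.0.0.5 10.0.1.30 49154
10.0.0.5 10.0.1.10 445
"""

def classify_port(port, os_family):
    """Label a destination port relative to the RPC range of the target's OS family."""
    lo, hi = RPC_DYNAMIC_RANGES[os_family]
    if port == RPC_ENDPOINT_MAPPER:
        return "endpoint-mapper"
    if lo <= port <= hi:
        return "rpc-dynamic"
    return "other"

def audit(log_text, target_os):
    """Group records per target host and summarise the RPC pattern.
    target_os maps target IP -> 'legacy' or 'modern' (unknown hosts default to 'modern')."""
    per_target = defaultdict(list)
    for line in log_text.splitlines():
        _src, dst, dport = line.split()
        per_target[dst].append(int(dport))
    report = {}
    for dst, ports in per_target.items():
        kinds = [classify_port(p, target_os.get(dst, "modern")) for p in ports]
        report[dst] = {
            "endpoint_mapper": "endpoint-mapper" in kinds,
            "dynamic_ports": sorted({p for p, k in zip(ports, kinds) if k == "rpc-dynamic"}),
            # A negotiated-range port with no TCP/135 hit is worth a second look.
            "dynamic_without_epm": "rpc-dynamic" in kinds and "endpoint-mapper" not in kinds,
        }
    return report
```

The `dynamic_ports` list per target is the set a firewall rule would have to allow if the dynamic range cannot be opened wholesale.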

TPAM's standard functionality uses WMI/DCOM to access the target; there is no way to force this off.

To avoid the use of TCP/135, 49154 and 49155:
  1. Make sure none of the following features are in use:
- Managing service account passwords ("Change password for Windows Service started by this account" ticked)
- Managing scheduled task passwords ("Change password for Scheduled Tasks started by this account" ticked)
- Restarting a service ("Automatically restart such Services" ticked)
- Using Account Discovery on the target
- Using Event Capture on PSM sessions (Privileged Session Manager)

  2. Make sure that for every Windows server the Computer Name is filled in under System -> Details -> Information (in upper-case letters). If it is not filled in, TPAM uses WMI to connect to the target host to retrieve the host name.
References:
1. How to configure RPC dynamic port allocation to work with firewalls
2. https://support.oneidentity.com/kb/123021/ports-used-by-windows-or-windows-active-dir-platforms
3. https://support.oneidentity.com/tpam/kb/230930/which-tpam-features-use-wmi-and-which-do-not-