BigFix Tuning: Configure TCP/IP: Exclude BES WebUI API Port from Ephemeral Port Ranges
Log In or Register to download the BES file, and more.

0 Votes

Description

Excludes the BigFix WebUI API Port 52315 from being used by Ephemeral Port Ranges

https://forum.bigfix.com/t/problem-fix-with-bes-support-765-reserve-port-for-bes-client-for-dns-servers-windows-2008-2008-r2-windows-2012-2012-r2-windows-2016/23004

https://support.microsoft.com/en-us/topic/you-cannot-exclude-ports-by-using-the-reservedports-registry-key-in-windows-server-2008-or-in-windows-server-2008-r2-a68373fd-9f64-4bde-9d68-c5eded74ea35

Windows stores Port Range Exclusions depending upon protocol:

IPv4/IPv6 TCP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\29

IPv4/IPv6 UDP: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a02-9b1a-11d4-9123-0050047759bc}\5

Interestingly, there are separate netsh commands for ipv4 and ipv6, but the same keys are updated - a given tcp or udp exclusion apply to both ipv4 and to ipv6.

WIthin each Key, range exclusions are stored in REG_BINARY values.

The Name of the value indicates the starting port (first four bytes of name) and the number of excluded ports (next four bytes of the name, in byte-swapped order).

For example, the value named "cc570100" first 4 bytes is cc57, hexadecimal for integer 52311.  The next four bytes are in byte-swapped order and should be read as 0001, or 1 port reserved.

The value of the value, "1200ffff" indicates this is a "range" exclusion type.

Useful sample queries:

TCP exclusions in Registry:

q: ((hexadecimal integer (first 4 of it), (hexadecimal integer (it)) of concatenation of characters (6;7;4;5) of it) of names of it, it) of values of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\29" of registry

UDP exclusions in Registry:

q: ((hexadecimal integer (first 4 of it), (hexadecimal integer (it)) of concatenation of characters (6;7;4;5) of it) of names of it, it) of values of keys "HKLM\System\CurrentControlSet\Control\Nsi\{eb004a02-9b1a-11d4-9123-0050047759bc}\5" of registry

 

Sample Validation (command-line):

C:\>netsh int ipv4 show excludedportrange tcp

Protocol tcp Port Exclusion Ranges

Start Port    End Port
----------    --------
     52315       52315     *

* - Administered port exclusions.

 


Property Details

ID27007
StatusBeta - Preliminary testing ready for more
TitleBigFix Tuning: Configure TCP/IP: Exclude BES WebUI API Port from Ephemeral Port Ranges
DomainBESC
SourceHCL Lab Services
Source Release Date2/2/2019 12:00:00 AM
KeywordsTCP, port, exclude, ephemeral
Added by on 8/4/2023 8:35:41 AM
Last Modified by on 8/4/2023 8:35:41 AM
Counters 903 Views / 3 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Relevance

Used in 20 fixlets and 16 analyses   * Results in a true/false
Show indented relevance
windows of operating system AND (if exists property "in proxy agent context" then not in proxy agent context else true)
Used in 1 fixlet   * Results in a true/false
Show indented relevance
exists main gather service /* applicable only to bes root server */
Used in 1 fixlet   * Results in a true/false
Show indented relevance
/* TCP exclusion is not present, with a start port at or below 52315 and end port at or above 52315 */ not exists (((hexadecimal integer (first 4 of it), (hexadecimal integer (first 4 of it)) + (hexadecimal integer (it)) of concatenation of characters (6;7;4;5) of it - 1) of names of it) of values whose (it as string = "1200ffff") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\29" of registry) whose (item 0 of it <= 52315 and item 1 of it >= 52315)

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script
action uses wow64 redirection false

parameter "portnumber_int"="52315"
parameter "portnumber_hex"="{parameter "portnumber_int" as integer as hexadecimal}"
parameter "valuename"="{parameter "portnumber_hex"}0100"

// While both ipv4 and ipv6 exclusions end up in the same place in the Registry, will use the netsh commands for each
// to protect against systems that may not have both ipv4 and ipv6 enabled

wait netsh int ipv4 add excludedportrange tcp {parameter "portnumber_int"} 1

wait netsh int ipv6 add excludedportrange tcp {parameter "portnumber_int"} 1

// In some cases, have found the exclusion cannot be applied while a process (like BESRootServer) actively has the port locked. In that case, add the reg edit manually
// and flag for required restart

// TCP check - check whether there is an exclusion in registry with a start port below or equal to 52311 and end point above or equal to 52311.
// This exclusion may have just been added by the netsh command above, or netsh may have failed because the port was in use (by BESRootServer or conflicting application)
// If the netsh failed, manually add a new one-port exclusion to registry and flag for 'reboot required'
if {not exists (((hexadecimal integer (first 4 of it), (hexadecimal integer (first 4 of it)) + (hexadecimal integer (it)) of concatenation of characters (6;7;4;5) of it - 1) of names of it) of values whose (it as string = "1200ffff") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}}\29" of registry) whose (item 0 of it <= (parameter "portnumber_int" as integer) and item 1 of it >= (parameter "portnumber_int" as integer) )}
// Name of the value that should be applied in the Registry - "cc5b0100" for the default port 52315 and range of 1 port to exclude
regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{{eb004a03-9b1a-11d4-9123-0050047759bc}\29]" "{parameter "valuename"}"=hex:12,00,ff,ff
action requires restart "bes_webui_tcp_port_exclusion"
endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!