
[Repost] Windows Network Services Internals PPT

Source: Evil Octal Information Security Team (www.eviloctal.com)

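It's a PPT, well illustrated with both text and pictures, and very detailed...
If your English is good, you might as well give it a read; you'll learn a lot from it :)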

Attachment

HiverCon03 Windows Network Services Internals.rar (1.57 MB)

2006-1-24 02:45, downloads: 193


Original link: http://hsc.fr/ressources/articles/win_net_srv/index.html
Revision History
22 October 2003
Initial version.
5 July 2004
Major update
19 October 2004
Port to the docbook typesetting system
20 January 2005
Major update of the NULL sessions section, including new information about Windows XP SP2 and Windows Server 2003 SP1.
19 March 2005
Additional details about NULL session restrictions for samr and lsarpc interfaces on Windows XP and Windows Server 2003 (including for Active Directory domain controllers).
31 May 2005
Many small fixes, additions and reordering of sections.
$LastChangedDate: 2005-06-01 17:44:01 +0200 (Wed, 01 Jun 2005) $
Last update

Table of Contents

1. Introduction
2. TCP/IP stack
2.1. General architecture
2.2. No privileged ports
2.3. Dynamic ports allocation
2.4. Identifying opened ports
2.4.1. netstat command
2.4.2. Identifying processes behind sockets
2.5. Sockets binding and hijacking
2.5.1. SO_EXCLUSIVEADDRUSE socket option
2.5.2. Example of multiple bindings: NetBT driver in Windows NT 4.0 SP6a
2.5.3. Multiple sockets bindings
2.5.4. What happens when SO_EXCLUSIVEADDRUSE is not used?
2.5.5. Windows services and drivers protected against socket hijacking
2.5.6. Global protection against socket hijacking
2.5.7. Diagnosing socket binding problems
2.6. The missing network loopback interface
3. SMB/CIFS
3.1. SMB/CIFS protocol
3.2. NetBIOS over TCP/IP
3.3. SMB transports
4. MSRPC, a.k.a. Microsoft implementation of DCE RPC
4.1. Introduction to MSRPC
4.2. DCE RPC Interface
4.3. DCE RPC transports
4.4. RPC services registration
4.5. DCE RPC over named pipes, a.k.a DCE RPC over SMB
4.5.1. Named pipes
4.5.2. Named pipes used as DCE RPC endpoints
4.5.3. Well-known DCE RPC named pipes endpoints
4.6. NULL sessions
4.6.1. Introduction
4.6.2. Enabling NULL sessions restrictions
4.6.3. The ANONYMOUS LOGON network logon session
4.6.4. Restrictions at the share level
4.6.5. Restrictions on named pipes (IPC$ share)
4.6.6. Hardcoded named pipes
4.6.7. Named pipes permissions
4.6.8. Named pipes firewall in Windows XP SP2 and Windows Server 2003 SP1
4.6.9. NULL sessions restrictions settings in Windows 2000
4.6.10. NULL sessions restrictions settings in Windows XP and Windows Server 2003
4.6.11. NULL session restrictions for the samr interface in Windows XP and Windows Server 2003
4.6.12. NULL session restrictions for the lsarpc interface in Windows XP and Windows Server 2003
4.6.13. NULL sessions restrictions for the samr interface on Active Directory domain controllers
4.6.14. NULL sessions restrictions for the lsarpc interface on Active Directory domain controllers
4.6.15. NULL sessions restrictions of server and workstation RPC operations
4.7. RPC services listening on named pipes
4.7.1. lsarpc interface
4.7.2. dssetup interface
4.7.3. samr interface
4.7.4. netlogon interface
4.7.5. browser interface
4.7.6. eventlog interface
4.7.7. netdfs interface
4.7.8. srvsvc interface
4.7.9. svcctl interface
4.7.10. winreg interface
4.7.11. wkssvc interface
4.7.12. pnp interface
4.8. RPC services over TCP/IP
4.8.1. Portmapper RPC service
4.8.2. RPC services running in the rpcss service
4.8.3. DCOM-related RPC interfaces running in the rpcss service
4.8.4. ORPC services running in the rpcss service
4.9. Windows services running RPC services over TCP/IP
4.9.1. Messenger service
4.9.2. Scheduler service
4.9.3. WINS service
4.9.4. IIS services
4.9.5. Message Queuing and Distributed Transaction Coordinator services
4.9.6. Active Directory domain controllers RPC services
4.9.7. File Replication service
4.9.8. Inter-site Messaging service
4.9.9. Windows DNS server
4.9.10. Exchange RPC services
4.9.11. Exchange RPC services in an Active Directory domain
4.10. Other RPC services
4.10.1. RPC locator service
4.10.2. DNS Client service - Windows 2000
4.10.3. DNS Client service - Windows XP and Windows Server 2003
4.10.4. DHCP Client service
4.10.5. EFS
4.10.6. Cryptographic Services service
4.10.7. Security Configuration Editor Engine
4.10.8. Windows Time service
4.10.9. Windows Audio service
4.10.10. Certificate services
4.10.11. DHCP Server service
4.10.12. Terminal Server service
4.10.13. License Logging service
4.10.14. Secondary Logon service
4.10.15. Protected storage service
4.10.16. Telephony service
4.10.17. Routing and Remote Access service
4.10.18. IPsec Policy Agent service - Windows 2000
4.10.19. IPsec Services service - Windows XP and Windows Server 2003
4.10.20. Distributed Link Tracking Client service
4.10.21. Distributed Link Tracking Server service
4.10.22. WebClient service
4.10.23. Windows File Protection
4.10.24. System Event Notification service
4.10.25. Wireless Configuration service
4.10.26. Winlogon process - Windows 2000
4.10.27. Winlogon process - Windows Server 2003
4.10.28. Application Management service
4.10.29. Microsoft SQL Server
4.11. Implication of multiple RPC services in one process
4.11.1. Win32 services hosting
4.11.2. Example of multiple RPC services in one process
4.11.3. Implications of running multiple RPC services in one process
4.12. RPC services protection
4.13. RPC interfaces restriction in Windows XP SP2 and Windows Server 2003 SP1
4.14. DCOM
4.14.1. COM interfaces
5. Conclusion
Bibliography

List of Tables

4.1. Named pipes used by DCE RPC servers
4.2. lsarpc operations
4.3. dssetup operations
4.4. samr operations
4.5. netlogon operations
4.6. browser operations
4.7. eventlog operations
4.8. netdfs operations
4.9. srvsvc operations
4.10. svcctl operations
4.11. winreg operations
4.12. wkssvc operations
4.13. pnp operations
4.14. epmp operations
4.15. localepmp operations
4.16. DbgIdl operations
4.17. IActivation operations
4.18. IOXIDResolver operations
4.19. ILocalObjectExporter operations
4.20. ISCM operations
4.21. IROT operations
4.22. IMachineActivatorControl operations
4.23. ISCMActivator operations
4.24. IRemoteSCMActivator operations
4.25. msgsvc operations
4.26. msgsvcsend operation
4.27. atsvc operations
4.28. sasec operations
4.29. idletask operations
4.30. winsif operations
4.31. winsi2 operations
4.32. inetinfo operations
4.33. iis_smtp operations
4.34. iis_nntp operations
4.35. iis_imap operations
4.36. iis_pop operations
4.37. qmcomm operations
4.38. qmcomm2 operations
4.39. qm2qm operations
4.40. qmrepl operations
4.41. qmmgmt operations
4.42. IXnRemote operations
4.43. drsuapi operations
4.44. JetBack operations
4.45. JetRest operations
4.46. dsrole operations
4.47. dsaop operations
4.48. FrsRpc operations
4.49. NtFrsApi operations
4.50. PerfFrs operations
4.51. ismapi operations
4.52. ismserv_ip operations
4.53. DnsServer operations
4.54. exchange_mapi operations
4.55. exchange_rfr operations
4.56. rxds operations
4.57. nspi operations
4.58. NsiS operations
4.59. NsiC operations
4.60. NsiM operations
4.61. dnsrslvr operations
4.62. DnsResolver operations
4.63. RpcSrvDHCPC operations
4.64. efsrpc operations
4.65. IKeySvc operations
4.66. ICertProtect operations
4.67. ICatDBSvc operations
4.68. SceSvc operations
4.69. w32time operations
4.70. AudioSrv operations
4.71. ICertPassage operations
4.72. dhcpsrv operations
4.73. dhcpsrv2 operations
4.74. lcrpc operations
4.75. winstation_rpc operations
4.76. lls_license operations
4.77. llsrpc operations
4.78. ISeclogon operations
4.79. IPStoreProv operations
4.80. ICryptProtect operations
4.81. PasswordRecovery operations
4.82. BackupKey operations
4.83. tapsrv operations
4.84. rras operations
4.85. PolicyAgent operations
4.86. winipsec operations
4.87. trkwks operations
4.88. trksvr operations
4.89. davclntrpc operations
4.90. sfcapi operations
4.91. SensApi operations
4.92. SENSNotify operations
4.93. winwzc operations
4.94. InitShutdown operations
4.95. pmapapi operations
4.96. GetUserToken operations
4.97. IUserProfile operations
4.98. IProfileDialog operations
4.99. IRPCSCLogon operations
4.100. appmgmt operations
4.101. RPCnetlib operations
4.102. IOrCallback operations