Firewall – How to configure Windows Firewall to permit MSRPC

Tags: firewall, rpc, windows-firewall

I am trying to configure endpoint machines with a firewall that only allows white-listed traffic, and all other connections are blocked.

The client machines are desktops and laptops running Windows 7 (both x86 and x64) using the built-in Windows Firewall with Advanced Security. Every machine is part of a Windows Server 2008 domain, and I am configuring the firewall using Group Policy. I am testing this firewall configuration with a small subset of machines.

Right now, I have Windows Firewall configured to block all inbound and outbound traffic that doesn't match an explicit allow rule. Here are the basic communications that are currently enabled:

  • DNS (UDP 53 Out)
  • LDAP (TCP 389 Out, UDP 389 Out)
  • Remote Desktop (TCP 3389 Out)
  • Web Browsing (TCP 80 Out)
  • Preset: Core Networking
  • Preset: Distributed Transaction Coordinator
  • Preset: File and Printer Sharing
  • Preset: Network Discovery
  • Preset: Remote Assistance

In addition, I have a few rules defined for the business applications we use. This has been working fairly well, but today I encountered some problems with MSRPC (Microsoft Remote Procedure Call).

I open mmc.exe and load the computer management snap-in in order to modify the local administrators group. In the "Select Users, Computers…" window I enter the username, then click "Check Names". It gives me the following error:

Windows cannot process the object with the name "Foo Bar" because of the following error:

Access is denied.

When I remove the firewall restrictions, it works fine. The traffic being blocked is MSRPC, and it uses a randomly selected port in the range of [49100…65535].

How can I create a rule for Windows Firewall that allows MSRPC traffic without creating an overly broad rule, such as allowing TCP traffic on all ports?

Best Answer

KB154596 "How to configure RPC dynamic port allocation to work with firewalls"

In short, it looks like you're going to be deploying a lot of registry changes via a GPO. Make sure to document all that you do and why you've done it. If anyone else has to curate the systems there, it will be quite a shock to see something as basic as RPC hardwired to certain ports. Not that it's bad, mind you. Just different.
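As an added example (not code from the question or the answer), this is what the KB154596 registry change and the matching narrow firewall rules look like when typed out; the Group Policy Preferences registry items and the Windows Firewall with Advanced Security rules in the GPO carry the same values. The port range, the domain controller addresses and the rule names are constructed placeholders. The registry values live under HKLM\SOFTWARE\Microsoft\Rpc\Internet on the machines that host the RPC services (assumed here to be the domain controllers, since the lookup that fails is a directory query); the client-side rules then allow outbound TCP only to the endpoint mapper on 135 and to that pinned range, scoped to the DCs and the domain profile, instead of TCP to all ports everywhere.

```powershell
# Added example; not from the question or the answer. Constructed values:
# the dynamic range, the DC addresses and the rule names are placeholders.
# Run elevated. The registry part belongs on the RPC *server* side (the DCs);
# the firewall part belongs on the Windows 7 clients (or in the GPO).

$rpcRange    = "50000-50199"            # constructed: narrowed RPC dynamic range
$dcAddresses = "10.0.0.10,10.0.0.11"    # constructed: domain controller addresses

# --- Server side: pin RPC dynamic port allocation (KB154596) ---
# Ports is REG_MULTI_SZ, one range per entry; both flags must be "Y".
# The RPC runtime reads these at start-up, so a restart is required.
$rpcKey = "HKLM\SOFTWARE\Microsoft\Rpc\Internet"
reg add $rpcKey /v Ports                  /t REG_MULTI_SZ /d $rpcRange /f
reg add $rpcKey /v PortsInternetAvailable /t REG_SZ       /d Y         /f
reg add $rpcKey /v UseInternetPorts       /t REG_SZ       /d Y         /f

# --- Client side: allow only the endpoint mapper and the pinned range ---
# The client contacts TCP 135 first; the endpoint mapper answers with a
# port from the pinned range, which the second rule covers. Scoping both
# rules to the DCs and the domain profile keeps the outbound allow narrow.
netsh advfirewall firewall add rule name="RPC Endpoint Mapper (out, DCs)" `
    dir=out action=allow protocol=TCP remoteport=135 `
    remoteip=$dcAddresses profile=domain
netsh advfirewall firewall add rule name="RPC dynamic range (out, DCs)" `
    dir=out action=allow protocol=TCP remoteport=$rpcRange `
    remoteip=$dcAddresses profile=domain

# Confirm the rules were created with the intended scope
netsh advfirewall firewall show rule name="RPC dynamic range (out, DCs)"
```

When something still fails after the change, the firewall log (enable "Log dropped packets" on the domain profile in the GPO) shows the exact remote port that was dropped, which tells you whether the DC handed out a port outside the pinned range, i.e. whether the registry change took effect after the restart. Keep the range small enough to be reviewable but large enough for the number of concurrent RPC endpoints the DCs host; a too-small range produces intermittent failures that look exactly like the original "Access is denied".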