Port reference
Port 593 (TCP) – RPC over HTTP (MSRPC/EPMAP)
Microsoft RPC endpoint mapper over HTTP — tunnels DCE/RPC calls for Exchange and AD services.
Default state
Open on Windows hosts running RPC-over-HTTP services such as Exchange RPC Proxy and some AD roles, sometimes reachable from outside.
Common attacks
- NTLM relay against coerced RPC authentication
- PetitPotam-style authentication coercion (MS-EFSRPC)
- Endpoint mapper enumeration of exposed RPC interfaces
- Lateral movement via relayed machine accounts to AD CS/LDAP
Hardening
- Block 593 from untrusted networks; keep RPC internal
- Enable Extended Protection for Authentication (EPA) and SMB/LDAP signing
- Patch PetitPotam and PrintNightmare-class coercion bugs
- Disable NTLM where possible; prefer Kerberos
- Segment AD CS and tier-0 services off general access
nmap snippet
nmap -p593 --script rpc-grind <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 593?
Port 593 is the RPC over HTTP endpoint mapper (EPMAP), part of Microsoft's DCE/RPC stack. It does the same job as TCP 135 — telling clients which dynamic port an RPC interface listens on — but tunnels the exchange over HTTP so RPC calls can cross proxies and firewalls. It is most associated with Exchange RPC Proxy and assorted Active Directory services.
Why it matters for security
RPC-over-HTTP exposes a broad set of RPC interfaces that authenticate with NTLM. That makes 593 a prime target for coercion attacks: an attacker forces a server or machine account to authenticate to a host they control, then relays that authentication to another service — LDAP, AD CS, or SMB on 445 — to escalate. Because the channel rides HTTP, it can slip through perimeter controls that would block raw 135.
How it's attacked
Attackers enumerate exposed interfaces through the endpoint mapper, then trigger PetitPotam-style coercion via MS-EFSRPC or similar to make a target authenticate outbound. The captured NTLM is relayed to AD CS or LDAP for certificate or account takeover, enabling lateral movement and domain compromise.
Hardening checklist
Keep 593 off untrusted networks and treat RPC as internal-only. Enable Extended Protection for Authentication and enforce SMB and LDAP signing to break relay chains. Patch PetitPotam, PrintNightmare, and related coercion bugs, prefer Kerberos over NTLM, and segment AD CS and tier-0 roles. Use the nmap snippet above to fingerprint RPC services on hosts you are authorized to test.
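To confirm that the block on 593 actually holds, run a reachability check from a host on the untrusted segment. The script below is an added example, not part of the original page; it assumes the RPC-over-HTTP endpoint mapper greets new connections with the string ncacn_http/1.0, and the function names and finding labels are illustrative.

```python
import socket
import sys

# Assumption: greeting sent by the RPC-over-HTTP endpoint mapper on connect.
RPC_HTTP_BANNER = b"ncacn_http/1.0"


def classify(banner):
    """Map the first bytes read from the port (or None) to a finding."""
    if banner is None:
        return "closed-or-filtered"
    if banner.startswith(RPC_HTTP_BANNER):
        return "rpc-over-http-exposed"
    return "open-no-rpc-banner"


def probe(host, port=593, timeout=3.0):
    """Connect from this vantage point and classify whatever answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)
            except OSError:
                banner = b""  # port accepted the connection but sent nothing
    except OSError:
        return classify(None)  # refused, unreachable, or silently dropped
    return classify(banner)


def audit(hosts, port=593, timeout=3.0):
    """Return {host: finding} for hosts you are authorized to check."""
    return {h: probe(h, port, timeout) for h in hosts}


if __name__ == "__main__":
    findings = audit(sys.argv[1:])
    for host, finding in findings.items():
        print(f"{host}:593 {finding}")
    # Non-zero exit lets a scheduled job alert when exposure appears.
    sys.exit(1 if "rpc-over-http-exposed" in findings.values() else 0)
```

Run it with the hosts as arguments from outside the trusted network; any rpc-over-http-exposed result means the firewall rule is not doing its job for that host.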
Frequently asked questions
- How is port 593 different from port 135?
- Port 135 is the classic DCE/RPC endpoint mapper over TCP; port 593 is the same endpoint-mapper function tunnelled over HTTP, letting RPC traverse proxies and firewalls.
- Should port 593 be exposed to the internet?
- No. Exposed RPC-over-HTTP is a coercion and NTLM-relay surface. Keep it internal and front any remote access with a VPN or modern gateway.