Yes, that's right. Forget all the patches for RPC buffer overflows, there is a KB article which describes the ports used by IIS which states:
“The RPC port is directly bound to the network adapter, and can
therefore be directly accessed through Telnet. However, because RPC
ports are secure, any requests that are sent are rejected with a “Bad
Request” error message.”
Why didn't they just have it respond “Bad Request” to the buffer overflows? Maybe they didn't listen?