LSA Policy??? Windows 2003 Server
Results 1 to 7 of 7

Thread: LSA Policy??? Windows 2003 Server

  1. #1
    Junior Member
    Join Date
    Sep 2003
    Posts
    13

    LSA Policy??? Windows 2003 Server

    I got this in my 'system' event viewer--Windows 2003 Server

    Event ID: 6033
    Event Source: LsaSrv
    Event Type: Error
    Event Description: An anonymous session connected from "LOCAL_COMPUTERNAME" has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
    The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
    This message will be logged at most once a day


    Where LOCAL_COMPUTERNAME is his IP address ( it was an ISP in Italy ).
    Anyone know anything about this??
    I looked in my web logs and there was nothing, I assume he didn't get in over port 80..

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Do you have a firewall in place? If so, do those logs show anything else? If not, why?

    Cheers:
    DjM

  3. #3
    Junior Member
    Join Date
    Sep 2003
    Posts
    13
    No firewall running, just ordered a cheap discontinued webramp 700s off ebay..
    I just ran nmap against my computer, there's more open ports than there were open holes in the french trenches during world war 1.

  4. #4
    Junior Member
    Join Date
    Sep 2003
    Posts
    13
    I'm actually running a small hosting company, leasing out dedicated windows 2003 servers
    as well as running shared boxes as well
    i don't have a firewall in front because i'm not sure what the clients will be doing
    should i put the firewall in front of the shared boxes and not the dedicated?

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    By the looks of it, your 'friend' in Italy is trying to exploit the LSA service, there are quite a few vulnerabilities for the LSA service, just ask google. The good news, it looks like it was blocked, but you have to ask yourself, what else did he/she try and was that also blocked?

    Man, if I were you, I'd look into installing a Firewall, if you get hacked, what do you think your clients will think then.

    Cheers:
    DjM

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If you didn't put a firewall in place because you didn't know what the customers would be doing I'm going to guess that you aren't conversant with firewall management and the opening and closing of ports to allow your clients to do what they need to do.

    That being the case you either need to:-

    1. Hire someone who is competent at firewall administration and let them do it, or
    2. Find a different business to be in.

    Your customers are putting a trust in you - perhaps the biggest trust they can, their reputation as a business. For you to be so cavalier with their trust is inexcusable. Firewall all the boxes immediately. There is no telling the amount of damage that has already been done.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    The LSA (Local Security Authority) stores alot of information known as 'LSA secrets' which include usernames,trust releationships,RAS information and tons of other stuff. There is a program called LSADUMP2 that can be run to dump these secrets but I believe this requires physical access and probably admin rights as well, however the log indicates to me someone tried to query an LSA policy object from your machine using an anonymous session which on a vulnerable NT machine could be used to dislose user account names but since you are using W2k3 I wouldnt worry about it, most likely an automated scanner looking for old NT boxes.

    -Maestr0

    I would however worry about getting a firewall.
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •