LSA Policy??? Windows 2003 Server

Printable View

November 21st, 2003, 06:00 PM
freesource

LSA Policy??? Windows 2003 Server

I got this in my 'system' event viewer--Windows 2003 Server

Event ID: 6033
Event Source: LsaSrv
Event Type: Error
Event Description: An anonymous session connected from "LOCAL_COMPUTERNAME" has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
This message will be logged at most once a day

Where LOCAL_COMPUTERNAME is his IP address ( it was an ISP in Italy ).
Anyone know anything about this??
I looked in my web logs and there was nothing, I assume he didn't get in over port 80..
November 21st, 2003, 06:11 PM
DjM

Do you have a firewall in place? If so, do those logs show anything else? If not, why?

Cheers:
November 21st, 2003, 06:24 PM
freesource

No firewall running, just ordered a cheap discontinued webramp 700s off ebay..
I just ran nmap against my computer, there's more open ports than there were open holes in the french trenches during world war 1.
November 21st, 2003, 06:29 PM
freesource

I'm actually running a small hosting company, leasing out dedicated windows 2003 servers
as well as running shared boxes as well
i don't have a firewall in front because i'm not sure what the clients will be doing
should i put the firewall in front of the shared boxes and not the dedicated?
November 21st, 2003, 06:33 PM
DjM

By the looks of it, your 'friend' in Italy is trying to exploit the LSA service, there are quite a few vulnerabilities for the LSA service, just ask google. The good news, it looks like it was blocked, but you have to ask yourself, what else did he/she try and was that also blocked?

Man, if I were you, I'd look into installing a Firewall, if you get hacked, what do you think your clients will think then.

Cheers:
November 21st, 2003, 08:00 PM
Tiger Shark

If you didn't put a firewall in place because you didn't know what the customers would be doing I'm going to guess that you aren't conversant with firewall management and the opening and closing of ports to allow your clients to do what they need to do.

That being the case you either need to:-

1. Hire someone who is competent at firewall administration and let them do it, or
2. Find a different business to be in.

Your customers are putting a trust in you - perhaps the biggest trust they can, their reputation as a business. For you to be so cavalier with their trust is inexcusable. Firewall all the boxes immediately. There is no telling the amount of damage that has already been done.
November 21st, 2003, 08:27 PM
Maestr0

The LSA (Local Security Authority) stores alot of information known as 'LSA secrets' which include usernames,trust releationships,RAS information and tons of other stuff. There is a program called LSADUMP2 that can be run to dump these secrets but I believe this requires physical access and probably admin rights as well, however the log indicates to me someone tried to query an LSA policy object from your machine using an anonymous session which on a vulnerable NT machine could be used to dislose user account names but since you are using W2k3 I wouldnt worry about it, most likely an automated scanner looking for old NT boxes.

-Maestr0

I would however worry about getting a firewall. :)