[dba-Tech] Firewall alert - lsass.exe

Ralph Bryce ralph at inweb.co.uk
Sun Dec 14 06:49:24 CST 2003


John

At 15:50 13/12/2003, you wrote:

>But what I wanted to know is what specific functions it performed that someone
>could be attempting to use it to break into my computer.
>
>So by "local" security authentication server does it mean that it is used
>only for my internal network or does it have some bearing on internet
>communications also? Just thinking that my firewall should be completely
>masking any internal functions and if it isn't used by internet
>communications I have a hole. I have a dialup connection to the internet.

I'm no expert, but I think it refers to the local machine — here's a bit 
more on the subject...

LSASS.EXE is the Local Security Administration Subsystem and it does a lot more.
As the Local Security Authority component of the Windows NT Security Subsystem, it handles all aspects of security administration on the local computer, including access and permissions, and also works with the domain controllers for validation when and if needed.

Validation in Windows is performed by a protected subsystem called the Local Security Authority (LSA), which maintains information about all aspects of local operating system security.
In addition to providing interactive user authentication services, the LSA does the following:

* Manages local security policy.
* Manages audit policy and settings.
* Generates tokens that contain user and group information as well as information about the security permissions for the user.

The LSA validates your identity based on which entity issued your account. If it was issued by:

* LSA. The LSA can validate your information by checking its own Security Accounts Manager (SAM) database. Any workstation or member server can store local user accounts and information about local groups. However, these accounts can only be used for accessing that workstation or computer.
* Security authority for the local domain or for a trusted domain. The LSA contacts the entity that issued your account and asks it to verify that the account is valid and that you are the account holder.


From KB Article 308356:

The Lsass.exe process is responsible for management of local security 
authority domain authentication and Active Directory management.
This process handles authentication for both the client and the server, and 
it also governs the Active Directory engine.
The Lsass.exe process is responsible for the following components:
* Local Security Authority
* Net Logon service
* Security Accounts Manager service
* LSA Server service
* Secure Sockets Layer (SSL)
* Kerberos v5 authentication protocol
* NTLM authentication protocol

Hope this is of some help. Perhaps someone more knowledgeable might chip in...

Regards,

Ralph Bryce 



