[dba-Tech] Firewall alert - lsass.exe

John Bartow john at winhaven.net
Mon Dec 15 09:40:41 CST 2003


Thanks Ralph, I'm still digesting all of this :o)

> -----Original Message-----
> From: dba-tech-bounces at databaseadvisors.com
> [mailto:dba-tech-bounces at databaseadvisors.com]On Behalf Of Ralph Bryce
> Sent: Sunday, December 14, 2003 6:49 AM
> To: Discussion of Hardware and Software issues
> Subject: RE: [dba-Tech] Firewall alert - lsass.exe
>
>
> John
>
> At 15:50 13/12/2003, you wrote:
>
> >But what I wanted to know is what specific functions it performed that
> >someone could be attempting to use it to break into my computer.
> >
> >So by "local" security authentication server does it mean that it is used
> >only for my internal network or does it have some bearing on internet
> >communications also? Just thinking that my firewall should be completely
> >masking any internal functions and if it isn't used by internet
> >communications I have a hole. I have a dialup connection to the internet.
>
> I'm no expert, but I think it refers to the local machine — here's a bit
> more on the subject...
>
> LSASS.EXE is the Local Security Administration Subsystem and it does a lot
> more.
> As the Local Security Authority component of the Windows NT Security
> Subsystem, it handles all aspects of security administration on the local
> computer, including access and permissions, and also works with the domain
> controllers for validation when and if needed.
>
> Validation in Windows is performed by a protected subsystem called the
> Local Security Authority (LSA), which maintains information about all
> aspects of local operating system security.
> In addition to providing interactive user authentication services, the LSA
> does the following:
> * Manages local security policy.
> * Manages audit policy and settings.
> * Generates tokens that contain user and group information as well as
> information about the security permissions for the user.
> The LSA validates your identity based on which entity issued your account.
> If it was issued by:
> * LSA. The LSA can validate your information by checking its own
>   Security Accounts Manager (SAM) database. Any workstation or member
>   server can store local user accounts and information about local groups.
>   However, these accounts can only be used for accessing that workstation
>   or computer.
> * Security authority for the local domain or for a trusted domain. The LSA
>   contacts the entity that issued your account and asks it to verify that
>   the account is valid and that you are the account holder.
>
>
>  From KB Article 308356:
>
> The Lsass.exe process is responsible for management of local security
> authority domain authentication and Active Directory management.
> This process handles authentication for both the client and the server,
> and it also governs the Active Directory engine.
> The Lsass.exe process is responsible for the following components:
> * Local Security Authority
> * Net Logon service
> * Security Accounts Manager service
> * LSA Server service
> * Secure Sockets Layer (SSL)
> * Kerberos v5 authentication protocol
> * NTLM authentication protocol
>
> Hope this is of some help. Perhaps someone more knowledgeable might chip
> in...
>
> Regards,
>
> Ralph Bryce
>
>
>



