Firewall Rules created for lsass

NAV2008

Windows Vista Home Premium 32 bit

DSL box with no "router"

Upon reboot today, I noticed this in my history log:

Firewall rules were automatically created for lsass

Status BLOCKED

All Local Network Adapters

inbound TCP

Now I do not have a home network, just one desktop

I DO NOT have "trust local network" checked in my Auto-Protect options rules

Under program rules

lsass is set at "auto"

so does this block message mean something is NOT secure?

For info Calls:

"The process lsass.exe is the Local Security Authentication Server. It is a safe file from Microsoft. Lsass.exe is responsible for security policy enforcement within the operating system, verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

Whenever a user tries to access the computer, lsass checks if the user's identification is valid or not. The system uses lsass.exe to prevent unwanted users from accessing any private information. Also the file lsass handles user password modifications. If authentication is successful, lsass generates the user's access token, which is used to launch the initial shell. This token includes the file's security descriptor, which contains the necessary information to process user authentication.

Forcible termination of lsass.exe will result in the Welcome screen losing its accounts and you will be prompted to restart your computer."

Thanks Del

with more clarity- here is the entry in the History

Program-   lsass.exe

Program path-   C:\Windows\System32\lsass.exe

Default Action-    Allow

Action Taken-  BLOCK

Local Computer- All local network adapters

Traffic Description-  inbound TCP (and then a port number)

Under

Norton AutoProtect

Internet worm protection

Program Controls

lsass.exe is set to auto.

Now I'm not worried that lsass.exe is a "malicious file"; I know that it is not.

But does this notification mean the process blocked something that could not be authenticated?

Now sometimes on reboot it will say "this one time was user permitted" and sometimes it says "this one time user blocked". Then sometimes on reboot there isn't even a message at all.

so does the "block" aspect mean that lsass.exe is blocking something?

Or that lsass.exe is BEING blocked from performing its duties?

I just want to make sure the setting is right and that lsass.exe is being allowed to function correctly.

Now remember I have just one PC, with a printer and a DSL box (non-router type).

example- I just rebooted now, so I get this message

This one time, user has chosen to "block" communications

Local address: All local network adapters (49155)

Process name: C:\Windows\System32\lsass.exe

so did lsass.exe get blocked from doing its job?

Even with the Windows firewall only, you get a message in the event viewer upon boot that "Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network", and this application is the lsass service.

"If the process now appears (and did not in step 9), then it is most likely a system process, and the event does not indicate an error condition. For example, the LSASS.exe process is a common entry. You can ignore this event if it is generated by a system, non-interactive service such as LSASS.exe."

http://technet.microsoft.com/en-us/library/cc733407%28WS.10%29.aspx

So, even the Windows firewall blocks this Windows service when booting... so nothing to worry about.

Thanks Bombastus

But I'm using the little inbound firewall that comes with NAV2008 and NOT the windows firewall

Also, I'm not sure how what you wrote explains the Norton message

This one time, the user has chosen to block communications

and that local adapters were involved.

Again I'm concerned if this message is saying that I have done something to keep lsass.exe from doing its authenticating job by blocking the process?

and as I said on some reboots the message says it allowed communication. And on other reboots no message at all

Sorry to be so stupid everyone. Maybe I'm not understanding what "local adapters" mean in this specific regard. As I said I have no home network, so are the "local adapters" what connects my computer to the internet? To my DSL box?

Since you built a rule blocking that port, lsass is advising you that all connections are blocked on that port.  So lsass may be permitted automatically, but I think that rule overrides all others since it is at the top.  It is possible that lsass will not be able to connect either out-bound or authenticate any inbound connections, but since nothing is going wrong, and since you built the rule because of another concern, it doesn't seem to hurt anything.  If you continue to fool around with firewall rules, however, you may find yourself unable to connect at all.  I thought you agreed to stop reading your firewall log. :smileywink:

Thanks Del- Yes I was going to STOP looking at firewall logs, etc. But alas, I looked anyway. So now I have this ruminating issue.

You reported that I created a firewall rule to block the port involved with lsass.exe.  But I did NOT. The port block rule I recently created was for port 49152 not port 49155. So the rule I created should not be involved with the issue I have here.

I booted up this morning and again under

Log viewer

  Internet Worm Protection activity

        Alerts

this one time, user has chosen to "block" communications

Local address: all local network adapters (49155)

Process name is C:\Windows\System32\lsass.exe

Again I'm trying to find out what specifically this "blocking" means

1. Does it mean that lsass.exe blocked something that could not be authenticated? Or does it mean that the authenticating function of lsass.exe was blocked from doing its job?

2. Shouldn't it be concerning if lsass.exe was not able to carry out its function?

3. Also does this whole lsass.exe function thing just happen during boot up?

4. The program controls show lsass.exe set to auto, should I change that to always allow?

Under NAV settings, I DO NOT have the "trust local networks" box checked, so I don't know what this may have, if anything, to do with it. Should I run any netstat report to get clarifying information?


Calls wrote:

Thanks Bombastus

But I'm using the little inbound firewall that comes with NAV2008 and NOT the windows firewall

I understand that, but the point is, do you think inbound connections for lsass would be blocked by default during boot if that meant your "Does it mean that lsass.exe blocked something that could not be authenticated? Or does it mean that the authenticating function of lsass.exe was blocked from doing its job"?

And another firewall doing the same thing won't either.

Thanks Bombast- But I'm afraid I'm still somewhat confused. So are you saying that lsass.exe would not be blocked from performing its functions during boot up? But then what accounts for the message?

This one time, user has chosen to "block" communications

Local Address: All local network adapters (49155)

Process name: C:\Windows\System32\lsass.exe

Or is that message saying that lsass.exe during the authenticating process is blocking local network adapters? That lsass.exe for some reason is blocking the adapters? I just want to make sure that lsass.exe is functioning in the way it is supposed to and that something doesn't "sneak" by the authenticating process. I know I sound stupid, but for those who are willing, please continue to help me try to understand this. Much Thanks

That was explained in the link; when it is blocked like this during boot "..-it is most likely a system process, and the event does not indicate an error condition. For example, the LSASS.exe process is a common entry. You can ignore this event if it is generated by a system, non-interactive service such as LSASS.exe."

Hopefully, this will help provide some information, or at least give you a place to clarify information.

https://forums.comodo.com/help-for-v3/settings-t23228.0.html;prev_next=next

Delphinium and Bombast- Thanks for the links. I read them. However, I'm still not clear on the issue regarding my original question. I know I'm not very bright when it comes to computers

And I know that lsass.exe is a windows file and not a Norton item, but I posted the question here because it is the Norton log information that I am trying to understand.

I know that lsass.exe serves the function to authenticate user log ons. So that is why I am concerned that my activity log gives the message

This one time, user has chosen to "block" communications

Local address: All local network adapters (49155)

process name: C:\Windows\System32\lsass.exe

maybe if I break this message down-

1. the blocked communication is what?

2. All local network adapters, is that internal to my machine (parts of my machine communicating to each other)? Or is it my machine connecting to the ISP/internet?

3. Are the connections that are referenced internal between parts of my machine (like me logging onto my computer) or out to the internet or the DSL box?

And again, I think the biggest part I'm stuck at is, according to the message, was lsass.exe blocked from checking the authentication of the network adapters?

4. So that unauthenticated connections were made (was someone else trying to log in on my computer at start up?)

and again, in the Norton settings I had unchecked "trust local network" about 9-12 months ago. Could that have something to do with it?

I just want to make sure that the message is not saying connections were made that were not authenticated, and therefore malicious connections.

1.  Your machine is talking to itself

2.  If you block a port that it needs, it will move to another port

3.  Any incoming use of these ports from outside your system will be blocked

4.  If it is blocked, yes, it means you are protected.

5. I spent about an hour and a half looking this stuff up yesterday which you could easily have done yourself.  It is not a Norton question simply because it is in your logs.  In this case it is a Microsoft question.  These ports are listened to in all Vista and Win 7 machines.  If you have any further questions, direct them to the Microsoft forum.

Del, make no mistake, I really appreciate your feedback

So if I am understanding correctly, the message I have been getting

This one time, user has chosen to "block" communications

all local adapters

C:\Windows\System32\lsass.exe

So it is just an internal thing as part of starting up the computer and logging on?

It really doesn't mean anything as far as internet security and the internet malicious intrusion?

What about that sometimes the message says

this one time, user has chosen to "allow" communication

all local network adapters

C:\Windows\System32\lsass.exe

is that "allow" message dangerous?

so in a nutshell, it has nothing to do with security and the internet or intrusion attempts, etc?


Calls wrote:
[...]

These are startup events and have nothing to do with outside machines. They are simply saying that lsass.exe is being allowed to, or blocked from, listening for outside connections. Even though it may be allowed to listen, the actual connection event will also be evaluated and possibly be blocked at that time.

I'm not sure why you had a block one time and an allow another. My guess is that you got the block first because something had changed on your system and NAV (2008) didn't have enough information about lsass.exe to trust it but later it did. Again, this is also just allowing lsass.exe to listen for external connections, it's not allowing the connections themselves.

thank you Reese (and everyone else for their input)

I think I am starting to understand this and how it relates to the Norton Activity log

A few pieces of information that I need to add

I use DSL, so once I start my computer, it begins to access the internet after several things (like Norton) load.

1. Given that I automatically connect to the internet as part of the start up process, the "This one time, user has chosen to block....." message, does that cause any alarm or concern (since the internet is involved)?

2. As I said awhile ago (maybe 9 months) under Norton setting, I had UNCHECKED "trust local network settings"

    Could this be causing the "block" communication issue?

3. As far as the message "This one time, user has chosen to block communication..." itself, like when it is logged say at 6:45am, does it mean that at 6:45 am it was blocked, but that after that it was allowed to communicate? Or would that have to create another log entry?

Also as I said sometimes at boot up, I will get the "blocked" communication message. Then maybe the next 2 times (maybe a few days later) I boot up, no message at all. Then maybe the next time I boot up after that, I get a "permit" message

Thanks again. I think I'm starting to understand this. Almost there

PLEASE BE PATIENT with me


Calls wrote:

thank you Reese (and everyone else for their input)

I think I am starting to understand this and how it relates to the Norton Activity log

A few pieces of information that I need to add

I use DSL, so once I start my computer, it begins to access the internet after several things (like Norton) load.

1. Given that I automatically connect to the internet as part of the start up process, the "This one time, user has chosen to block....." message, does that cause any alarm or concern (since the internet is involved)?

RA> As mentioned to you previously, NAV will notify you directly if there is anything to be alarmed or concerned about. These log entries are merely for forensic purposes and should only be used if you are actively observing issues such as loss of network connectivity.

2. As I said awhile ago (maybe 9 months) under Norton setting, I had UNCHECKED "trust local network settings"

    Could this be causing the "block" communication issue?

RA> As I just indicated, this message has nothing to do with actual network traffic and therefore has nothing to do with local network settings.

3. As far as the message "This one time, user has chosen to block communication..." itself, like when it is logged say at 6:45am, does it mean that at 6:45 am it was blocked, but that after that it was allowed to communicate? Or would that have to create another log entry?

Also as I said sometimes at boot up, I will get the "blocked" communication message. Then maybe the next 2 times (maybe a few days later) I boot up, no message at all. Then maybe the next time I boot up after that, I get a "permit" message

RA> The message means exactly what it says and nothing more. It might be allowed to communicate in the future or it might not. Whether that future communication attempt is logged or not depends upon a number of factors but you've already noted that an Allow event does show up later and I've already discussed why this might be.

Thanks again. I think I'm starting to understand this. Almost there

PLEASE BE PATIENT with me

Awesome Reese. I think I'm really getting this now. Just a bit more clarity?

I ran some netstat results to see if these may mean anything regarding this issue

Netstat -a

Protocol   Local address    Foreign address   State
TCP        0.0.0.0:49155    MY-PC:0           listening
TCP        [::]:49155       MY-PC:0           listening

Now I have to say looking back, I think I did start noticing these alerts

this one time, user has chosen to block communication

after I did uncheck trust local network. I bring this up because I read via google that if you do NOT have a router, then your local network is the computers hooked to your ISP

So final questions/clarity:

1. Do the netstat results above mean anything significant regarding the issue I raised with this post?

2. So if the alert message says "allowed" or "blocked" communication to all local network adapters, does that mean that lsass.exe was allowed or not allowed to run its authentication process?

3. These alerts mean nothing in regard to lsass.exe performing its duties of authentication and security?

4. None of this has anything to do regarding safety of my computer as far as internet security and remote access?

5. In the future I need not reboot to try to get an allow or block message?


Calls wrote:
[...]

So final questions/clarity:

1. Do the netstat results above mean anything significant regarding the issue I raised with this post?

RA> The netstat results indicate that something is listening on that port.

2. So if the alert message says "allowed" or "blocked" communication to all local network adapters, does that mean that lsass.exe was allowed or not allowed to run its authentication process?

RA> I have no idea why lsass.exe was trying to listen for connections at that time. It was either allowed to or blocked from listening for connections. No connections would've occurred from an outside machine if it was blocked and if it was allowed, any incoming connection requests would've still been validated before allowing that specific connection.

3. These alerts mean nothing in regard to lsass.exe performing its duties of authentication and security?

RA> These aren't alerts. As I said previously, I have no idea why lsass.exe was trying to listen for connection requests from other machines at that moment.

4. None of this has anything to do regarding safety of my computer as far as internet security and remote access?

RA> Since NAV is logging it, then by its very nature it has to do with Internet security. By itself, a program listening for connections is not a security issue.

5. In the future I need not reboot to try to get an allow or block message?

RA> You'll probably see it again for lsass.exe at some point -- probably after a Microsoft update when the file or one of its associates has changed and needs to be reauthenticated.
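Reese's distinction between lsass.exe merely listening on a port and an outside machine actually connecting is exactly what the poster's netstat -a output shows. The following Python script is an added example, not from the thread, Norton or Microsoft: it parses a constructed netstat listing shaped like the posted one (with a loopback listener and one established connection added for contrast) and reports which sockets are only listening on all adapters versus which have an established foreign peer; the 49152-65535 dynamic port range is the standard one on Vista and later.

```python
import re
from dataclasses import dataclass

# Vista and later allocate dynamic (ephemeral) ports from 49152-65535; the RPC
# endpoints hosted by lsass.exe come from this range, so the logged port varies.
DYNAMIC_PORTS = range(49152, 65536)
WILDCARDS = {"0.0.0.0", "[::]"}      # bound on every adapter = "all local network adapters"
LOOPBACKS = {"127.0.0.1", "[::1]"}   # reachable from this machine only

# Constructed sample shaped like the poster's `netstat -a`, plus one loopback
# listener and one established connection (TEST-NET peer) for contrast.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:49155          MY-PC:0                LISTENING
  TCP    [::]:49155             MY-PC:0                LISTENING
  TCP    127.0.0.1:49156        MY-PC:0                LISTENING
  TCP    192.168.1.10:49201     203.0.113.5:http       ESTABLISHED
"""

_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: int
    foreign: str
    state: str

    def scope(self) -> str:
        """Who could reach this socket while it listens."""
        if self.local_host in WILDCARDS:
            return "all local network adapters"
        if self.local_host in LOOPBACKS:
            return "this machine only"
        return f"adapter {self.local_host} only"

def parse_netstat(text: str) -> list[Socket]:
    """Keep TCP/UDP rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, host, port, foreign, state = m.groups()
            rows.append(Socket(proto, host, int(port), foreign, state))
    return rows

def summarize(socks: list[Socket]) -> dict:
    """Separate 'a door exists' (LISTENING) from 'someone came in' (ESTABLISHED)."""
    listening = [s for s in socks if s.state == "LISTENING"]
    established = [s for s in socks if s.state == "ESTABLISHED"]
    return {
        "listening_on_all_adapters": sorted({s.local_port for s in listening if s.local_host in WILDCARDS}),
        "dynamic_range_listeners": sorted({s.local_port for s in listening if s.local_port in DYNAMIC_PORTS}),
        "established_peers": sorted({s.foreign for s in established}),
    }
```

On the poster's listing the summary would report 49155 as a listener on all adapters and no established peers, which is the "listening, not connected" state Reese describes.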