Hi,

I googled and looked for this one but didn't have a good answer. Yesterday my Sygate firewall warned me that lsass.exe is being contacted by a remote machine through port 500 (IPSEC Key Management). My question is: what the hell is this? I know there's a service for Oakley servers and blah blah, but this answer hardly satisfies me... What is the meaning of the remote attempt (which I block)? Does anyone have anything to tell me about lsass and IPsec?

Thanks guys,
Mrk
Unless you have a VPN (Virtual Private Network) this wouldn't apply to you. See: VPN Port 500, udp port 500 scans

Lsass (Local Security Authority Service) is the system process that handles local security and login policies. In the early days of Win2000 there was a UDP DoS exploit via port 500. From some notes:

------------------------------------------
For example, in Windows 2000 there was a remote UDP DoS exploit that used the IKE service running on port 500. All an attacker had to do was connect to port 500 on a random machine with that port open, start sending massive UDP packets (above 500 bytes) to that service, and the CPU usage would hit 99% and the machine would lock up. The typical ports that accept UDP packets are 7, 13, 19 and 37 on a Windows box.
------------------------------------------

If you post your firewall log entry, someone might be able to tell more about it. Meanwhile, your firewall is doing its job.

regards,
-rich
________________
~~Be ALERT!!! ~~
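A small triage script for the situation the reply describes, added here as an example and not taken from the thread or from Sygate: it reads firewall log lines, keeps only inbound UDP/500 (IKE) events, separates hits from the VPN gateway you actually peer with from unsolicited ones, and flags remote addresses that keep hammering the port the way a range scan would. The log line format, the sample lines and the gateway address 198.51.100.20 are all constructed for this example.

```python
"""Triage inbound UDP/500 (IKE) firewall events: expected VPN peer vs. unsolicited hits."""
from collections import Counter

IKE_PORT = 500

# Constructed sample log in an assumed format (not a real Sygate export):
# "<date> <time> <direction> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2004-03-01 10:01:02 inbound UDP 203.0.113.7:500 -> 192.168.1.5:500 blocked
2004-03-01 10:01:05 inbound UDP 203.0.113.7:500 -> 192.168.1.5:500 blocked
2004-03-01 10:02:10 inbound UDP 198.51.100.20:500 -> 192.168.1.5:500 allowed
2004-03-01 10:03:00 inbound UDP 203.0.113.7:500 -> 192.168.1.5:500 blocked
2004-03-01 10:03:30 inbound TCP 203.0.113.9:4444 -> 192.168.1.5:135 blocked
2004-03-01 10:04:00 outbound UDP 192.168.1.5:500 -> 198.51.100.20:500 allowed
"""

# Peers you legitimately negotiate IKE with, i.e. your VPN gateway (hypothetical address).
KNOWN_VPN_PEERS = {"198.51.100.20"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    parts = line.split()
    if len(parts) != 8 or parts[5] != "->":
        return None
    src_ip, _src_port = parts[4].rsplit(":", 1)
    _dst_ip, dst_port = parts[6].rsplit(":", 1)
    return {"direction": parts[2], "proto": parts[3], "src_ip": src_ip,
            "dst_port": int(dst_port), "action": parts[7]}


def triage_ike(log_text):
    """Count inbound IKE hits from known peers and per-IP hits from everyone else."""
    expected, unsolicited = 0, Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["direction"] != "inbound":
            continue
        if ev["proto"] != "UDP" or ev["dst_port"] != IKE_PORT:
            continue  # only the IKE listener lsass.exe exposes is of interest here
        if ev["src_ip"] in KNOWN_VPN_PEERS:
            expected += 1
        else:
            unsolicited[ev["src_ip"]] += 1
    return expected, unsolicited


def scan_suspects(unsolicited, threshold=3):
    """Unknown remotes that hit UDP/500 at least `threshold` times: likely range scanning."""
    return sorted(ip for ip, n in unsolicited.items() if n >= threshold)


if __name__ == "__main__":
    exp, uns = triage_ike(SAMPLE_LOG)
    print(f"expected IKE from known VPN peers: {exp}")
    for ip, n in uns.most_common():
        print(f"unsolicited IKE from {ip}: {n} hit(s)")
    print("repeat offenders:", scan_suspects(uns))
```

If the only inbound IKE you ever see comes from addresses outside your own VPN peer list, blocking the port inbound costs you nothing; a legitimate tunnel you initiate shows up as outbound traffic plus replies from the known peer.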
Hi,

Thanks for the info. Actually I do have a VPN connection. I connect to the internet using an ISP dial connection I configured. It is a VPN....

My questions are: If I permanently block lsass on this port, will my security, updates, whatever be compromised? What can possibly happen if this traffic is allowed?

Along these lines, thanks in advance.
Mrk

P.S. Forgot to add: I use VPN but for non-encrypted protocols, so I guess this is probably some kid scanning IP ranges and my firewall is alerting me....? I checked the firewall on GRC and Sygate; it's fully stealthed. Should I kill this inbound permanently?