LSA Export block ok ?

Greetings,
I have Port 500 incoming blocked and whenever i download TDS Update my FW informs me that it has blocked LSA Export Shell/ Isass.exe A UDP connection to www.zeylstra.nl i still seem to get the updated download. Should i allow traffic both ways with Port 500 or can i leave it as it is and if so what was the Port 500 activity all about

 

Hi Rainwalker, if you want your Radius update you better allow that traffic if that is the one on top in your update.cfg
Didn't pay attention to which port was used on my system for the update; can imagine you are suspicious for that port.
Can imagine there should be some traffic --> you ask for update <-- radius checks what you have and if your key is ok maybe more --> ok, this is my system's data <-- ok, here is the update <-- update completed, have fun with it! --> thanks and close connection.
Somewhere the firewall seems to be in your story.

I wonder what isass.ee has to do in the story: does PE tell you which activities are on that application, did you ever put that one under socket spy to look into data packets/ senders/ whatever details you can read from that?

 

The Local Security Authority or LSA is a key component of the logon process in all Windows NT versions. The LSA is responsible for validating users for both local and remote logons. The LSA also maintains the local security policy.

I think Windows considers the updater a remote logon and listens on port 500 if any verification is needed.

 

Thanks for getting back Jooske and StAnger

So am i understanding this correctly: it will be ok to allow traffic in both directions on Port 500 (this port does concern me) because that is the port used by LSA Shell / Isass.exe and nasties should be caught by me FW? Again, i SEEM to be getting the updates. Maybe it is just a good idea in general to allow UDP traffic across Port 500 to enable LSA to funtion properly. Any ideas

TIA

 

Hi Rainwalker,
would you please try to update from an other mirror than the one you mentioned (URL belongs to us) and see if this happens again?
I want to know if this is something related just to our server, because we have some services running which require a login.
thanks,
Dolf

 

Hello Dollefie..... sure but where do i find mirrors?

 

In your tds directory you'll find a file named update.cfg. If you open this file with notepad you can change the order of the mirrors to be used.
Dolf

 

Thanks..... will try tomorow as i am already updated.
Are you saying that i should not have received an update from you because of password protection?

 

No, you should get your update alright, but we have some other services running.
But if you want to connect for example to http://www.zeylstra.nl/tds you'll get a 403 error message (forbidden), you are only allowed to connect to http://www.zeylstra.nl/tds/radius.td3 and that is what your update program is doing...
Dolf

 

Think Port Explorer Socket Spy can do a great task here!
You should put both the update.exe and isass.exe under spy and see what happens; in the spy packets you should be able to read some parts of the process.