LSA Export block ok ?

Discussion in 'Trojan Defence Suite' started by Rainwalker, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Greetings,
I have Port 500 incoming blocked, and whenever I download the TDS update my FW informs me that it has blocked LSA Export Shell / lsass.exe, a UDP connection to www.zeylstra.nl. I still seem to get the updated download. Should I allow traffic both ways with Port 500, or can I leave it as it is, and if so, what was the Port 500 activity all about? o_O
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Rainwalker, if you want your Radius update you had better allow that traffic, if that is the one on top in your update.cfg :)
    I didn't pay attention to which port was used on my system for the update; I can imagine you are suspicious of that port.
    I can imagine there should be some traffic: --> you ask for the update <-- Radius checks what you have and, if your key is OK, maybe more --> OK, this is my system's data <-- OK, here is the update <-- update completed, have fun with it! --> thanks, and close connection.
    Somewhere the firewall seems to be in your story.

    I wonder what lsass.exe has to do with the story: does PE tell you which activities are on that application? Did you ever put that one under Socket Spy to look into data packets / senders / whatever details you can read from that?
     
  3. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    The Local Security Authority or LSA is a key component of the logon process in all Windows NT versions. The LSA is responsible for validating users for both local and remote logons. The LSA also maintains the local security policy.

    I think Windows considers the updater a remote logon and listens on port 500 if any verification is needed.
     
  4. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks for getting back Jooske and StAnger

    So am I understanding this correctly: it will be OK to allow traffic in both directions on Port 500 (this port does concern me) because that is the port used by LSA Shell / lsass.exe, and nasties should be caught by my FW? Again, I SEEM to be getting the updates. Maybe it is just a good idea in general to allow UDP traffic across Port 500 to enable LSA to function properly. Any ideas? :doubt:

    TIA
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi Rainwalker,
    would you please try to update from another mirror than the one you mentioned (that URL belongs to us) and see if this happens again?
    I want to know if this is something related just to our server, because we have some services running which require a login.
    thanks,
    Dolf
     
  6. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hello Dollefie..... sure, but where do I find mirrors?
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    In your tds directory you'll find a file named update.cfg. If you open this file with notepad you can change the order of the mirrors to be used.
    Dolf
     
  8. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks..... will try tomorrow as I am already updated.
    Are you saying that I should not have received an update from you because of password protection?
     
  9. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    No, you should get your update alright, but we have some other services running. ;)
    But if you want to connect, for example, to http://www.zeylstra.nl/tds you'll get a 403 error message (forbidden); you are only allowed to connect to http://www.zeylstra.nl/tds/radius.td3, and that is what your update program is doing...
    Dolf
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Think Port Explorer's Socket Spy can do a great task here!
    You should put both update.exe and lsass.exe under Spy and see what happens; in the Spy packets you should be able to read some parts of the process.
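The triage the whole thread circles around, as an added example that is not from the original posts, the TDS/DiamondCS project, or any firewall vendor: parse firewall alert lines and separate the updater's own HTTP flow (the download of radius.td3 mentioned above) from the lsass.exe UDP 500 events. Two facts it relies on: UDP port 500 is the IANA-assigned ISAKMP/IKE port used for IPsec key negotiation, and on Windows 2000/XP the IKE negotiator runs inside lsass.exe, which is why a personal firewall attributes that traffic to "LSA Shell". Everything else is an assumption made for the example: the log line layout, the sample lines, and the process name update.exe for the updater; a real firewall's log format will differ, so parse_log() is the part to adapt.

```python
"""Triage personal-firewall alerts by process, protocol, port and direction.

Added example, not code from the original thread or from the TDS project.
Assumed: the "time action dir proto process remote:port" log layout below,
the sample lines (constructed), and update.exe as the updater's name.
Facts used: UDP 500 = ISAKMP/IKE; on Windows 2000/XP IKE runs in lsass.exe.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines; not real firewall output.
SAMPLE_LOG = """\
2003-09-28 10:14:02 ALLOW OUT TCP update.exe www.zeylstra.nl:80
2003-09-28 10:14:03 BLOCK IN  UDP lsass.exe  www.zeylstra.nl:500
2003-09-28 10:14:05 BLOCK OUT UDP lsass.exe  www.zeylstra.nl:500
2003-09-28 10:15:11 BLOCK OUT UDP svchost.exe 10.0.0.9:500
2003-09-28 10:15:40 ALLOW OUT TCP iexplore.exe example.com:80
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>ALLOW|BLOCK)\s+(?P<direction>IN|OUT)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<process>\S+)\s+"
    r"(?P<remote>[\w.-]+):(?P<rport>\d{1,5})\s*$"
)

ISAKMP_PORT = 500            # IANA: isakmp (IKE, IPsec key negotiation)
IKE_PROCESS = "lsass.exe"    # Windows 2000/XP: IKE negotiator lives in the LSA process
UPDATER_PROCESS = "update.exe"  # assumed name of the TDS updater binary


@dataclass(frozen=True)
class Event:
    time: str
    action: str
    direction: str
    proto: str
    process: str
    remote: str
    rport: int


def parse_log(text: str) -> List[Event]:
    """Parse lines in the assumed layout; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(d["time"], d["action"], d["direction"], d["proto"],
                            d["process"].lower(), d["remote"].lower(), int(d["rport"])))
    return events


def classify(ev: Event) -> str:
    """Label one event: 'ike', 'updater', 'port500-other' or 'other'."""
    if ev.proto == "UDP" and ev.rport == ISAKMP_PORT:
        # UDP/500 from the LSA process is IKE; from anything else it deserves a look.
        return "ike" if ev.process == IKE_PROCESS else "port500-other"
    if ev.process == UPDATER_PROCESS and ev.proto == "TCP" and ev.rport in (80, 443):
        return "updater"  # the HTTP fetch of the update file
    return "other"


def triage(text: str) -> Dict[str, List[Event]]:
    """Bucket every parsed event by its label."""
    buckets: Dict[str, List[Event]] = {"ike": [], "updater": [], "port500-other": [], "other": []}
    for ev in parse_log(text):
        buckets[classify(ev)].append(ev)
    return buckets


def updater_blocked(text: str) -> bool:
    """True only if an updater flow itself was blocked; blocked IKE events do not count."""
    return any(ev.action == "BLOCK" for ev in triage(text)["updater"])


if __name__ == "__main__":
    for label, evs in triage(SAMPLE_LOG).items():
        for ev in evs:
            print(f"{label:14} {ev.action:5} {ev.direction:3} {ev.proto} {ev.process} -> {ev.remote}:{ev.rport}")
    print("updater blocked:", updater_blocked(SAMPLE_LOG))
```

On the sample input the two lsass.exe UDP 500 events land in the IKE bucket, the update.exe HTTP flow is allowed, and the svchost.exe UDP 500 event is the one that actually warrants investigation. That matches what the thread itself observed: the download still arrived with inbound UDP 500 blocked, so the HTTP updater does not depend on that port, and opening UDP 500 in both directions is only needed on a machine that really negotiates IPsec with a peer.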
     