Security Incidents mailing list archives
RE: new IIS worm? (rcp lsass.exe)
From: "Bellenger, Bruno (Paris)" <BelleBru () exchange fr ml com>
Date: Mon, 23 Sep 2002 19:50:00 +0200
Secure Storage ? Did you mean 'Protected' Storage, more in line with the MS lexicon ? Then this is the task of PSTORES.EXE, not of LSASS.EXE The original LSASS.EXE is in fact the Local Security Administration Subsystem and it does a lot more. As the Local Security Authority component of the Windows NT Security Subsystem, it handles all aspects of security administration on the local computer, including access and permissions, and also works with the domain controllers for validation when and if needed. To quote Microsoft : (see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn ol/winxppro/reskit/prdp_log_tota.asp) Validation in Windows is performed by a protected subsystem called the Local Security Authority (LSA) </technet/prodtechnol/winxppro/reskit/gloss_rk_pro.asp?frame=true> , which maintains information about all aspects of local operating system security. In addition to providing interactive user authentication services, the LSA does the following: * Manages local security policy. * Manages audit policy and settings. * Generates tokens that contain user and group information as well as information about the security permissions for the user. The LSA validates your identity based on which entity issued your account. If it was issued by: * LSA. The LSA can validate your information by checking its own Security Accounts Manager (SAM) database. Any workstation or member server can store local user accounts and information about local groups. However, these accounts can only be used for accessing that workstation or computer. * Security authority for the local domain </technet/prodtechnol/winxppro/reskit/gloss_rk_pro.asp?frame=true> or for a trusted domain. The LSA contacts the entity that issued your account and asks it to verify that the account is valid and that you are the account holder. More detailed information on the Local Security Authority (LSA) at : http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dsbg_dat_doz q.htm _____________________________________________ Bruno Bellenger Sr. Network/Systems Administrator -----Original Message----- From: Michael Thompson [SMTP:mike () thompsonmike co uk] Sent: Monday, September 23, 2002 2:26 AM To: incidents () securityfocus com Subject: Re: new IIS worm? (rcp lsass.exe) Hello Christian, (snip) lsass.exe is the Microsoft Secure Storage for 2000/NT and XP. It is responsable for managing secure storage in those enviroments. -- Best regards, Michael http://wwww.thompsonmike.co.uk/ <http://wwww.thompsonmike.co.uk/> PGP KeyID := 0x3CC985FA I just can't put it down. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com <http://aris.securityfocus.com> ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- new IIS worm? (rcp lsass.exe) Christian Mock (Sep 22)
- Re: new IIS worm? (rcp lsass.exe) Björn Wallentinus (Sep 22)
- Re: new IIS worm? (rcp lsass.exe) Michael Thompson (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Lasse Sundström (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 23)
- <Possible follow-ups>
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) pj (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Bellenger, Bruno (Paris) (Sep 24)
- Slapper worm DoS james (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Eloy A. Paris (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Mark Challender (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) James Williams (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Ben Timby (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) sunzi (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Faisal Ashraf (Sep 26)
(Thread continues...)