Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: new IIS worm? (rcp lsass.exe)

From: "Bellenger, Bruno (Paris)" <BelleBru () exchange fr ml com>
Date: Mon, 23 Sep 2002 19:50:00 +0200

Secure Storage ? 
Did you mean 'Protected' Storage, more in line with the MS lexicon ? 
Then this is the task of PSTORES.EXE, not of LSASS.EXE

The original LSASS.EXE is in fact the Local Security Administration
Subsystem and it does a lot more. As the Local Security Authority component
of the Windows NT Security Subsystem, it handles all aspects of security
administration on the local computer, including access and permissions, and
also works with the domain controllers for validation when and if needed. 

To quote Microsoft : (see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/winxppro/reskit/prdp_log_tota.asp) 


Validation in Windows is performed by a protected subsystem called the Local
Security Authority (LSA)
</technet/prodtechnol/winxppro/reskit/gloss_rk_pro.asp?frame=true> , which
maintains information about all aspects of local operating system security.
In addition to providing interactive user authentication services, the LSA
does the following:
*       Manages local security policy. 
*       Manages audit policy and settings. 
*       Generates tokens that contain user and group information as well as
information about the security permissions for the user.
The LSA validates your identity based on which entity issued your account.
If it was issued by:
*       LSA. The LSA can validate your information by checking its own
Security Accounts Manager (SAM) database. Any workstation or member server
can store local user accounts and information about local groups. However,
these accounts can only be used for accessing that workstation or computer. 
*       Security authority for the local domain
</technet/prodtechnol/winxppro/reskit/gloss_rk_pro.asp?frame=true>  or for a
trusted domain. The LSA contacts the entity that issued your account and
asks it to verify that the account is valid and that you are the account
holder.


More detailed information on the Local Security Authority (LSA) at : 
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dsbg_dat_doz
q.htm 

_____________________________________________
Bruno Bellenger
Sr. Network/Systems Administrator 

        -----Original Message-----
        From:   Michael Thompson [SMTP:mike () thompsonmike co uk]
        Sent:   Monday, September 23, 2002 2:26 AM
        To:     incidents () securityfocus com
        Subject:        Re: new IIS worm? (rcp lsass.exe)

        Hello Christian,


                                (snip)


        lsass.exe is the Microsoft Secure Storage for 2000/NT and XP. It is
responsable for managing secure storage in those enviroments.

        -- 
                                Best regards,
                                Michael

        http://wwww.thompsonmike.co.uk/ <http://wwww.thompsonmike.co.uk/> 
        PGP KeyID := 0x3CC985FA
          

        I just can't put it down. 


        
----------------------------------------------------------------------------
        This list is provided by the SecurityFocus ARIS analyzer service.
        For more information on this free incident handling, management 
        and tracking system please see: http://aris.securityfocus.com
<http://aris.securityfocus.com> 
        


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: