

Why is LSA Shell (Export Version) going out to the internet to unrecognized IP addresses?

Posted on 2006-05-24
Medium Priority
Last Modified: 2008-01-09
As I understand it… LSA Shell is a legitimate Windows process so long as it is a valid name in a valid directory having to do with the Local Security Authority.

C:\.WINDOWS\system32\lsass.exe is the executable and directory location and it is the only instance that is running on my computer. I am not experiencing any problems. I have checked for similar .exe files like isass.exe that might be hiding in another directory but have been unable to find any. I have Spybot S&D and Adaware SE and also have Symantec corporate edition running. I update SAV and virus scan every night and run the other programs about once a week and consistently come up clean. I also run Zone Alarm.

That being said, why would LSA be looking to access the internet at an IP address that is not on my local network? What business would it have looking to go out to the net?

I am running XP Pro on MS SBS 2003 at my home office and authenticate to my domain.
Question by:rdilena

Expert Comment

by:Tim Holman
ID: 16755162
The LSA handles aspects of security administration on the local computer, including access and permissions.  If a remote user is trying to access local resources, then the LSA will get involved.  This is perfectly normal, although you might want to look at why this IP address is trying to authenticate with your machine.  Is it an Internet facing machine?

Author Comment

ID: 16755798
I am on an internal network SBS 2003 server that is physically separated from the internet with a second NIC card behind a Linksys router.

Accepted Solution

Tim Holman earned 2000 total points
ID: 16764837
So any machine on the Internet that tries to connect to your SBS 2003 server will invoke the LSA API. What ports do you have open on the Internet facing side? I suspect you may have port 80 open, in which case, someone/something on the Internet is trying to gain elevated privileges to your machine via its web services? As long as you're patched (use MBSA 2.0 as a guideline), then nothing to worry about. This sort of thing would happen all the time (mostly automated bots probing for vulnerable hosts).

Author Comment

ID: 16765935
Thanks – I will double check for the most current patches and look at my port configuration but I believe I’m up to date. What you have said regarding automated attempts makes sense. I’ve checked the log on Zone Alarm which gives the IP source/destination against an ARIN database and the previous attempts over the last month have come from various companies, mostly smaller ISP types and mostly in the US.
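
The two checks discussed in this thread (look-alike image names such as isass.exe, and lsass.exe connections to addresses outside the local network) can be run over a process list and saved `netstat -ano` output. This is an added example, not part of the original posts; the expected image path, the local address ranges, the function names and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import ntpath
# Assumption: default location of the genuine binary on Windows XP.
EXPECTED = r"c:\windows\system32\lsass.exe"
# Ranges treated as "my local network": RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def _fold(name):
    """Map characters often swapped for 'l' (i, 1, |) to 'l'."""
    return name.lower().translate(str.maketrans("i1|", "lll"))

def suspicious_images(processes):
    """processes: (pid, full image path) pairs -> [(pid, path, reason)]."""
    findings = []
    for pid, path in processes:
        name = ntpath.basename(path).lower()
        if name == "lsass.exe":
            if path.lower() != EXPECTED:
                findings.append((pid, path, "lsass.exe outside system32"))
        elif _fold(name) == "lsass.exe":
            findings.append((pid, path, "look-alike name"))
    return findings

def external_peers(netstat_text, pid):
    """IPv4 foreign endpoints owned by pid that lie outside LOCAL_NETS."""
    peers = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or f[-1] != str(pid):
            continue
        try:
            addr = ipaddress.ip_address(f[2].rsplit(":", 1)[0].strip("[]"))
        except ValueError:  # "*:*" on UDP rows
            continue
        if (addr.version == 4 and not addr.is_unspecified
                and not any(addr in net for net in LOCAL_NETS)):
            peers.add(f[2])
    return sorted(peers)
# Constructed sample data, not taken from the thread.
SAMPLE_PROCS = [(652, r"C:\WINDOWS\system32\lsass.exe"), (1980, r"C:\WINDOWS\isass.exe")]
SAMPLE_NETSTAT = """\
  Proto  Local Address       Foreign Address    State        PID
  TCP    192.168.16.10:1042  192.168.16.2:389   ESTABLISHED  652
  TCP    192.168.16.10:1187  203.0.113.45:80    ESTABLISHED  652
  UDP    0.0.0.0:500         *:*                             652
"""
if __name__ == "__main__":
    print(suspicious_images(SAMPLE_PROCS), external_peers(SAMPLE_NETSTAT, 652))
```

Any endpoint it returns for the lsass.exe PID is a candidate for the ARIN lookup and open-port review mentioned in the replies above.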
