Why is LSA Shell (export Version) going out to the internet to unrecognized ip addresses?

Posted on 2006-05-24
Last Modified: 2008-01-09
As I understand it… LSA Shell is a legitimate Windows process so long as it is a valid name in a valid directory having to do with the Local Security Authority.

C:\.WINDOWS\system32\lsass.exe is the executable and directory location and it is the only instance that is running on my computer. I am not experiencing any problems. I have checked for similar .exe files like isass.exe that might be hiding in another directory but have been unable to find any. I have Spybot S&D and Ad-Aware SE and also have Symantec corporate edition running. I update SAV and virus scan every night and run the other programs about once a week and consistently come up clean. I also run Zone Alarm.

That being said, why would LSA be looking to access the internet at an IP address that is not on my local network? What business would it have looking to go out to the net?

I am running XP Pro on MS SBS 2003 at my home office and authenticate to my domain.
Question by: rdilena

    Expert Comment

    by: Tim Holman
    The LSA handles aspects of security administration on the local computer, including access and permissions. If a remote user is trying to access local resources, then the LSA will get involved. This is perfectly normal, although you might want to look at why this IP address is trying to authenticate with your machine. Is it an Internet-facing machine?

    Author Comment

    I am on an internal network SBS 2003 server that is physically separated from the internet with a second NIC card behind a Linksys router.

    Accepted Solution

    So any machine on the Internet that tries to connect to your SBS 2003 server will invoke the LSA API. What ports do you have open on the Internet-facing side? I suspect you may have port 80 open, in which case, someone/something on the Internet is trying to gain elevated privileges to your machine via its web services? As long as you're patched (use MBSA 2.0 as a guideline), then nothing to worry about. This sort of thing would happen all the time (mostly automated bots probing for vulnerable hosts).

    Author Comment

    Thanks – I will double check for the most current patches and look at my port configuration but I believe I’m up to date. What you have said regarding automated attempts makes sense. I’ve checked the log on Zone Alarm which gives the IP source/destination against an ARIN database and the previous attempts over the last month have come from various companies, mostly smaller ISP types and mostly in the US.
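
Added example (not part of the original thread and not code from any poster): one way to check what the thread discusses, namely which TCP sessions owned by lsass.exe reach addresses outside the local network and whether the remote side opened them. It parses `netstat -ano` output; the sample output, PID 680 and the 192.168.1.0/24 subnet are constructed assumptions, and the real PID would come from `tasklist`.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (documentation-range addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       680
  TCP    192.168.1.10:1025      192.168.1.2:3371       ESTABLISHED     680
  TCP    192.168.1.10:1025      203.0.113.45:4410      ESTABLISHED     680
  TCP    192.168.1.10:3050      198.51.100.7:80        ESTABLISHED     680
  TCP    192.168.1.10:135       203.0.113.9:2211       ESTABLISHED     912
  UDP    0.0.0.0:500            *:*                                    680
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon, so bracketed IPv6 also works."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def external_connections(netstat_text, pid, local_net):
    """Return (direction, remote_ip, local_port) for the PID's TCP sessions
    whose remote address is outside local_net."""
    local_net = ipaddress.ip_network(local_net)
    rows = [line.split() for line in netstat_text.splitlines()]
    tcp = [r for r in rows if len(r) == 5 and r[0] == "TCP" and r[4] == str(pid)]
    # Ports this PID listens on: a session on one of them was opened by the remote side.
    listening = {split_endpoint(r[1])[1] for r in tcp if r[3] == "LISTENING"}
    findings = []
    for proto, local, remote, state, _ in tcp:
        if state != "ESTABLISHED":
            continue
        remote_ip = ipaddress.ip_address(split_endpoint(remote)[0])
        if remote_ip.is_loopback or remote_ip in local_net:
            continue
        port = split_endpoint(local)[1]
        direction = "inbound" if port in listening else "outbound"
        findings.append((direction, str(remote_ip), int(port)))
    return findings

if __name__ == "__main__":
    for finding in external_connections(SAMPLE_NETSTAT, 680, "192.168.1.0/24"):
        print(finding)
```

An "inbound" finding matches the accepted answer's explanation (a remote host connecting to a port the process listens on); an "outbound" finding is the case worth a closer look.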
