Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Saturday, March 16, 2013

event ID 6033 -LSA policy

An anonymous session connected from LOCALMACHINENAME has attempted to
open an LSA policy handle on this machine. The attempt was rejected
with STATUS_ACCESS_DENIED to prevent leaking security sensitive
information to the anonymous caller.
The application that made this attempt needs to be fixed.  Please
contact the application vendor. As a temporary workaround, this
security measure can be disabled by setting the
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr  ol\Lsa\TurnOffAnonymousBlock
DWORD value to 1.
http://support.microsoft.com/kb/839569
http://www.antionline.com/showthread.php?249223-LSA-Policy-Windows-2003-Server
The LSA (Local Security Authority) stores alot of information known as 'LSA secrets' which include usernames,trust releationships,RAS information and tons of other stuff. There is a program called LSADUMP2 that can be run to dump these secrets but I believe this requires physical access and probably admin rights as well, however the log indicates to me someone tried to query an LSA policy object from your machine using an anonymous session which on a vulnerable NT machine could be used to dislose user account names but since you are using W2k3 I wouldnt worry about it, most likely an automated scanner looking for old NT boxes.
 I would however worry about getting a firewall.

No comments: