Windows Firewall blocking LSASS, causing DCOM launch error
- From: "Paul Baker [MVP, Windows Desktop Experience]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
- Date: Thu, 1 May 2008 13:29:13 -0400
I am having a problem with several Windows Server 2003 SP1 servers on our
domain that have the Windows Firewall service running, but Windows Firewall
configured "off" (by domain policy). I turned on ALL auditing (since I don't
know what I am looking for!) and see that Windows Firewall is blocking LSASS
listening on a UDP port soon after a reboot. Oddly, nothing is logged in
C:\Windows\pfirewall.log. It seems to be a random port number. Below are
three example Event Log entries.
When I try to create a remote out-of-process DCOM object and the server is
one of the affected servers, it fails to launch the process (DCOM Server
Process Launcher cannot communicate with LSASS?) and I immediately get an
E_ACCESSDENIED error returned. If I disable the Windows Firewall service and
reboot, the problem does not occur. What is going on here? Thanks,
Paul
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:55:53 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1100
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:52:08 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1092
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:52:08 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1088
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
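The three audit entries above are easiest to reason about once they are collapsed into one line per process, protocol and port. The following is an added example, not code from the post or from Microsoft: a small parser for Event ID 861 entries as they appear in exported Event Log text, which collects the ports each executable was refused permission to listen on and notes whether those ports fall inside the default Windows Server 2003 dynamic port range (1025-5000), which is what makes them look "random". The sample input is constructed from the fixed fields of the quoted entries; the fourth, allowed entry (svchost.exe, PID 1016, port 3456, "Success Audit") is invented for contrast and is not from the post.

```python
"""Summarise Windows Firewall 'application listening' audits (Event ID 861).

Added example for the thread above; not part of the original post.
"""
import re
from collections import defaultdict

# Field layout copied from the entries quoted in the post; the varying
# fields (time, path, pid, port, allowed) are filled in below.
_TEMPLATE = r"""Event Type: {etype}
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: {time}
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: {path}
Process identifier: {pid}
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: {port}
Allowed: {allowed}
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""

LSASS = r"C:\WINDOWS\system32\lsass.exe"

# Constructed sample: the three blocked LSASS entries from the post, plus one
# invented allowed entry (svchost.exe) so the filter has something to skip.
SAMPLE_LOG = "".join([
    _TEMPLATE.format(etype="Failure Audit", time="11:55:53 AM", path=LSASS,
                     pid=716, port=1100, allowed="No"),
    _TEMPLATE.format(etype="Failure Audit", time="11:52:08 AM", path=LSASS,
                     pid=716, port=1092, allowed="No"),
    _TEMPLATE.format(etype="Failure Audit", time="11:52:08 AM", path=LSASS,
                     pid=716, port=1088, allowed="No"),
    _TEMPLATE.format(etype="Success Audit", time="11:52:09 AM",
                     path=r"C:\WINDOWS\system32\svchost.exe",
                     pid=1016, port=3456, allowed="Yes"),
])

# "Key: value" lines; the key must start with a capital so that the trailing
# "http://..." help URL is not mistaken for a field.
_FIELD = re.compile(r"^([A-Z][A-Za-z ]*):\s*(.*)$")

# Default dynamic (ephemeral) port range on Windows Server 2003.
DYNAMIC_RANGE_2003 = range(1025, 5001)


def parse_events(text):
    """Split exported Event Log text into one dict of fields per event."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            m = _FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "Event ID" in fields:          # skip the empty preamble chunk
            events.append(fields)
    return events


def blocked_listeners(events):
    """Map (path, protocol) -> sorted ports the firewall refused to open."""
    blocked = defaultdict(set)
    for ev in events:
        if ev.get("Event ID") == "861" and ev.get("Allowed") == "No":
            key = (ev["Path"], ev["IP protocol"])
            blocked[key].add(int(ev["Port number"]))
    return {k: sorted(v) for k, v in blocked.items()}


def report(events):
    """One summary line per blocked (path, protocol), flagging ephemeral ports."""
    lines = []
    for (path, proto), ports in sorted(blocked_listeners(events).items()):
        note = ""
        if all(p in DYNAMIC_RANGE_2003 for p in ports):
            note = " (all in the 2003 dynamic range 1025-5000: assigned at runtime, not a fixed service port)"
        lines.append("%s %s blocked on ports %s%s" % (path, proto, ports, note))
    return lines


if __name__ == "__main__":
    for line in report(parse_events(SAMPLE_LOG)):
        print(line)
```

Run against a real export, the report makes the pattern in the post obvious at a glance: a single executable, one protocol, a handful of ports that are all in the dynamic range, and every one of them refused. A blocked port outside that range, or a path other than lsass.exe, would point at a different problem.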
- Follow-Ups:
- RE: Windows Firewall blocking LSASS, causing DCOM launch error
- From: "Jeffrey Tan[MSFT]"