Windows Firewall blocking LSASS, causing DCOM launch error

Paul Baker [MVP, Windows Desktop Experience]
May 1, 2008, 1:29:13 PM

I am having a problem with several Windows Server 2003 SP1 servers on our
domain that have the Windows Firewall service running, but Windows Firewall
configured "off" (by domain policy). I turned on ALL auditing (since I don't
know what I am looking for!) and see that Windows Firewall is blocking LSASS
listening on a UDP port soon after a reboot. Oddly, nothing is logged in
C:\Windows\pfirewall.log. It seems to be a random port number. Below are
three example Event Log entries.

When I try to create a remote out of process DCOM object and the server is
one of the affected servers, it fails to launch the process (DCOM Server
Process Launcher cannot communicate with LSASS?) and I immediately get an
E_ACCESSDENIED error returned. If I disable the Windows Firewall service and
reboot, the problem does not occur. What is going on here? Thanks,

Paul

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:55:53 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1100
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:52:08 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1092
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:52:08 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.

Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1088
Allowed: No
User notified: No

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
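As an added example (not part of the original thread), here is a small Python parser over the three Event ID 861 records above. It groups the blocked listeners by image path and protocol and reports whether the ports fall in the 1025-5000 dynamic range that Windows Server 2003 allocates by default, which is the check a defender runs before deciding whether "random" ports are an ephemeral RPC-style listener or a fixed service port. The sample records are copied from the post and trimmed to the fields the parser reads; DYNAMIC_PORT_RANGE and the function names are this example's own, not anything from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the three Event ID 861 records from the post above,
# trimmed to the fields this parser reads.
SAMPLE_EVENTS = r"""
Event Type: Failure Audit
Event Source: Security
Event ID: 861
Date: 5/1/2008
Time: 11:55:53 AM
Computer: NCOALINK2
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
Service: Yes
RPC server: No
IP protocol: UDP
Port number: 1100
Allowed: No

Event Type: Failure Audit
Event Source: Security
Event ID: 861
Date: 5/1/2008
Time: 11:52:08 AM
Computer: NCOALINK2
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
Service: Yes
RPC server: No
IP protocol: UDP
Port number: 1092
Allowed: No

Event Type: Failure Audit
Event Source: Security
Event ID: 861
Date: 5/1/2008
Time: 11:52:08 AM
Computer: NCOALINK2
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
Service: Yes
RPC server: No
IP protocol: UDP
Port number: 1088
Allowed: No
"""

# "Field: value" lines; the non-greedy key stops at the first colon so that
# values containing colons (Time, Path) survive intact.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

# Default dynamic (ephemeral) port range on Windows Server 2003.
DYNAMIC_PORT_RANGE = range(1025, 5001)


def parse_events(text):
    """Split Event Viewer text into one dict per record, keyed by field name."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # description prose, blank lines, trailer lines
        key, value = m.groups()
        if key == "Event Type":  # every record starts with this field
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def summarize_blocked_listeners(records):
    """Map (image path, protocol) -> sorted ports the firewall refused to
    open, counting only Event 861 records with 'Allowed: No'."""
    blocked = defaultdict(set)
    for r in records:
        if r.get("Event ID") != "861" or r.get("Allowed") != "No":
            continue
        blocked[(r["Path"], r["IP protocol"])].add(int(r["Port number"]))
    return {k: sorted(v) for k, v in blocked.items()}


def classify_ports(ports):
    """Separate dynamic-range ports (expected for RPC/ephemeral listeners)
    from ports outside that range (fixed service ports such as 500/4500)."""
    return {
        "dynamic": [p for p in ports if p in DYNAMIC_PORT_RANGE],
        "outside_dynamic_range": [p for p in ports if p not in DYNAMIC_PORT_RANGE],
    }


if __name__ == "__main__":
    summary = summarize_blocked_listeners(parse_events(SAMPLE_EVENTS))
    for (path, proto), ports in summary.items():
        kinds = classify_ports(ports)
        print(f"{path} {proto}: blocked on {ports} "
              f"(dynamic={kinds['dynamic']}, fixed={kinds['outside_dynamic_range']})")
```

Run against the three records, the parser reports lsass.exe blocked on UDP 1088, 1092 and 1100, all inside the dynamic range, which matches the "random port" observation in the post; the same parser applied to a full export of the Security log would show whether any fixed port (the 500/4500 IPsec listeners lsass also owns) is ever refused.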


Jeffrey Tan[MSFT]
May 2, 2008, 5:02:54 AM

Hi Paul,

Does the 2003 SP1 server have more than one network adapter, even if it is
disabled? Is Routing and Remote access enabled on the server?

Have you checked your DCOM security configuration on Win2003 SP1? Win2003
SP1 introduced the new "Distributed COM Users (Built in Group)". I see one
internal similar case was resolved by adding the user into the "Distributed
COM Users" group so that the user has the "remote activation" permission.
Can you give it a try?

The article below contains more details of the default DCOM security
setting for various users and the security enhancement of Win2003 SP1:
"DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server
2003 Service Pack 1"
http://msdn.microsoft.com/en-us/library/ms679714(VS.85).aspx

I will wait for your further information. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Paul Baker [MVP, Windows Desktop Experience]
May 2, 2008, 9:26:24 AM

Jeffrey,

Yes, I have read about these changes in Windows Server 2003 SP1 and checked
the permissions. The user is not a member of the Distributed COM Users
group, but is a member of the Administrators group which gives them the
launch, activation and access permissions needed. I tried adding the user to
the Distributed COM Users group anyway, and it made no difference.

I think you missed the point that this is a firewall issue. If I disable the
Windows Firewall service, it works as expected.

Paul

"Jeffrey Tan[MSFT]" <je...@online.microsoft.com> wrote in message
news:Pe6%23YNDrI...@TK2MSFTNGHUB02.phx.gbl...

Jeffrey Tan[MSFT]
May 4, 2008, 10:41:41 PM

Hi Paul,

Thanks for your feedback.

Yes, I just want to get confirmation about these basic settings during
scoping. Anyway, I have helped to discuss this issue with the firewall
team.

Based on their feedback, we need to enable firewall logging so that
firewall activities will be logged into pfirewall.log:

netsh firewall set logging filelocation=%windir%\pfirewall.log droppedpackets=enable connections=enable

If you have a machine in this state, could you send me the output of the
following:

netsh firewall show state enable
netsh firewall show config
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters /s
reg query HKLM\Software\Policies\Microsoft\WindowsFirewall /s
reg query "HKLM\Software\Policies\Microsoft\Windows\Network Connections" /s
netstat -ano

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support


Paul Baker [MVP, Windows Desktop Experience]
May 5, 2008, 10:12:54 AM

Hi Jeffrey,

I enabled pfirewall.log, as you suggested. It did not create the log file!
It is still logging in the Security event log several instances of Windows
Firewall blocking LSASS using incoming UDP ports. There are several when I
reboot and one more when I attempt to launch the DCOM server for the first
time.

I put the netsh commands you suggested in a batch file and redirected the
output to a file. Below is the output.

Thanks,

Paul

netsh firewall show state enable

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
Scope: *

Local exceptions allowed by group policy:
-------------------------------------------------------------------
Open ports = Enable
Allowed programs = Enable

Log settings:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable

Service settings:
Mode Customized Name
-------------------------------------------------------------------
Disable No File and Printer Sharing
Scope: *
Disable No UPnP Framework
Scope: *
Disable No Remote Desktop
Scope: *

Port exceptions:
Port Protocol Local policy Mode Name / Service type
-------------------------------------------------------------------
137 UDP Yes Disable NetBIOS Name Service / File and
Printer Sharing
Scope: LocalSubNet
138 UDP Yes Disable NetBIOS Datagram Service / File and
Printer Sharing
Scope: LocalSubNet
139 TCP Yes Disable NetBIOS Session Service / File and
Printer Sharing
Scope: LocalSubNet
445 TCP Yes Disable SMB over TCP / File and Printer
Sharing
Scope: LocalSubNet
1900 UDP Yes Disable SSDP Component of UPnP Framework /
UPnP Framework
Scope: LocalSubNet
2869 TCP Yes Disable UPnP Framework over TCP / UPnP
Framework
Scope: LocalSubNet
3389 TCP Yes Disable Remote Desktop / Remote Desktop
Scope: *

Ports on which programs want to receive incoming connections:
Port Protocol Version PID Type Wildcarded Forced Name / Program
-------------------------------------------------------------------
1025 UDP IPv4 1048 App Yes No (null) /
C:\WINDOWS\system32\svchost.exe
Scope: *
1026 UDP IPv4 1048 App Yes No (null) /
C:\WINDOWS\system32\svchost.exe
Scope: *
500 UDP IPv4 668 App No No (null) /
C:\WINDOWS\system32\lsass.exe
Scope: *
4500 UDP IPv4 668 App No No (null) /
C:\WINDOWS\system32\lsass.exe
Scope: *
161 UDP IPv4 1920 App No No (null) /
C:\WINDOWS\system32\snmp.exe
Scope: *
1040 TCP IPv4 668 RPC No No (null) /
C:\WINDOWS\system32\lsass.exe
Scope: *
123 UDP IPv4 1104 App No No (null) /
C:\WINDOWS\system32\svchost.exe
Scope: *
135 TCP IPv4 668 RPC No No (null) /
C:\WINDOWS\system32\lsass.exe
Scope: *

Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.

ICMP settings for all network interfaces:
Mode Type Description
-------------------------------------------------------------------
Disable 2 Allow outbound packet too big
Disable 3 Allow outbound destination unreachable
Disable 4 Allow outbound source quench
Disable 5 Allow redirect
Disable 8 Allow inbound echo request
Disable 9 Allow inbound router request
Disable 11 Allow outbound time exceeded
Disable 12 Allow outbound parameter problem
Disable 13 Allow inbound timestamp request
Disable 17 Allow inbound mask request

Additional ICMP settings on Local Area Connection 2:
Mode Type Description
-------------------------------------------------------------------
Disable 2 Allow outbound packet too big
Disable 3 Allow outbound destination unreachable
Disable 4 Allow outbound source quench
Disable 5 Allow redirect
Disable 8 Allow inbound echo request
Disable 9 Allow inbound router request
Disable 11 Allow outbound time exceeded
Disable 12 Allow outbound parameter problem
Disable 13 Allow inbound timestamp request
Disable 17 Allow inbound mask request

Local Area Connection 2 firewall settings:
-------------------------------------------------------------------
Operational mode = Disable
Version = IPv4
GUID = {6A3F9F7A-8B59-49E7-B911-87253484DBC4}


C:\Documents and Settings\PaulB\Desktop>netsh firewall show config

Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable

Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable

Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable

Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable

Local Area Connection 2 firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable


C:\Documents and Settings\PaulB\Desktop>reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters /s

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
ServiceDll REG_SZ C:\WINDOWS\system32\ipnathlp.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
DisableNotifications REG_DWORD 0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
139:TCP REG_SZ 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
445:TCP REG_SZ 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
137:UDP REG_SZ 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
138:UDP REG_SZ 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall REG_DWORD 0x0


C:\Documents and Settings\PaulB\Desktop>reg query HKLM\Software\Policies\Microsoft\WindowsFirewall /s

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall REG_DWORD 0x0


C:\Documents and Settings\PaulB\Desktop>reg query "HKLM\Software\Policies\Microsoft\Windows\Network Connections" /s

C:\Documents and Settings\PaulB\Desktop>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 944
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1040 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 792
TCP 127.0.0.1:1051 0.0.0.0:0 LISTENING 1432
TCP 172.16.112.16:139 0.0.0.0:0 LISTENING 4
TCP 172.16.112.16:1092 172.16.112.2:2222 TIME_WAIT 0
TCP 172.16.112.16:1096 172.16.112.9:445 TIME_WAIT 0
TCP 172.16.112.16:1099 172.16.112.2:2222 TIME_WAIT 0
TCP 172.16.112.16:1100 172.16.112.7:139 ESTABLISHED 4
TCP 172.16.112.16:3389 172.16.112.81:3891 ESTABLISHED 792
UDP 0.0.0.0:161 *:* 1920
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 668
UDP 0.0.0.0:1025 *:* 1048
UDP 0.0.0.0:1026 *:* 1048
UDP 0.0.0.0:4500 *:* 668
UDP 127.0.0.1:123 *:* 1104
UDP 127.0.0.1:1027 *:* 668
UDP 127.0.0.1:1045 *:* 612
UDP 127.0.0.1:1069 *:* 1672
UDP 172.16.112.16:123 *:* 1104
UDP 172.16.112.16:137 *:* 4
UDP 172.16.112.16:138 *:* 4

Paul

"Jeffrey Tan[MSFT]" <je...@online.microsoft.com> wrote in message
news:YwHzSmlr...@TK2MSFTNGHUB02.phx.gbl...
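The central discrepancy in the output above is that "netsh firewall show state" reports the domain profile's operational mode as Disable (the Group Policy result) while "netsh firewall show config" reports the locally configured domain profile as Enable. As an added example (not code from the thread or from Microsoft), here is a Python parser for that netsh output that makes the effective-versus-local comparison explicit and also pulls out the logging settings, so the same check can be run over output collected from several servers. The two sample strings are constructed from the relevant sections of the post; section names are taken from the output as pasted, and the function names are this example's own.

```python
import re

# Constructed sample: the relevant sections of the "netsh firewall show state"
# and "netsh firewall show config" output posted above (other sections omitted).
STATE_OUTPUT = r"""
Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
Scope: *

Log settings:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable
"""

CONFIG_OUTPUT = r"""
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable

Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable

Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable
"""

SECTION_RE = re.compile(r"^([A-Za-z0-9 /()]+):$")  # e.g. "Firewall status:"
SETTING_RE = re.compile(r"^(.+?) = (.*)$")         # e.g. "Operational mode = Disable"


def parse_netsh_sections(text):
    """Return {section heading: {setting: value}} from netsh firewall output.
    Lines that are neither a heading nor 'key = value' (rulers, 'Scope: *')
    are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        heading = SECTION_RE.match(line)
        if heading:
            current = sections.setdefault(heading.group(1), {})
            continue
        setting = SETTING_RE.match(line)
        if setting and current is not None:
            current[setting.group(1)] = setting.group(2)
    return sections


def effective_vs_local(state_text, config_text):
    """Compare the operational mode 'show state' reports as in force (which
    reflects Group Policy when 'Group policy version' is set) with the locally
    configured mode 'show config' reports for the same profile."""
    status = parse_netsh_sections(state_text)["Firewall status"]
    config = parse_netsh_sections(config_text)
    profile = status["Profile"]
    local_mode = config[f"{profile} profile configuration (current)"]["Operational mode"]
    return {
        "profile": profile,
        "effective_mode": status["Operational mode"],
        "local_mode": local_mode,
        "group_policy_version": status.get("Group policy version"),
        "policy_overrides_local": status["Operational mode"] != local_mode,
    }


def log_settings(state_text):
    """Where pfirewall.log should be written and what it is set to record."""
    log = parse_netsh_sections(state_text)["Log settings"]
    return {
        "file": log["File location"],
        "dropped_packets": log["Dropped packets"] == "Enable",
        "connections": log["Connections"] == "Enable",
    }


if __name__ == "__main__":
    print(effective_vs_local(STATE_OUTPUT, CONFIG_OUTPUT))
    print(log_settings(STATE_OUTPUT))
```

On the posted output the comparison returns effective_mode "Disable" against local_mode "Enable" with policy_overrides_local set, which is the same picture the registry dump in the post gives: the policy key HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile carries EnableFirewall = 0x0, while the local SharedAccess DomainProfile key carries no EnableFirewall value at all. The log_settings result shows logging of dropped packets and connections configured to C:\WINDOWS\pfirewall.log, which is why the absence of that file is worth raising as a separate finding rather than assuming logging is off.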

Paul Baker [MVP, Windows Desktop Experience]
May 5, 2008, 12:05:24 PM

Hi Jeffrey,

It continues to log in the Security event log Windows Firewall blocking
LSASS using incoming UDP ports. Instances of this are logged regularly
(every few minutes, sometimes in clusters) at seemingly random intervals and
for seemingly random ports. All this when the machine is theoretically idle
waiting for me to debug it :)

pfirewall.log has still not been created.

Paul

"Paul Baker [MVP, Windows Desktop Experience]"
<paulrich...@community.nospam> wrote in message
news:uy63dorr...@TK2MSFTNGP03.phx.gbl...

Paul Baker [MVP, Windows Desktop Experience]
May 5, 2008, 1:15:55 PM

Hi Jeffrey,

Today, for some reason, it is successfully launching the server process
non-interactively on the server in question. This is despite the firewall
activity. Similarly configured servers continue to have the same problem (an
immediate E_ACCESSDENIED error). Is there something sporadic going on here?

Last week, I alternately and repeatedly disabled the Windows Firewall
service, rebooted, attempted to launch / enabled the Windows Firewall
service, rebooted, attempted to launch and found that the launch failed with
E_ACCESSDENIED if and only if the Windows Firewall service was enabled (even
though it was configured Off). Yet today, it is consistently working with
the Windows Firewall service enabled.

Paul

"Paul Baker [MVP, Windows Desktop Experience]"
<paulrich...@community.nospam> wrote in message
news:e30HVnsr...@TK2MSFTNGP03.phx.gbl...

Jeffrey Tan[MSFT]
May 6, 2008, 11:13:36 PM

Hi Paul,

Sorry for the late response, I took sick leave at home yesterday.

I am not sure if I have understood you completely. Do you mean that the
problem suddenly went away mystically? I get this question because I see you
replied with "Yet today, it is consistently working with the Windows Firewall
service enabled".

Do you still need any help on this issue? If so, please feel free to tell
me, I will collaborate with the Windows firewall team to resolve this
problem. Thanks.

Paul Baker [MVP, Windows Desktop Experience]
May 7, 2008, 9:17:20 AM

Yes, I still need help with this issue. The same problem remains on three
other servers. It is still unexplained how it went away on one (I did not
change any configuration).

I need to know if Windows Firewall is supposed to be blocking LSASS on
random UDP ports, even though the firewall is Off and without logging in
pfirewall.log. And, could this explain a failure to launch? I'd hate the
resolution to be disabling the Windows Firewall service without even
understanding what the problem is.

Paul

"Jeffrey Tan[MSFT]" <je...@online.microsoft.com> wrote in message
news:uRTFfB$rIHA...@TK2MSFTNGHUB02.phx.gbl...

Paul Baker [MVP, Windows Desktop Experience]
May 7, 2008, 9:38:10 AM

Jeffrey,

Up until now, I have been describing one server (let's call it "server2").
That is the one I took out of production to test. There are three other
servers as well that we are using (it would be difficult to start fiddling
with them as well, but we can observe their current behaviour easily).
Perhaps knowing their behaviour will help.

server1 - Windows Firewall disabled - E_ACCESSDENIED immediately
server2 - Windows Firewall enabled/off - works
server3 - Windows Firewall enabled/off - E_ACCESSDENIED immediately
server4 - Windows Firewall disabled - E_ACCESSDENIED immediately

The behaviour I saw with server2 seemed to tie it to whether or not Windows
Firewall was disabled. But now it is working, for some unknown reason, while
other similar systems with Windows Firewall disabled also have a problem.
Maybe it is not Windows Firewall.

It seems what I need to know is - what things can cause an E_ACCESSDENIED
error before launching the server process when run as "The launching user"
but not run as "The interactive user"? It can't be launch permissions or
anything obvious. It's got to be something to do with an extra security
check that is done only when it is non-interactive. Can the DCOM folks help
out here?

Thanks a lot,

Paul

"Paul Baker [MVP, Windows Desktop Experience]"
<paulrich...@community.nospam> wrote in message
news:%23yw3uSE...@TK2MSFTNGP02.phx.gbl...

Jeffrey Tan[MSFT]
May 8, 2008, 5:58:16 AM

Hi Paul,

Thanks for your detailed information.

Oh, it seems that this problem is very environment and production server
related, which is not easy to troubleshoot. It may require intensive
troubleshooting time and even remote debugging to find out the root cause,
which we seldom do in MSDN newsgroup support. We normally recommend
customers contact Microsoft CSS for this type of complex production
server level issue.

Anyway, I will contact the Windows Firewall team and get back some
information for you. Thanks.

Paul Baker [MVP, Windows Desktop Experience]
May 8, 2008, 12:56:39 PM

Yes, I understand your position. This is too complicated to support using a
newsgroup.

Paul

"Jeffrey Tan[MSFT]" <je...@online.microsoft.com> wrote in message
news:1jtvQIPs...@TK2MSFTNGHUB02.phx.gbl...

Jeffrey Tan[MSFT]
May 10, 2008, 4:08:16 AM

Hi Paul,

Sorry for letting you wait.

I have sent your detailed log to the Windows firewall triage team twice,
but did not get any response yet. I assume they think it is too complex to
help us on this issue through email and newsgroup. Contacting Microsoft CSS
for the phone support should be a more efficient option.

You can contact Microsoft Product Support directly to discuss additional
support options you may have available, by contacting us at 1-(800)936-5800
or by choosing one of the options listed at:
http://www.microsoft.com/services/microsoftservices/srv_support.mspx

I would say thank you, since you are very kind to understand my position in
newsgroup support.
