
How to Fix: Anonymous Session Connected; Attempted to Open an LSA Policy Handle. Event 6033



Guest Charles Law
Posted


 

The following event 6033 is appearing in the event log of our server every

day. The reported IP address moves around the world and I do not recognise

any of them.

 

The server is running Windows Server 2003 x64, and the Windows firewall is

enabled. There is no hardware firewall.

 

<quote>

An anonymous session connected from <IP address> has attempted to open an

LSA policy handle on this machine. The attempt was rejected with

STATUS_ACCESS_DENIED to prevent leaking security sensitive information to

the anonymous caller.

The application that made this attempt needs to be fixed. Please contact the

application vendor. As a temporary workaround, this security measure can be

disabled by setting the

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock

DWORD value to 1.

This message will be logged at most once a day.

</unquote>

 

I have Googled extensively, and all I can find are other reports of this

problem and no solutions. Microsoft have a KB article on the subject, but it

assumes that the connection is from a known location.

 

Is this an attack?

 

How can I tell which port is being used?

 

How can I tell where this is coming from?

 

How can I stop this from occurring?

 

Thanks anyone with some insight.

 

Charles

Posted

Re: How to Fix: Anonymous Session Connected; Attempted to Open an LSA Policy Handle. Event 6033

 


 

Charles Law wrote:

> The following event 6033 is appearing in the event log of our server every

> day. The reported IP address moves around the world and I do not recognise

> any of them.

>

> The server is running Windows Server 2003 x64, and the Windows firewall is

> enabled. There is no hardware firewall.

>

> <quote>

> An anonymous session connected from <IP address> has attempted to open an

> LSA policy handle on this machine. The attempt was rejected with

> STATUS_ACCESS_DENIED to prevent leaking security sensitive information to

> the anonymous caller.

> The application that made this attempt needs to be fixed. Please contact the

> application vendor. As a temporary workaround, this security measure can be

> disabled by setting the

> \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock

> DWORD value to 1.

> This message will be logged at most once a day.

> </unquote>

 

If you have any open ports/services in the Windows Firewall, and you

have no other protection from the Internet, then those are your

candidates for how the requests are getting to your server.

 

What do you have allowed through your firewall?

 

--

Chris.

Guest Charles Law
Posted

Re: How to Fix: Anonymous Session Connected; Attempted to Open an LSA Policy Handle. Event 6033

 


 

Hi Chris

 

Thanks for the reply. Of the common ports, FTP (21), Remote Desktop, SNMP

(161), 85 and 80 are open.

 

Are any of these consistent with an attempt to "open an LSA policy handle"?

 

Charles

 

 

"Chris M" <nobody@nowhere.special> wrote in message

news:fdfvei$hpn$1@aioe.org...

> Charles Law wrote:

>> The following event 6033 is appearing in the event log of our server

>> every day. The reported IP address moves around the world and I do not

>> recognise any of them.

>>

>> The server is running Windows Server 2003 x64, and the Windows firewall

>> is enabled. There is no hardware firewall.

>>

>> <quote>

>> An anonymous session connected from <IP address> has attempted to open an

>> LSA policy handle on this machine. The attempt was rejected with

>> STATUS_ACCESS_DENIED to prevent leaking security sensitive information to

>> the anonymous caller.

>> The application that made this attempt needs to be fixed. Please contact

>> the application vendor. As a temporary workaround, this security measure

>> can be disabled by setting the

>> \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock

>> DWORD value to 1.

>> This message will be logged at most once a day.

>> </unquote>

>

> If you have any open ports/services in the Windows Firewall, and you have

> no other protection from the Internet, then those are your candidates for

> how the requests are getting to your server.

>

> What do you have allowed through your firewall?

>

> --

> Chris.

Posted

Re: How to Fix: Anonymous Session Connected; Attempted to Open an LSA Policy Handle. Event 6033

 


 

Charles Law wrote:

> Thanks for the reply. Of the common ports, FTP (21), Remote Desktop, SNMP

> (161), 85 and 80 are open.

>

> Are any of these consistent with an attempt to "open an LSA policy handle"?

 

Having never seen the error before, I would only be able to guess.

 

I would put money on it being the SNMP service (why do you need this to

be exposed to the Internet? It's a bit of a security hole).

 

--

Chris.

Guest Charles Law
Posted

Re: How to Fix: Anonymous Session Connected; Attempted to Open an LSA Policy Handle. Event 6033

 


 

Good question. I'm not sure. I'll check with my colleagues and see if they

have a good reason for it, and close it if not.

 

Cheers.

 

Charles

 

 

"Chris M" <nobody@nowhere.special> wrote in message

news:fdifml$c6f$1@aioe.org...

> Charles Law wrote:

>> Thanks for the reply. Of the common ports, FTP (21), Remote Desktop, SNMP

>> (161), 85 and 80 are open.

>>

>> Are any of these consistent with an attempt to "open an LSA policy

>> handle"?

>

> Having never seen the error before, I would only be able to guess.

>

> I would put money on it being the SNMP service (why do you need this to be

> exposed to the Internet? It's a bit of a security hole).

>

> --

> Chris.

Guest Roger Abell [MVP]
Posted

Re: How to Fix: Anonymous Session Connected; Attempted to Open an LSA Policy Handle. Event 6033

 


 

Hi Chris and Charles,

I was reading, not posting, for exactly the same reason - I have not

ever seen that message before either, but after Charles posted the

list of exposures I was also leaning toward the SNMP exposure as

the culprit.

Roger

 

"Chris M" <nobody@nowhere.special> wrote in message

news:fdifml$c6f$1@aioe.org...

> Charles Law wrote:

>> Thanks for the reply. Of the common ports, FTP (21), Remote Desktop, SNMP

>> (161), 85 and 80 are open.

>>

>> Are any of these consistent with an attempt to "open an LSA policy

>> handle"?

>

> Having never seen the error before, I would only be able to guess.

>

> I would put money on it being the SNMP service (why do you need this to be

> exposed to the Internet? It's a bit of a security hole).

>

> --

> Chris.
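
One way to work on "where is this coming from?" over many days of event 6033, as an added example that is not part of the thread: it pulls the source address out of each message (wording as quoted in the first post) and separates internal from Internet-routable sources. The plain-text export format, the `triage` helper and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Wording taken from the event text quoted in the thread; the source address
# sits between "connected from" and "has attempted".
PATTERN = re.compile(
    r"anonymous session connected from (\S+) has attempted to open an "
    r"LSA policy handle", re.IGNORECASE)

# RFC 1918 and loopback ranges, listed explicitly so "internal" means exactly this.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample export (documentation-range addresses, not real sources).
SAMPLE = """\
record 1: An anonymous session connected from 203.0.113.7 has attempted to open an
LSA policy handle on this machine.
record 2: An anonymous session connected from 198.51.100.23 has attempted to open an
LSA policy handle on this machine.
record 3: An anonymous session connected from 192.168.1.40 has attempted to open an
LSA policy handle on this machine.
record 4: An anonymous session connected from 203.0.113.7 has attempted to open an
LSA policy handle on this machine.
"""

def triage(export_text):
    """Return (internal, external, unparsed) from exported event messages."""
    internal, external, unparsed = Counter(), Counter(), []
    # Collapse wrapping so a message split across lines still matches.
    flat = " ".join(export_text.split())
    for raw in PATTERN.findall(flat):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            unparsed.append(raw)  # not an address, e.g. a redacted value
            continue
        is_internal = addr.version == 4 and any(addr in net for net in INTERNAL)
        (internal if is_internal else external)[str(addr)] += 1
    return internal, external, unparsed

if __name__ == "__main__":
    internal, external, unparsed = triage(SAMPLE)
    # The event is logged at most once a day, so each count is a lower bound.
    print("internal sources:", dict(internal))
    print("external sources:", dict(external))
    print("unparsed:", unparsed)
```

An internal source points at a misconfigured application on your own network, which is the case the event text describes; external sources on a host with no perimeter firewall are a reason to review which ports are exposed.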

