RE: Username shown as SYSTEM? - 22.Jul.2002 10:34:00 PM
I have the same thing showing up sporadically for every firewall client we have in our office. I thought it might have been Norton AntiVirus going out to get updates, but the only machine we published to use that port was the primary Norton AntiVirus server. Anyway, this SYSTEM session will be active along with the actual user associated with the IP address, so a single IP address shows up twice as a session. This makes me nervous... I do not see how "System" can authenticate, since that account is not listed in our Active Directory. I will look into it further, but this should not be happening. Could this be the first big exploit on ISA?
RE: Username shown as SYSTEM? - 23.Jul.2002 12:56:00 AM
I think I may have figured this one out, but my changes may cause other unexpected errors. I was looking for where in the heck the system could have been allowed to authenticate from and found a reference in the management console: under "Servers & Arrays", right-click on your server name and select Properties. Once in the properties for the ISA server, take a look under the Security tab. If "Allow inheritable permissions" is checked, then most likely "System" has access to the program. I then disabled inheritable permissions, placed "Authenticated Users" with read-only permission, and allowed firstname.lastname@example.org full rights. This allows admins and users access but does not allow System through. I do not know if this is working yet, but everything seems to run fine and I no longer see SYSTEM from a user's desktop logged on. email@example.com
RE: Username shown as SYSTEM? - 23.Jul.2002 11:36:00 PM
I was premature in my removal of the system user that is set to propagate down to the ISA program. It was running fine without the system account in ISA, as long as Authenticated Users and Administrators were given permission in place of "System". All was in vain, because I still saw the System account showing up as a firewall session along with the user on that machine showing up with the same IP, as I have shown below.
I do not hear many people complaining about this, so maybe we have the same settings that can lead us to some conclusions. Here is our basic setup:
We use the Firewall Client for full-time employees, Web Proxy for interns/part-timers, and SecureNAT for servers.
For firewall clients I do not list the Web Proxy service in the IE browser, so that I do not get duplicate references for a user showing both HTTP access as opposed to other firewall services. I think maybe the way I have set up clients may be similar to yours, and that is why we get the system name accessing through ISA. Any user with firewall access does not reference the Web Proxy through Internet Explorer; instead I leave everything under the LAN Settings tab in IE Properties blank. I do not point to the proxy server if a client has the firewall. If they do not have the firewall, then I set IE to use the proxy server for the firewall client, i.e. ISASERVER-8080...
I will start to remove protocol rules from the firewall to weed out possible ports allowing a user's system to authenticate through ISA. I have a lot of protocols open, but I think once I hit it the System should drop, if this is the problem.
We also use the SMTP screener, which I do not think is causing this problem, but just so you know.
Do you use these services, and do you set up the clients in the same fashion?
From: Middelburg, South Africa
My first comment is that maybe sometimes there are applications that have authenticated with the SYSTEM account on a workstation, and by having the FW Client installed, that application is able to surf the Internet; when asked for credentials it already thinks it is SYSTEM, so it doesn't ask the operating system for that information.
Secondly, I find your setup very curious, and trusting. What is stopping those users who have the FW Client installed (and thus no Web Proxy settings) from entering the Web Proxy settings within Internet Explorer? And also, what is preventing a user from manually installing the Firewall Client himself, as the share is freely available on ISAServer\mspclnt?
As for not using the Web Proxy settings in the web browser in an effort to avoid getting duplicate references: you are then forcing the IE browser to fail all HTTP requests over to the FW Client so that the FW Client can resolve them for you. Do you not think that this puts unnecessary load on the whole "Internet experience"?
Although still a relative newbie to ISA, I do not see how removing protocol rules could assist in removing the offending SYSTEM account. My opinion would be to investigate the firewall logs and to check what the name of the application is that is authenticating with the SYSTEM account. Once you know what application it is, then you should be able to control more of what it is doing.
I have just run a query on my log files and found that there are quite a few applications that use the SYSTEM account. They include applications such as antivirus, remote control and even some funny-looking Windows service files.
My bottom line opinion is this: I think all the SYSTEM accounts we are seeing are indeed legitimate traffic, but it may be legitimate traffic from applications we do not want to see surfing the Net. So I think if you check your Firewall Log you should be able to find the offending applications and narrow down which ports to exclude, or better yet, change the Client Configuration of the Firewall Client to DISABLE the application from being allowed to surf.
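The procedure the last reply recommends (query the firewall log for sessions whose user is SYSTEM, identify the application behind each, and disable that application in the Firewall Client configuration) as an added example, not code from the thread or from Microsoft. The log lines are constructed, not a real capture; the tab-separated W3C layout with a "#Fields:" header is how ISA Server 2000 writes its firewall log, but this particular subset of fields, the "name:version:platform" shape of the c-agent value, and the application names are assumptions for the example. The mspclnt.ini stanza follows the Firewall Client convention of one section per executable (name without .exe) with Disable=1; check it against your ISA version before rolling it out.

```python
"""Find Firewall Client sessions authenticated as SYSTEM in ISA Server 2000
firewall log lines, report the application behind each, and render the
mspclnt.ini sections that would stop those applications going through the
Firewall Client. Added example; sample data is constructed."""
from collections import defaultdict

# Constructed sample in ISA 2000's tab-separated W3C firewall log layout.
# The field subset and the executable names are assumptions for the example.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2000",
    "#Fields: c-ip cs-username c-agent sc-authenticated date time s-svcname r-host r-port cs-protocol",
    "\t".join(["10.0.0.15", "CORP\\jsmith", "IEXPLORE.EXE:2:5.0", "Y", "2002-07-23",
               "08:01:02", "fwsrv", "www.example.com", "80", "http"]),
    "\t".join(["10.0.0.15", "SYSTEM", "AVUPDATE.EXE:2:5.0", "Y", "2002-07-23",
               "08:01:10", "fwsrv", "liveupdate.example.net", "80", "http"]),
    "\t".join(["10.0.0.22", "CORP\\mjones", "IEXPLORE.EXE:2:5.0", "Y", "2002-07-23",
               "08:02:00", "fwsrv", "www.example.com", "80", "http"]),
    "\t".join(["10.0.0.22", "SYSTEM", "REMCTRL.EXE:2:5.0", "Y", "2002-07-23",
               "08:02:30", "fwsrv", "203.0.113.9", "5631", "pcanywhere"]),
    # SecureNAT client: no Firewall Client, so no user name or application.
    "\t".join(["10.0.0.40", "-", "-", "N", "2002-07-23",
               "08:03:00", "fwsrv", "mail.example.com", "25", "smtp"]),
    "\t".join(["10.0.0.15", "SYSTEM", "AVUPDATE.EXE:2:5.0", "Y", "2002-07-23",
               "09:15:00", "fwsrv", "liveupdate.example.net", "80", "http"]),
])


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other W3C directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def is_system(username):
    """True for SYSTEM whether logged bare or as NT AUTHORITY\\SYSTEM."""
    return username.rsplit("\\", 1)[-1].upper() == "SYSTEM"


def app_name(agent):
    """Executable name from c-agent; the ':version:platform' suffix is assumed."""
    return agent.split(":", 1)[0].upper()


def system_sessions(records):
    """Map each application that authenticated as SYSTEM to (client IP, host, port)."""
    by_app = defaultdict(set)
    for r in records:
        if r["sc-authenticated"] == "Y" and is_system(r["cs-username"]):
            by_app[app_name(r["c-agent"])].add((r["c-ip"], r["r-host"], r["r-port"]))
    return dict(by_app)


def doubled_ips(records):
    """Client IPs seen both as SYSTEM and as a named user (the 'one IP, two
    sessions' symptom described in the thread)."""
    users = defaultdict(set)
    for r in records:
        if r["cs-username"] != "-":
            users[r["c-ip"]].add(r["cs-username"])
    return {ip: sorted(names) for ip, names in users.items()
            if any(is_system(n) for n in names) and not all(is_system(n) for n in names)}


def mspclnt_disable(apps):
    """Render mspclnt.ini sections that keep the Firewall Client out of these
    executables: section name is the executable without .exe, Disable=1."""
    sections = []
    for exe in sorted(apps):
        name = exe.lower()
        if name.endswith(".exe"):
            name = name[:-4]
        sections.append(f"[{name}]\nDisable=1")
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for app, sessions in system_sessions(recs).items():
        print(app, sorted(sessions))
    print(doubled_ips(recs))
    print(mspclnt_disable(system_sessions(recs)))
```

Run it against an exported firewall log instead of SAMPLE_LOG to get the list of executables to look at; whether an antivirus updater should be disabled or instead given its own protocol rule is a policy decision, and the stanza only shows the mechanism.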