
Welcome to ISAserver.org


Username shown as SYSTEM?

Username shown as SYSTEM? - 20.Jun.2002 3:00:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi there

I am slowly but surely expanding the list of users through my ISA Server and I have just noticed the following.

Under the Monitoring tab, there is a Firewall Session for a user who was surfing via IExplorer, and his username is shown as SYSTEM.

Now firstly, why does he have a firewall session established and not a WEB Proxy Session, and secondly why is his username shown as SYSTEM?

All other users are fine for now.

Cheers
William R.
Post #: 1
RE: Username shown as SYSTEM? - 20.Jun.2002 4:48:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi William,

A process running under the System account is attempting to access the Internet. I've seen this when users attempt to run TZO on internal network clients.

HTH,
Tom

(in reply to wi11iam)
Post #: 2
RE: Username shown as SYSTEM? - 20.Jun.2002 4:53:00 PM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Brilliant Tom. Thanks very much. Just quickly, what is TZO?

Cheers
William R.

(in reply to wi11iam)
Post #: 3
RE: Username shown as SYSTEM? - 21.Jun.2002 1:28:00 PM   
zzz343

 

Posts: 764
Joined: 19.Feb.2002
From: World's 7th Nuclear Power
Status: offline
If your client is running on Windows 2000, you may see SYSTEM in ISA MMC.

(in reply to wi11iam)
Post #: 4
RE: Username shown as SYSTEM? - 4.Jul.2002 5:45:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi William,

TZO is a dynamic DNS client. Check it out at www.tzo.com

HTH,
Tom

quote:
Originally posted by wi11iam:
Brilliant Tom. Thanks very much. Just quickly, what is TZO?

Cheers
William R.


(in reply to wi11iam)
Post #: 5
RE: Username shown as SYSTEM? - 22.Jul.2002 10:34:00 PM   
Guest
I have the same thing showing up sporadically for every firewall client we have in our office. I thought it might have been Norton antivirus going out to get updates but the only machine we published to use that port was the primary Norton Antivirus server. Anyway this SYSTEM session will be active along with the actual user associated with the IP address. So a single IP address shows up twice as a session. This makes me nervous... I do not see how "System" can authenticate since that account is not listed in our active directory. I will look into it further but this should not be happening. Could this be the first big exploit on ISA?

(in reply to wi11iam)
  Post #: 6
RE: Username shown as SYSTEM? - 23.Jul.2002 12:56:00 AM   
Guest
I think I may have figured this one out but my changes may cause other unexpected errors. I was looking for where in the heck the system could have been allowed to authenticate from and found a reference in the management console under "servers & arrays": right-click on your server name and select properties. Once in the properties for the ISA server take a look under the security tab. If allow inheritable permission is checked then most likely "system" has access to the program. I then disabled inheritable permissions and placed "Authenticated Users" with read only permission and allowed administrators@yourdomain.corp full rights. This allows admins access and users but does not allow System through. I do not know if this is working yet but everything seems to run fine and I no longer see SYSTEM from a user's desktop logged on. abusemail@comcast.net

(in reply to wi11iam)
  Post #: 7
RE: Username shown as SYSTEM? - 23.Jul.2002 7:37:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi BncBerks

I find the changes you made very interesting, although it does make me nervous.

My understanding was that the security permissions that you have just modified are used only to determine who has authority to make changes to the ISA Server configuration itself.

As with most all Microsoft products, the SYSTEM always needs to be able to interact with Admin privileges to the service in question.

Anyway, I would be very curious to hear about the stability of your server, as well as if the removal of the SYSTEM account has resolved this issue.

Cheers
William R.

(in reply to wi11iam)
Post #: 8
RE: Username shown as SYSTEM? - 23.Jul.2002 11:36:00 PM   
Guest
William,

I was premature in my removal of the system user that is set to propagate down to the ISA program. Although, it was running fine without the system account in ISA as long as Authenticated Users and Administrators were given permission in place of "system". All was in vain because I still saw the System account showing up as a firewall session along with the user on that machine showing up with the same IP as I have shown below:

Firewall Session-David-David2k-IP-Date
Firewall Session-SYSTEM-David2k-IP-Date

where the IP and machine name are identical.

Back to the drawing board...

I do not hear many people complaining about this so maybe we have the same settings that can lead us to some conclusions. Here is our basic setup:

We use Firewall for full-time employees, Web Proxy for interns/part-timers and Secure NAT for servers.

For firewall clients I do not list the Web Proxy service in the IE browser so that I do not get duplicate references for a user showing both HTTP access as opposed to other firewall services. I think maybe the way I have set up clients may be similar to yours and that is why we get the system name accessing through ISA. Any user with Firewall access does not reference the Web Proxy through Internet Explorer; instead I leave everything under the LAN Settings tab in IE Properties blank. I do not point to the proxy server if a client has the firewall. If they do not have the firewall then I set IE to use the proxy server for the firewall client, i.e. ISASERVER-8080...

I will start to remove Protocol rules from the firewall to weed out possible ports allowing a user's system to authenticate through ISA. I have a lot of protocols open but I think once I hit it the System should drop if this is the problem.

We also use the smtp screener which I do not think is causing this problem but just so you know.

Do you use these services and do you set up the clients in the same fashion?

Thanx

Your Puzzled compadre

(in reply to wi11iam)
  Post #: 9
RE: Username shown as SYSTEM? - 24.Jul.2002 7:53:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi there

My first comment is that maybe sometimes there are applications that have authenticated with the SYSTEM account on a workstation and by having the FW Client installed, that application is able to surf the internet and when asked for credentials it already thinks he is SYSTEM so it doesn't ask the operating system for that information.

Secondly, I find your setup very curious, and trusting. What is stopping those users who have the FW Client installed (and thus no WEB Proxy settings) from entering the WEB Proxy settings within Internet Explorer? And also, what is preventing a user from manually installing the Firewall Client himself as the share is freely available on the ISAServer\mspclnt?

As for not using the WEB Proxy settings in the WEB Browser in an effort to avoid getting duplicate references, you are then forcing the IE browser to fail all HTTP requests over to the FW client so that the FW Client can resolve it for you. Do you not think that this puts unnecessary load on the whole "Internet Experience"?

Although still a relative newbie to ISA, I do not see how removing Protocol Rules could assist in removing the offending SYSTEM account. My opinion would be to investigate the Firewall Logs and to check what the name of the application is that is authenticating with the SYSTEM account. Once you know what application it is then you should be able to control more of what it is doing.

I have just run a query on my logfiles and found that there are quite a few applications that use the SYSTEM account. They include applications such as AntiVirus, Remote Control and even some funny-looking Windows service files.

My bottom line opinion is this:
I think all the SYSTEM accounts we are seeing are indeed legitimate traffic, but it may be legitimate traffic from applications we do not want to see surfing the Net. So I think if you check your Firewall Log you should be able to find the offending applications and narrow down which ports to exclude, or better yet, change the Client Configuration of the Firewall Client to DISABLE the application from being allowed to surf.

Cheers
William R.

(in reply to wi11iam)
Post #: 10
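
The log check suggested in post #10, together with the same-IP pairing shown in post #9, as an added example that is not part of the thread. It assumes the firewall log is exported in tab-separated W3C extended format with a `#Fields:` header; the field names (`c-ip`, `cs-username`, `c-agent`, `r-ip`, `r-port`), addresses and process names in the sample are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (tab-separated). Field names,
# addresses and process names are assumptions made for this example.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tc-agent\tdate\ttime\tr-ip\tr-port",
    "10.0.0.21\tDavid\tiexplore.exe\t2002-07-23\t09:14:02\t203.0.113.10\t80",
    "10.0.0.21\tSYSTEM\tupdatesvc.exe\t2002-07-23\t09:14:30\t203.0.113.44\t21",
    "10.0.0.21\tSYSTEM\tupdatesvc.exe\t2002-07-23\t09:20:11\t203.0.113.44\t21",
    "10.0.0.35\tNT AUTHORITY\\SYSTEM\tremotectl.exe\t2002-07-23\t10:02:45\t198.51.100.7\t5631",
    "10.0.0.40\tIntern1\tiexplore.exe\t2002-07-23\t10:05:00\t203.0.113.10\t80",
    "10.0.0.40\tIntern1",  # truncated record, must be skipped
])

def parse_w3c(text):
    """Return records as dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # drop malformed lines
                records.append(dict(zip(fields, values)))
    return records

def is_system(rec):
    # Accept both the bare account name and the authority-qualified form
    return rec["cs-username"].rsplit("\\", 1)[-1].upper() == "SYSTEM"

def system_apps(records):
    """Map (client IP, application) -> hit count and destinations for SYSTEM."""
    out = defaultdict(lambda: {"count": 0, "dests": set()})
    for r in filter(is_system, records):
        entry = out[(r["c-ip"], r["c-agent"])]
        entry["count"] += 1
        entry["dests"].add(f'{r["r-ip"]}:{r["r-port"]}')
    return dict(out)

def shared_ips(records):
    """Client IPs where SYSTEM appears beside a named user, with those users."""
    system_ips = {r["c-ip"] for r in records if is_system(r)}
    users = defaultdict(set)
    for r in records:
        if r["c-ip"] in system_ips and not is_system(r):
            users[r["c-ip"]].add(r["cs-username"])
    return dict(users)

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(system_apps(recs), shared_ips(recs))
```

The per-application summary gives the list of processes to review against the Firewall Client application settings, and `shared_ips` reproduces the David/SYSTEM pairing on one address.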
RE: Username shown as SYSTEM? - 24.Jul.2002 4:40:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

Any application that runs under the system account to connect to the Internet is going to show up as SYSTEM in the firewall service logs.

HTH,
Tom

(in reply to wi11iam)
Post #: 11
