3 Replies Latest reply on Aug 24, 2016 2:45 AM by fabiansz

    ENS 10.x Firewall Core Networking Rules (SYSTEM)

    fabiansz

      Within the core networking rules there is one called "Allow outbound System application".


      It contains one application, defined by one executable:

      System --> **\SYSTEM


      What exactly does it mean?

      - processes that run under SYSTEM context?

      - files named *system*?

      - files within \Windows\system32?


      Who defines what "system application" means? McAfee? Microsoft?


      Thanks

        • 2. Re: ENS 10.x Firewall Core Networking Rules (SYSTEM)
          rmetzger

          fabiansz wrote:


          Within the core networking rules there is one called "Allow outbound System application".


          It contains one application, defined by one executable:

          System --> **\SYSTEM


          What exactly does it mean?

          - processes that run under SYSTEM context?

          - files named *system*?

          - files within \Windows\system32?


          Who defines what "system application" means? McAfee? Microsoft?

          Microsoft. And any developer who needs to install low level device drivers or privileged applications that Microsoft authorizes, such as security software.


          From: https://support.microsoft.com/en-us/kb/120929


          The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.


          NOTE: Granting either account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file but it is not recommended.


and from: LocalSystem Account (Windows)


          The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.


          OK,

          '- Processes that run under SYSTEM context' are processes running at the Operating System level and need to be left alone under most circumstances.

          '- files named *system*' has no default relationship to the SYSTEM account.

          '- files within \Windows\system32' may be granted NTFS access control rights based on Operating System use and control. Usually this is done at installation time and should be left alone under most circumstances.


          'System --> **\SYSTEM' refers to Processes that run under the .\LocalSystem or ComputerName\LocalSystem account context. 'SYSTEM' is the pre-Active Directory name referring to LocalSystem.


          Is that helpful?

          Ron Metzger

          • 3. Re: ENS 10.x Firewall Core Networking Rules (SYSTEM)
            fabiansz

            Official answer from Intel Support:


            The file "**\SYSTEM" means System Processes --> ntoskrnl.exe.

            Allows outgoing connections for NT Kernel & System.
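A way to see what that rule actually covers on a given host, as an added example that is not part of the thread or of McAfee's product: the "System" application is the kernel process (ntoskrnl.exe, normally PID 4), so listing the TCP connections and UDP endpoints whose owning process is that PID shows the traffic "Allow outbound System application" applies to. It assumes Windows 8 / Server 2012 or later (NetTCPIP cmdlets) and an elevated PowerShell session.

```powershell
# Added example, not from the thread: enumerate network activity owned by the
# Windows "System" process (ntoskrnl.exe), which is what the ENS core rule
# "Allow outbound System application" (**\SYSTEM) matches.
# Assumes Windows 8 / Server 2012+ and an elevated shell.

# Resolve the kernel process by name rather than hard-coding PID 4.
$systemPid = (Get-Process -Name 'System').Id

# TCP connections owned by the kernel (e.g. the SMB client redirector to port 445).
$tcp = Get-NetTCPConnection -OwningProcess $systemPid -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'Established' } |
    Select-Object @{n = 'Proto'; e = { 'TCP' }},
                  LocalAddress, LocalPort, RemoteAddress, RemotePort, State

# UDP endpoints bound by the kernel (no remote side; shown as listening sockets).
$udp = Get-NetUDPEndpoint -OwningProcess $systemPid -ErrorAction SilentlyContinue |
    Select-Object @{n = 'Proto'; e = { 'UDP' }},
                  LocalAddress, LocalPort,
                  @{n = 'RemoteAddress'; e = { '' }},
                  @{n = 'RemotePort';    e = { '' }},
                  @{n = 'State';         e = { 'Listening' }}

# Combine (either list may be empty) and print, so the output can be compared
# against the ENS firewall activity log for the **\SYSTEM rule.
@($tcp) + @($udp) | Sort-Object Proto, RemotePort | Format-Table -AutoSize
```

Established TCP sessions to port 445 from this PID are the typical case, since the SMB client runs in kernel mode; user-mode services such as svchost.exe have their own PIDs and are not matched by the **\SYSTEM rule.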