This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor
!!! Overview
[{$pagename}] is a [Microsoft] Windows feature (relevant to any [Microsoft Active Directory] domain member or domain controller) that allows you to configure additional protection for the [Local Security Authority] ([LSA]) process, so that only code that meets Microsoft's signing requirements can be loaded into it. This prevents [Code injection] into Lsass.exe that could otherwise lead to [Compromised Credentials], for example by a tool that reads credential material out of LSASS memory.
%%error
[LSA] plug-ins which are __NOT__ compatible with [{$pagename}] __will NOT load__ after the mode is enabled.
%%
Such plug-ins can be identified by enabling Audit Mode before switching to Protection Mode.
For an [LSA] plug-in or driver to successfully load into a protected LSA process, it must meet the following criteria:
Signature verification - any [Software library] loaded into the [LSA] must be [Digitally Signed] with a [Microsoft] [signature|Digital Signature] ([Authenticode]). Examples of such plug-ins are [Smart Card] drivers, cryptographic plug-ins, and [AD Password Filters].
Adherence to the Microsoft Security Development Lifecycle (SDL) process guidance - all plug-ins must conform to the applicable SDL guidance.
LSA plug-ins that are drivers, such as [Smart Card] drivers, must be signed through the WHQL certification process. LSA plug-ins that do not go through WHQL certification must be signed by using the file signing service for LSA.
!! [{$pagename}] [Audit|Auditing] Mode
To enable audit mode for Lsass.exe, edit the [Windows registry] at:
* [HKLM]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
* Create a DWORD value named AuditLevel under that key and set it to 8 (AuditLevel=dword:00000008).
* Restart the computer.
In audit mode nothing is blocked; instead, each plug-in that would have been rejected is recorded in the [Windows Event Log] under Microsoft-Windows-CodeIntegrity/Operational. Review that log for [Event 3065] and [Event 3066]:
* Event 3065 - records that a code [integrity] check determined that a process attempted to load a particular driver that did not meet the security requirements for Shared Sections. However, due to the system policy that is set, the image was allowed to load.
* Event 3066 - records that a code [integrity] check determined that a process attempted to load a particular driver that did not meet the [Microsoft] [signature|Digital Signature] level requirements. However, due to the system policy that is set, the image was allowed to load.
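The audit-mode procedure above as one script, added here as an example that is not part of the original page or of Microsoft's documentation. It writes the AuditLevel value, and after the reboot lists every 3065/3066 event from the Code Integrity log so the offending plug-ins can be identified before enforcement is turned on. The function names are this example's own; the registry path, the value, the log name and the event IDs are the ones the page describes.

```powershell
# Added example (not from the original page): LSA Protection audit mode.
# Run in an elevated PowerShell session; a reboot is required between
# Enable-LsaAuditMode and Get-LsaAuditFindings.

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Enable-LsaAuditMode {
    # The LSASS.exe subkey does not exist by default; create it if needed.
    if (-not (Test-Path -Path $IfeoKey)) {
        New-Item -Path $IfeoKey -Force | Out-Null
    }
    # AuditLevel = 8 makes Code Integrity log, rather than block, non-compliant plug-ins.
    New-ItemProperty -Path $IfeoKey -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null
    Get-ItemProperty -Path $IfeoKey -Name 'AuditLevel'
}

function Get-LsaAuditFindings {
    param([int]$Days = 7)
    # 3065 = shared-sections requirement not met, 3066 = signing level not met.
    # Both are written by Code Integrity, not by LSASS itself.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Reason  = if ($_.Id -eq 3065) { 'shared sections' } else { 'signature level' }
                # The loaded image path is part of the message text; keep the
                # whole message rather than guessing at property indices.
                Message = $_.Message
            }
        }
}

function Get-LsaAuditSummary {
    # One line per event ID so an empty result (nothing to fix) is obvious.
    $findings = @(Get-LsaAuditFindings)
    if ($findings.Count -eq 0) {
        'No 3065/3066 events: every plug-in loaded into LSASS met the requirements.'
    } else {
        $findings | Group-Object -Property Id |
            Select-Object @{n='EventId';e={$_.Name}}, Count
        $findings | Format-List Time, Id, Reason, Message
    }
}

Enable-LsaAuditMode
# Restart-Computer -Force
# ... after the reboot, run: Get-LsaAuditSummary
```

Run the system for a full workload cycle (logons, smart card use, password changes on domain controllers) before reading the summary, since a plug-in that is never exercised never produces an event.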
!! Enabling [{$pagename}]
Open Registry Editor (RegEdit.exe) and navigate to the [Windows registry] key:
* [HKLM]\SYSTEM\CurrentControlSet\Control\Lsa
* Create a DWORD value named RunAsPPL under that key and set it to 1 ("RunAsPPL"=dword:00000001).
* Restart the computer.
On a UEFI system with Secure Boot enabled, the setting is also stored in a UEFI variable, so deleting the RunAsPPL registry value does not by itself disable the protection; the UEFI variable must be cleared as described in [1]. After the restart, confirm that Lsass.exe really started as a protected process rather than only checking the registry value.
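The enablement procedure above, followed by the post-reboot check a practitioner should perform, added here as an example that is not part of the original page or of Microsoft's documentation. It sets RunAsPPL, and after the reboot looks for the Wininit event 12 in the System log ("LSASS.exe was started as a protected process with level: 4") and for Code Integrity event 3033, which is the enforcement-mode counterpart of the audit-mode event 3066 and shows which images were actually blocked. Function names are this example's own; the RunAsPPL value 2 (enabled without the UEFI lock, Windows 11 22H2 and later) comes from Microsoft's documentation but is not mentioned on the page.

```powershell
# Added example (not from the original page): enable LSA Protection and
# verify after the reboot that it is in force. Run elevated.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-LsaProtection {
    param(
        # 1 = enabled; on Secure Boot systems this also writes the UEFI lock.
        # 2 = enabled without the UEFI lock (Windows 11 22H2 and later only).
        [ValidateSet(1, 2)][int]$Level = 1
    )
    New-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -PropertyType DWord -Value $Level -Force | Out-Null
    (Get-ItemProperty -Path $LsaKey).RunAsPPL
}

function Test-LsaProtection {
    # Wininit event 12 is logged at boot only when LSASS is started protected.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $evt = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
        StartTime    = $lastBoot
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $configured = (Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue).RunAsPPL
    [pscustomobject]@{
        ConfiguredRunAsPPL = $configured
        ProtectedAtBoot    = [bool]$evt
        BootEvent          = if ($evt) { $evt.Message } else { '(no Wininit event 12 since last boot)' }
    }
}

function Get-LsaBlockedImages {
    # 3033 = Code Integrity blocked an image that did not meet the signing
    # level requirement. With RunAsPPL set, these are the plug-ins that
    # would have shown up as 3066 in audit mode but are now refused.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033
        StartTime = $lastBoot
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Enable-LsaProtection -Level 1
# Restart-Computer -Force
# ... after the reboot:
# Test-LsaProtection
# Get-LsaBlockedImages
```

A RunAsPPL value of 1 in the registry with no Wininit event 12 after the reboot means the protection is configured but not active, which is the state an attacker who tampers with the key before a reboot would leave behind; treat the event, not the registry value, as the evidence.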
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Configuring Additional LSA Protection|https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection|target='_blank'] - based on information obtained 2020-02-16
* [#2] - [WHQL Release Signature|https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature|target='_blank'] - based on information obtained 2020-02-16
* [#3] - [Authenticode Digital Signatures|https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode|target='_blank'] - based on information obtained 2020-02-16