LSA Protection

Overview#

LSA Protection is a concept within Microsoft Active Directory that allows you to configure additional protection for the Local Security Authority (LSA) process in order to prevent code injection that could lead to compromised credentials.
LSA plug-ins which are NOT compatible with LSA Protection Mode will NOT function after enabling the mode.
Such plug-ins can be identified by using Audit Mode before changing the Protection Mode.

For an LSA plug-in or driver to successfully load as a protected process, it must meet the following criteria:

Signature verification - requires that any software library loaded into the LSA be digitally signed with a Microsoft signature (referred to as Authenticode). Examples of such plug-ins are Smart Card drivers, cryptographic plug-ins, and AD Password Filters.

LSA plug-ins that are drivers, such as Smart Card drivers, need to be signed by using the WHQL Certification. LSA plug-ins that do not go through a WHQL Certification process must be signed by using the file signing service for LSA.

LSA Protection Audit Mode#

To enable audit mode for Lsass.exe, edit the Windows registry key located at:
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
  • Set the value of the registry key to AuditLevel=dword:00000008.
  • Restart the computer.

Analyze the results of Windows Event Log Event 3065 and Event 3066.

  • Event 3065 - records that a code integrity check determined that a process attempted to load a particular driver that did not meet the security requirements for Shared Sections. However, due to the system policy that is set, the image was allowed to load.
  • Event 3066 - records that a code integrity check determined that a process attempted to load a particular driver that did not meet the Microsoft signature level requirements. However, due to the system policy that is set, the image was allowed to load.

Enabling LSA Protection#

Open the Registry Editor (RegEdit.exe) and navigate to the Windows registry key located at:
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  • Set the value of the registry key to: "RunAsPPL"=dword:00000001.
  • Restart the computer.
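The audit-then-enable procedure above, as an added PowerShell example that is not part of the original page: it sets AuditLevel, reports the current protection state, lists the images that events 3065/3066 flagged as incompatible, and only then sets RunAsPPL. It assumes an elevated session and that the events are read from the Microsoft-Windows-CodeIntegrity/Operational log, where Windows writes code integrity events.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
# Assumption: events 3065/3066 are read from Microsoft-Windows-CodeIntegrity/Operational.

$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-LsaAuditMode {
    # AuditLevel=8 logs incompatible plug-ins (events 3065/3066) without blocking them.
    if (-not (Test-Path $ifeoKey)) { New-Item -Path $ifeoKey -Force | Out-Null }
    New-ItemProperty -Path $ifeoKey -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null
    Write-Host 'AuditLevel=8 set under the LSASS.exe IFEO key; restart required.'
}

function Get-LsaProtectionState {
    # Reads both registry values; a missing value comes back as $null.
    $audit    = (Get-ItemProperty -Path $ifeoKey -Name 'AuditLevel' -ErrorAction SilentlyContinue).AuditLevel
    $runAsPpl = (Get-ItemProperty -Path $lsaKey  -Name 'RunAsPPL'   -ErrorAction SilentlyContinue).RunAsPPL
    [pscustomobject]@{
        AuditLevel = $audit
        RunAsPPL   = $runAsPpl
        Protected  = ($runAsPpl -eq 1)
    }
}

function Get-LsaIncompatiblePlugins {
    # Lists images that would have been blocked once LSA Protection is on.
    # 3065 = shared-section requirement not met, 3066 = Microsoft signature level not met.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3065, 3066
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Reason = if ($_.Id -eq 3065) { 'Shared sections' } else { 'Signature level' }
            Detail = $_.Message
        }
    }
}

function Enable-LsaProtection {
    # Set RunAsPPL only after a full audit cycle returns no 3065/3066 events.
    New-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'RunAsPPL=1 set; restart required for LSA Protection to take effect.'
}

# Typical order: Enable-LsaAuditMode, reboot, run workloads, then review
# Get-LsaIncompatiblePlugins and, if it is empty, Enable-LsaProtection.
```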
