Overview#
LSA Protection is a Windows feature (available on Windows 8.1 / Windows Server 2012 R2 and later, not specific to Active Directory) that configures additional protection for the Local Security Authority (LSA) process, Lsass.exe, by running it as a protected process. Unprotected processes can then no longer inject code into Lsass.exe or read its memory, which is how credential-dumping tools obtain Compromised Credentials. For an LSA plug-in or driver to load into a protected Lsass.exe, it must meet the following criteria:
Signature verification - any software library loaded into the LSA must be Digitally Signed with a Microsoft signature (Authenticode). Examples of such plug-ins are Smart Card drivers, cryptographic plug-ins, and AD Password Filters.
LSA plug-ins that are drivers, such as Smart Card drivers, must be signed through the WHQL Certification process. LSA plug-ins that do not go through the WHQL Certification process must be signed by using the file signing service for LSA.
LSA Protection Audit Mode#
To enable audit mode for Lsass.exe, edit the Windows registry:
- Open the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe (create the LSASS.exe subkey if it does not exist).
- Set the value AuditLevel=dword:00000008.
- Restart the computer.
After the restart, let the system run long enough for its LSA plug-ins to load, then analyze Event 3065 and Event 3066 in the Microsoft-Windows-CodeIntegrity/Operational event log. In audit mode nothing is blocked; these events record what would be blocked once protection is enforced:
- Event 3065 - records that a code integrity check determined that a process attempted to load a particular driver that did not meet the security requirements for Shared Sections. However, due to the system policy that is set, the image was allowed to load.
- Event 3066 - records that a code integrity check determined that a process attempted to load a particular driver that did not meet the Microsoft signature level requirements. However, due to the system policy that is set, the image was allowed to load.
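The audit-mode procedure above, as an added PowerShell example that is not part of the original page. It assumes an elevated prompt on Windows 8.1 / Server 2012 R2 or later and that the machine is rebooted between the two halves of the script:

```powershell
# Added example, not part of the original page: switch LSA Protection to audit
# mode, then (after the reboot) review what the audit logged.
# Run from an elevated PowerShell prompt.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

# The LSASS.exe subkey does not exist by default; create it before writing AuditLevel.
if (-not (Test-Path -Path $ifeo)) {
    New-Item -Path $ifeo -Force | Out-Null
}
New-ItemProperty -Path $ifeo -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null

# The setting only takes effect after a restart:
# Restart-Computer

# ---- After the reboot, once the system has had time to load its LSA plug-ins ----
# 3065 = shared-section requirement not met, 3066 = Microsoft signature level not met.
# Get-WinEvent raises an error when no events match; here "no events" is the good case,
# so the error is suppressed and handled as an empty result.
$filter = @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3065, 3066
}
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output 'No 3065/3066 events: every loaded LSA plug-in met the requirements.'
} else {
    # Each message names the image that would be blocked under enforcement.
    $hits |
        Select-Object TimeCreated, Id, Message |
        Format-Table -AutoSize -Wrap
}
```

Run the audit for long enough to cover every code path that loads a plug-in (smart card logons, password changes through an AD Password Filter, and so on); a plug-in that is never exercised during the audit window produces no event and will surface only after enforcement.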
Enabling LSA Protection#
Open the Registry Editor (RegEdit.exe) and edit the Windows registry:
- Open the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
- Set the value "RunAsPPL"=dword:00000001.
- Restart the computer.
Note that on a system with UEFI Secure Boot the setting is also written to a UEFI variable, so deleting the registry value afterwards does not turn protection off; Microsoft provides a separate LSA Protection opt-out tool for that. After the restart, confirm enforcement by checking that Event ID 12 from Wininit in the System log reports that LSASS.exe was started as a protected process.
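The enablement and verification steps above, as an added PowerShell example that is not part of the original page. It assumes an elevated prompt, a reboot between the two halves of the script, and (for the Secure Boot check) the built-in SecureBoot module:

```powershell
# Added example, not part of the original page: enable LSA Protection and, after
# the reboot, confirm that Lsass.exe actually started as a protected process.
# Run from an elevated PowerShell prompt.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# On a UEFI Secure Boot system the value is also persisted to a UEFI variable,
# so clearing the registry value later will not turn protection off. Warn first.
try {
    if (Confirm-SecureBootUEFI) {
        Write-Warning 'Secure Boot is on: RunAsPPL=1 will be locked in UEFI and needs Microsoft''s LSA Protection opt-out tool to undo.'
    }
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; no UEFI lock applies there.
}

New-ItemProperty -Path $lsa -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force | Out-Null

# The setting only takes effect after a restart:
# Restart-Computer

# ---- After the reboot ----
# 1. Confirm the registry value survived the reboot (it should still be 1).
(Get-ItemProperty -Path $lsa -Name 'RunAsPPL').RunAsPPL

# 2. Wininit records Event ID 12 in the System log when Lsass.exe starts protected:
#    "LSASS.exe was started as a protected process with level: 4"
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 3. Anything the audit phase missed now shows up as a blocked load in the
#    Code Integrity log: 3033 = signature level not met, 3063 = shared sections.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3033, 3063
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If step 2 returns nothing, protection is not in effect: re-check the registry value, and on older systems make sure the reboot actually happened rather than a fast-startup resume.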
More Information#
There might be more information for this subject on one of the following:
- DirXML PWFILTER.DLL
- Local Security Authority
- Password Flow From Active Directory to eDirectory
- Windows Authentication Package
- [#1] - Configuring Additional LSA Protection (based on information obtained 2020-02-16)
- [#2] - WHQL Release Signature (based on information obtained 2020-02-16)
- [#3] - Authenticode Digital Signatures (based on information obtained 2020-02-16)