!!! Overview

[{$pagename}] is a concept within [Microsoft Active Directory] that allows you to configure additional protection for the [Local Security Authority] ([LSA]) process to prevent [Code injection] that could lead to [Compromised Credentials].

%%error
[LSA] plug-ins which are __NOT__ compatible with [{$pagename}] Mode __will NOT function__ after enabling the mode.
%%

Such plug-ins can be identified by using Audit Mode before changing the Protection Mode.

For an [LSA] plug-in or driver to successfully load as a protected process, it must meet the following criteria:
* Signature verification - requires that any [Software library] loaded into the [LSA] be [Digitally Signed] with a [Microsoft] [signature|Digital Signature] (referred to as [Authenticode]). [Examples] of these plug-ins are [Smart Card] drivers, cryptographic plug-ins, and [AD Password Filters].
* LSA plug-ins that are drivers, such as [Smart Card] drivers, need to be signed by using the WHQL Certification.
* LSA plug-ins that do not have a WHQL Certification process must be signed by using the file signing service for LSA.

!! [{$pagename}] [Audit|Auditing] Mode

To enable audit mode for Lsass.exe, edit the [Windows registry] key located at:
* [HKLM]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
* Set the value of the registry key to AuditLevel=dword:00000008.
* Restart the computer.

Analyze the results in the [Windows Event Log] for [Event 3065] and [Event 3066]:
* Event 3065 - records that a code [integrity] check determined that a process attempted to load a particular driver that did not meet the security requirements for Shared Sections. However, due to the system policy that is set, the image was allowed to load.
* Event 3066 - records that a code [integrity] check determined that a process attempted to load a particular driver that did not meet the [Microsoft] [signature|Digital Signature] level requirements. However, due to the system policy that is set, the image was allowed to load.
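The audit-then-enforce workflow (audit mode, review of events 3065/3066, then the RunAsPPL setting from the next section) as an added PowerShell example that is not part of the original page: it sets AuditLevel, collects the two event IDs since the last boot, and only writes RunAsPPL=1 when no incompatible plug-in loads were recorded. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, that these events are written to the Microsoft-Windows-CodeIntegrity/Operational log (as in the referenced Microsoft documentation), and the function names are my own.

```powershell
# Added example (not from the original page): LSA Protection audit workflow.
# Assumes an elevated PowerShell session and that CodeIntegrity events
# 3065/3066 are written to 'Microsoft-Windows-CodeIntegrity/Operational'.

$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-LsaProtectionAudit {
    # Step 1: AuditLevel = 8 logs incompatible plug-ins instead of blocking them.
    if (-not (Test-Path $ifeoKey)) { New-Item -Path $ifeoKey -Force | Out-Null }
    New-ItemProperty -Path $ifeoKey -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null
    Write-Host 'AuditLevel=8 set. Restart, exercise logon/smart card paths, then review events.'
}

function Get-LsaProtectionAuditEvents {
    # Step 2: collect 3065 (Shared Sections) and 3066 (signature level) events since boot.
    param([datetime]$Since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3065, 3066
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $reason = 'Signature level'
        if ($_.Id -eq 3065) { $reason = 'Shared Sections' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Reason  = $reason
            Message = $_.Message
        }
    }
}

function Enable-LsaProtection {
    # Step 3: enforce only when audit mode recorded no offending plug-in loads.
    $offenders = @(Get-LsaProtectionAuditEvents)
    if ($offenders.Count -gt 0) {
        Write-Warning "Found $($offenders.Count) incompatible plug-in load(s); fix them before enabling RunAsPPL."
        $offenders | Format-Table -AutoSize
        return
    }
    New-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'RunAsPPL=1 set. Restart the computer to run LSASS as a protected process.'
}

function Test-LsaProtectionConfigured {
    # Reports whether the RunAsPPL registry value is currently set to 1.
    $v = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL
    return ($v -eq 1)
}
```

Run Enable-LsaProtectionAudit first, restart and let the system operate for a representative period, then run Enable-LsaProtection; a restart is still required after RunAsPPL is set.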
!! Enabling [{$pagename}]

Open the Registry Editor (RegEdit.exe) and edit the [Windows registry] key located at:
* [HKLM]\SYSTEM\CurrentControlSet\Control\Lsa
* Set the value of the registry key to: "RunAsPPL"=dword:00000001.
* Restart the computer.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Configuring Additional LSA Protection|https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection|target='_blank'] - based on information obtained 2020-02-16
* [#2] - [WHQL Release Signature|https://docs.microsoft.com/en-us/windows-hardware/drivers/install/whql-release-signature|target='_blank'] - based on information obtained 2020-02-16
* [#3] - [Authenticode Digital Signatures|https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode|target='_blank'] - based on information obtained 2020-02-16