Lsa isolator
1/13/2024

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This article for the IT professional explains how to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials. The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system and later provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This feature provides added security for the credentials that LSA stores and manages. The protected process setting for LSA can be configured in Windows 8.1 and later. When this setting is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.

Protected process requirements for plug-ins or drivers

For an LSA plug-in or driver to successfully load as a protected process, it must meet the following criteria:

Protected mode requires that any plug-in that is loaded into the LSA is digitally signed with a Microsoft signature. Therefore, any plug-ins that are unsigned or aren't signed with a Microsoft signature will fail to load in LSA. Examples of these plug-ins are smart card drivers, cryptographic plug-ins, and password filters. LSA plug-ins that are drivers, such as smart card drivers, need to be signed by using the WHQL Certification. For more information, see WHQL Release Signature. LSA plug-ins that don't have a WHQL Certification process must be signed by using the file signing service for LSA.

Adherence to the Microsoft Security Development Lifecycle (SDL) process guidance

All of the plug-ins must conform to the applicable SDL process guidance. Even if the plug-ins are properly signed with a Microsoft signature, non-compliance with the SDL process can result in failure to load a plug-in. For more information, see the Microsoft Security Development Lifecycle (SDL) Appendix.

Use the following list to thoroughly test that LSA protection is enabled before you broadly deploy the feature:

- Identify all of the LSA plug-ins and drivers that are in use within your organization. Include non-Microsoft drivers or plug-ins such as smart card drivers and cryptographic plug-ins, and any internally developed software that is used to enforce password filters or password change notifications.
- Ensure that all of the LSA plug-ins are digitally signed with a Microsoft certificate so that the plug-in won't fail to load.
- Ensure that all of the correctly signed plug-ins can successfully load into LSA and that they perform as expected.
- Use the audit logs to identify LSA plug-ins and drivers that fail to run as a protected process.

Limitations introduced with enabled LSA protection

If additional LSA protection is enabled, you can't debug a custom LSA plug-in. You can't attach a debugger to LSASS when it's a protected process. In general, there's no supported way to debug a running protected process.

Auditing to identify LSA plug-ins and drivers that fail to run as a protected process

You can use the audit mode to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode. While in the audit mode, the system will generate event logs, identifying all of the plug-ins and drivers that will fail to load under LSA if LSA Protection is enabled. The messages are logged without blocking the plug-ins or drivers. The events described in this section are located in the Operational log under Applications and Services Logs\Microsoft\Windows\CodeIntegrity. They can help you identify LSA plug-ins and drivers that are failing to load due to signing reasons. To manage these events, you can use the wevtutil command-line tool. For information about this tool, see Wevtutil.

Audit events will not be generated if Smart App Control is enabled on a device. To check or change the enablement state of Smart App Control, open the Windows Security Application and go to the App & browser control page. Select the Smart App Control settings link to check the enablement state and change the configuration to Off if you are trying to audit additional LSA protection.

Automatic enablement of Audit mode

Audit mode for additional LSA protection is enabled by default on devices running Windows 11, 22H2.
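The registry setting, the UEFI lock and the audit-mode events described above, pulled together into one PowerShell readiness check. This is an added example, not text from the page and not a Microsoft script. It assumes, from Microsoft's public documentation rather than from this page, that the DWORD value RunAsPPL under the Lsa key holds the setting (1 = enabled with UEFI lock, 2 = enabled without UEFI lock on Windows 11 22H2 and later) and that audit-mode findings are recorded as events 3065 (Shared Sections requirement) and 3066 (Microsoft signing level requirement) in the Microsoft-Windows-CodeIntegrity/Operational channel. Run it from an elevated session.

```powershell
# Added example (not from this page or from Microsoft). Reports how additional
# LSA protection is configured and lists the audit-mode events for LSA plug-ins.
# Assumptions taken from Microsoft's public documentation, not from this page:
#   RunAsPPL (DWORD under the Lsa key): 1 = enabled with UEFI lock,
#                                       2 = enabled without UEFI lock (Win 11 22H2+)
#   Events 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational are the
#   audit-mode findings (3065 = Shared Sections, 3066 = signing level).
# Run from an elevated PowerShell session.

$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Channel = 'Microsoft-Windows-CodeIntegrity/Operational'

function Get-LsaProtectionState {
    # RunAsPPL is $null when the value has never been set.
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -ErrorAction Stop).RunAsPPL

    $mode = 'Not configured'
    switch ($runAsPpl) {
        1 { $mode = 'Enabled with UEFI lock' }
        2 { $mode = 'Enabled without UEFI lock' }
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as off.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # Only the UEFI-locked setting combined with Secure Boot survives an
    # administrator clearing the registry value, which is the page's point.
    if ($runAsPpl -eq 1 -and $secureBoot) { $persistence = 'UEFI lock and Secure Boot' }
    else                                  { $persistence = 'Registry value only' }

    [pscustomobject]@{
        RunAsPPL    = $runAsPpl
        Mode        = $mode
        SecureBoot  = $secureBoot
        Persistence = $persistence
    }
}

function Get-LsaAuditEvents {
    param([int]$MaxEvents = 200)

    # Equivalent query with the tool the page names:
    #   wevtutil qe Microsoft-Windows-CodeIntegrity/Operational /f:text /q:"*[System[(EventID=3065 or EventID=3066)]]"
    $events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 3065, 3066 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Id -eq 3065) { $reason = 'Shared Sections requirement not met' }
        else                { $reason = 'Microsoft signing level requirement not met' }

        # The first line of the message names the image that would be blocked.
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Reason  = $reason
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

'--- Additional LSA protection ---'
Get-LsaProtectionState | Format-List

'--- Audit-mode findings (plug-ins/drivers that would fail to load) ---'
$findings = @(Get-LsaAuditEvents)
if ($findings.Count -eq 0) {
    'No events found. Either all loaded plug-ins meet the requirements, or audit'
    'mode is not emitting events (for example, Smart App Control is enabled).'
} else {
    $findings | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

Run the check on a representative set of machines during the audit phase; a host that reports "Registry value only" is one where the setting can still be reverted by a local administrator, and an empty findings list is only meaningful once Smart App Control has been confirmed off on that device.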