compupolew.blogg.se

Turn off symantec endpoint protection command line











Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This article for the IT professional explains how to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system and later provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This feature provides added security for the credentials that LSA stores and manages. The protected process setting for LSA can be configured in Windows 8.1 and later. When this setting is used with UEFI lock and Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.

Protected process requirements for plug-ins or drivers

For an LSA plug-in or driver to successfully load as a protected process, it must meet the following criteria:

Protected mode requires that any plug-in that is loaded into the LSA is digitally signed with a Microsoft signature. Therefore, any plug-ins that are unsigned or aren't signed with a Microsoft signature will fail to load in LSA. Examples of these plug-ins are smart card drivers, cryptographic plug-ins, and password filters.

LSA plug-ins that are drivers, such as smart card drivers, need to be signed by using the WHQL Certification. For more information, see WHQL Release Signature.

LSA plug-ins that don't have a WHQL Certification process must be signed by using the file signing service for LSA.

Adherence to the Microsoft Security Development Lifecycle (SDL) process guidance

All of the plug-ins must conform to the applicable SDL process guidance. For more information, see the Microsoft Security Development Lifecycle (SDL) Appendix.

Even if the plug-ins are properly signed with a Microsoft signature, non-compliance with the SDL process can result in failure to load a plug-in.

Use the following list to thoroughly test that LSA protection is enabled before you broadly deploy the feature:

Identify all of the LSA plug-ins and drivers that are in use within your organization.
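
A first-pass inventory for the "identify all of the LSA plug-ins" step, checked against the signing requirement described on this page. This is an added example, not code from the original article or from Microsoft. It assumes the RunAsPPL value and the "Security Packages", "Authentication Packages" and "Notification Packages" values under the Lsa key (none of which are named on this page), and that it runs in 64-bit PowerShell on the host being assessed.

```powershell
# Added example: list LSA packages registered under the Lsa key and report
# the Authenticode status of each DLL before LSA protection is rolled out.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey

# RunAsPPL (assumed value name) is absent or 0 when protection is not configured.
$state = if ($lsa.RunAsPPL) { "configured (RunAsPPL=$($lsa.RunAsPPL))" } else { 'not configured' }
Write-Output "LSA protection: $state"

# Multi-string values that register plug-in DLLs with LSA (assumed names).
$valueNames = 'Security Packages', 'Authentication Packages', 'Notification Packages'

$report = foreach ($name in $valueNames) {
    foreach ($entry in @($lsa.$name)) {
        # Skip empty entries, including the literal "" placeholder.
        if ([string]::IsNullOrWhiteSpace($entry) -or $entry -eq '""') { continue }

        # Entries are usually bare names (for example msv1_0) resolved in System32.
        $file = $entry.Trim('"')
        if (-not [IO.Path]::HasExtension($file)) { $file += '.dll' }
        if (-not [IO.Path]::IsPathRooted($file)) {
            $file = Join-Path $env:SystemRoot "System32\$file"
        }

        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Source = $name; Package = $entry; Path = $file
                               Status = 'FileNotFound'; Signer = $null; MicrosoftSigner = $false }
            continue
        }

        $sig    = Get-AuthenticodeSignature -LiteralPath $file
        $signer = $sig.SignerCertificate.Subject
        [pscustomobject]@{
            Source  = $name
            Package = $entry
            Path    = $file
            Status  = $sig.Status
            Signer  = $signer
            # Heuristic only: a valid signature with a Microsoft subject. It does
            # not prove the DLL meets the signing level LSA enforces.
            MicrosoftSigner = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
        }
    }
}

# Packages that fail the heuristic sort first; review those before deployment.
$report | Sort-Object MicrosoftSigner, Source | Format-Table -AutoSize
```

The script covers only DLLs registered in those three values; drivers such as smart card drivers and plug-ins registered elsewhere still need to be identified separately.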












