Shulou(Shulou.com)11/24 Report--

CTOnews.com December 24, Local Security Agency (LSA) protection is an important part of user authentication in Windows systems. LSA manages the necessary system credentials such as passwords and tokens related to Microsoft accounts and Azure.

What is the Local Security Agency (LSA)?

The local security organization is the core component of the security subsystem in the Windows operating system. The local security agency (LSA) is responsible for managing the interactive login of the system.

When the user tries to log in locally by entering a user name and password in the login dialog box (that is, the login interface entered by boot), the system will automatically call LSA and pass the credentials we entered to the Security account Manager (SAM). Relevant account information for administrative storage is stored in SAM.

If approved, LSA grants the user an access token (Access Token) that contains the user's individual and group SID and its permissions. Each process executed by the user has a copy of the access token. The token identifies the identity of the user, the group to which the user belongs, and user privileges. The token also identifies the login SID security identifier for the current login session.

Restrictions introduced when LSA protection is enabled

If other LSA protection is enabled, you cannot debug a custom LSA plug-in. Cannot attach a debugger to a LSASS when the debugger is a protected process. In general, debugging protected processes that are running is not supported.

Enable automatically

For client devices running Windows 11, 22H2, additional LSA protection is enabled by default if the following conditions are met:

The device is a new installation upgraded from Windows 11, 22H2 (not from the previous version).

The device has joined the enterprise (joined the Active Directory domain, joined the Azure AD domain, or joined the mixed Azure AD domain).

The device can (HVCI) code integrity protected by the hypervisor

Additional LSA protection is automatically enabled on Windows 11, and 22H2 does not set the UEFI variable for this feature. If you want to set the UEFI variable, you can use the registry configuration or policy.

CTOnews.com users, if you want to protect your credentials from attackers, you must enable local security protection. In this article, we will enable local security agency protection on your computer in three different ways:

Through the Windows Security Center

Through the registry

Use the local group policy approach

Enable 1. 1 through Windows Security Center. Press Win to open the start menu

two。 Search for "Windows Security Center" in the search box (full input is not required), and then click "Windows Security Center"

3. Click "device Security" in the left navigation panel and click "Kernel isolation details" under the "Kernel isolation" option.

4. Check the box to turn on "Local Security Agency Protection" in the pop-up page.

5. Select "Yes" in the user account control pop-up window

6. Restart the computer to see if it works

Enable 1. 1 through the registry. Press Win to open the start menu

two。 Search the search box for "regedit" (full input is not required), and then click "Registry Editor"

3. Access the "computer\ HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa" path

4. Then double-click the value RunAsPPL to change it to "1". If it is not in the registry, right-click "New"-"DWORD (32-bit) value" and rename it to RunAsPPL

5. Restart the computer

Through group policy: 1. Use Win + R to combine shortcuts, then type gpedit.msc and click OK.

two。 Expand the computer configuration-Administrative templates-system, and then expand the local security agency.

3. Turn on the configure LSASS to run as a protected process option

4. Set the policy to enabled.

5. Under options, set configure LSA to run as a protected process so that:

UEFI locking enabled to configure the feature using the UEFI variable.

No UEFI locking enabled to configure features without UEFI variables.

6. Restart the computer.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.