Information
This policy setting controls whether the Local Security Authority Server Service (LSASS) process runs protected. The Local Security Authority (LSA), which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
The recommended state for this setting is: Enabled
Note: This setting only applies to Windows Server 2012 R2 (and newer) except for Windows Server 2022 (and newer). See policy setting "Configure LSASS to run as a protected process".
Windows Server 2012 R2 (and newer) provides additional protection for the LSA to prevent memory reads and code injection by non-protected processes. Enabling this setting provides added security for the credentials that LSA stores and manages.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\LSA Protection
Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required; it is available from Microsoft at this link.
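One way to audit this setting on a host, as an added example (not from the original page, the CIS benchmark, or Microsoft): it reads the RunAsPPL registry value that the LSA Protection policy writes and looks for the boot-time Wininit event confirming that LSASS actually started as a protected process. The registry path and the Wininit event ID 12 are assumed from general Windows documentation rather than taken from this page, and the setting only takes effect after a reboot.

```powershell
# Added example (not from the original page): audit LSA Protection on a host.
# Assumptions: the LSA Protection policy writes the DWORD RunAsPPL under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = enabled; newer builds may also
# use 2), and Wininit logs event ID 12 in the System log when LSASS starts
# protected. Confirm both against your own hosts before relying on this check.
function Test-LsaProtection {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value  = Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue

    # A missing value means the policy was never applied (the GPO path is not
    # present by default, so this is the common finding on unmanaged hosts).
    $configured = $null -ne $value
    $runAsPpl   = if ($configured) { [int]$value.RunAsPPL } else { 0 }

    # The registry value alone is not proof: it is read at boot, so a host that
    # was configured but not rebooted is still running an unprotected LSASS.
    $bootEvent = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $protectedNow = $null -ne $bootEvent

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RunAsPPLValue       = $runAsPpl
        PolicyConfigured    = $configured
        ProtectedAtLastBoot = $protectedNow
        Compliant           = ($runAsPpl -ge 1) -and $protectedNow
        Finding             = if ($runAsPpl -lt 1) {
                                  'LSA Protection not configured: set the MS Security Guide LSA Protection policy to Enabled and reboot'
                              } elseif (-not $protectedNow) {
                                  'RunAsPPL is set but no protected-start event found: reboot required or event log rolled over'
                              } else {
                                  'None'
                              }
    }
}

# Run on the host (or via Invoke-Command across a set of servers) and review.
Test-LsaProtection | Format-List
```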
Impact:
If additional LSA protection is enabled, Administrators will not be able to debug a custom LSA plugin. A debugger cannot be attached to LSASS when it's a protected process. In general, there's no supported way to debug a running protected process.