18.4.7 (L1) Ensure 'LSA Protection' is set to 'Enabled'

Information

This policy setting controls whether the Local Security Authority Server Service (LSASS) process runs protected. The Local Security Authority (LSA), which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.

The recommended state for this setting is: Enabled

Note: This setting only applies to Windows 8.1 (or newer) except for Windows 11 (or newer). See policy setting

Configure LSASS to run as a protected process

.

The Windows 8.1 operating system (or newer) provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. Enabling this setting provides added security for the credentials that LSA stores and manages.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\MS Security Guide\LSA Protection

Note: This Group Policy path does not exist by default. An additional Group Policy template ( SecGuide.admx/adml ) is required - it is available from Microsoft at

this link

.

Impact:

If additional LSA protection is enabled, Administrators will not be able to debug a custom LSA plugin. A debugger cannot be attached to LSASS when it's a protected process. In general, there's no supported way to debug a running protected process.

See Also

https://workbench.cisecurity.org/benchmarks/16514

Item Details

Category: CONTINGENCY PLANNING

References: 800-53|CP-10, CSCv7|10.5

Plugin: Windows

Control ID: 5847f69e4be236533648ff54305e83e897c3d4f50b29e9831b33ebd7a8732b1a