18.9.26.2 (L1) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'

Information

This policy setting controls whether the Local Security Authority Subservice Service (LSASS) runs in protected mode and also has the option to lock in protected mode with Unified Extensible Firmware Interface (UEFI). The Local Security Authority (LSA), which includes the LSASS process, validates users for local and remote sign-ins and enforces local security policies.

The recommended state for this setting is: Enabled: Enabled with UEFI Lock

Note: This additional protection to prevent reading memory and code injection by non-protected processes is supported by Windows 8.1 (or newer).

Provides added security for the credentials that LSA stores and manages. Enabling this setting with UEFI Lock prevents the setting from being changed remotely.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled with UEFI Lock :

Computer Configuration\Policies\Administrative Templates\System\Local Security Authority\Configures LSASS to run as a protected process

Impact:

Once this setting has been applied (Enabled), removing the group policy setting (set to Not Configured) will not reverse the impact. In order to reverse the impact, you must explicitly configure this setting to Disabled and follow

Microsoft's documentation on disabling the UEFI Lock

.

See Also

https://workbench.cisecurity.org/benchmarks/17603

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16

Plugin: Windows

Control ID: 25a5b57bc0440ebe4463fd0c8cf789e64fa34a7ade13265b963410092deae3cb