LSA ProtectionID: oval:org.secpod.oval:def:29989 | Date: (C)2015-10-14 (M)2023-07-14 |
Class: COMPLIANCE | Family: windows |
Use this setting to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
On x86-based or x64-based devices that use Secure Boot and UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. When the setting is stored in the firmware, the UEFI variable cannot be deleted or changed in the registry key. The UEFI variable must be reset.
x86-based or x64-based devices that do not support UEFI or Secure Boot are disabled, cannot store the configuration for LSA protection in the firmware, and rely solely on the presence of the registry key. In this scenario, it is possible to disable LSA protection by using remote access to the device.
If you enable this setting, LSA protection is enabled.
If you disable or do not configure this setting, LSA protection is not enabled.
For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx
Fix:
(1) GPO: Computer Configuration\Administrative Templates\SCM: Pass the Hash Mitigations!Enable LSA Protection
(2) REG: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa!RunAsPPL
Platform: |
Microsoft Windows 8.1 |