Configuring Additional LSA Protection

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional explains how to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent non-protected processes from reading its memory or injecting code into it. This provides added security for the credentials that the LSA stores and manages. The protected process setting for LSA can be configured in Windows 8.1, but it cannot be configured in Windows RT 8.1. When this setting is used in conjunction with Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.

Protected process requirements for plug-ins or drivers

For an LSA plug-in or driver to successfully load as a protected process, it must meet the following criteria:

  1. Signature verification

    Protected mode requires that any plug-in that is loaded into the LSA is digitally signed with a Microsoft signature. Therefore, any plug-ins that are unsigned or are not signed with a Microsoft signature will fail to load in LSA. Examples of these plug-ins are smart card drivers, cryptographic plug-ins, and password filters.

    LSA plug-ins that are drivers, such as smart card drivers, need to be signed by using the WHQL Certification. For more information, see WHQL Release Signature.

    LSA plug-ins that do not go through the WHQL Certification process must be signed by using the file signing service for LSA.

  2. Adherence to the Microsoft Security Development Lifecycle (SDL) process guidance

    All of the plug-ins must conform to the applicable SDL process guidance. For more information, see the Microsoft Security Development Lifecycle (SDL) Appendix.

    Even if the plug-ins are properly signed with a Microsoft signature, non-compliance with the SDL process can result in failure to load a plug-in.

Use the following list to thoroughly test that LSA protection is enabled before you broadly deploy the feature:

  • Identify all of the LSA plug-ins and drivers that are in use within your organization. This includes non-Microsoft drivers or plug-ins such as smart card drivers and cryptographic plug-ins, and any internally developed software that is used to enforce password filters or password change notifications.

  • Ensure that all of the LSA plug-ins are digitally signed with a Microsoft certificate so that the plug-in will not fail to load.

  • Ensure that all of the correctly signed plug-ins can successfully load into LSA and that they perform as expected.

  • Use the audit logs to identify LSA plug-ins and drivers that fail to run as a protected process.

Limitations introduced with enabled LSA protection

If LSA protection is enabled, you cannot debug a custom LSA plug-in. You can't attach a debugger to LSASS when it's a protected process. In general, there is no supported way to debug a running protected process.

How to identify LSA plug-ins and drivers that fail to run as a protected process

The events described in this section are located in the Operational log under Applications and Services Logs\Microsoft\Windows\CodeIntegrity. They can help you identify LSA plug-ins and drivers that are failing to load due to signing reasons. To manage these events, you can use the wevtutil command-line tool. For information about this tool, see Wevtutil.

Before opting in: How to identify plug-ins and drivers loaded by lsass.exe

You can use the audit mode to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode. While in the audit mode, the system will generate event logs identifying all of the plug-ins and drivers that would fail to load under LSA if LSA Protection were enabled. The messages are logged without blocking the plug-ins or drivers.

To enable the audit mode for Lsass.exe on a single computer by editing the Registry
  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.

  2. Set the value of the registry key to AuditLevel=dword:00000008.

  3. Restart the computer.

Analyze the results of event 3065 and event 3066.

After this, you may see these events in Event Viewer under Microsoft-Windows-CodeIntegrity/Operational:

  • Event 3065: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a particular driver that did not meet the security requirements for Shared Sections. However, due to the system policy that is set, the image was allowed to load.

  • Event 3066: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a particular driver that did not meet the Microsoft signing level requirements. However, due to the system policy that is set, the image was allowed to load.

Important

These operational events are not generated when a kernel debugger is attached and enabled on a system.

If a plug-in or driver contains Shared Sections, Event 3066 is logged together with Event 3065. Removing the Shared Sections should prevent both events from occurring unless the plug-in also does not meet the Microsoft signing level requirements.
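The single-computer audit-mode procedure above (set AuditLevel to 8 under the Image File Execution Options key for LSASS.exe, reboot, then review events 3065 and 3066) can be driven from an elevated PowerShell session. The following is an added example and not code from the Microsoft documentation; the function names Enable-LsassAuditMode and Get-LsassAuditFindings are my own. The registry path, value name, value data and event IDs are the ones the topic gives; the CodeIntegrity log name is the one Event Viewer displays for that log.

```powershell
# Added example (not part of the Microsoft topic). Run in an elevated PowerShell session.
# Registry key from the topic: IFEO entry for LSASS.exe.
$IfeoLsass = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Enable-LsassAuditMode {
    # Step 1 of the procedure: create the key if it is missing and set AuditLevel = 8 (REG_DWORD).
    # The setting is read by lsass.exe at start-up, so a reboot is required before events appear.
    if (-not (Test-Path -Path $IfeoLsass)) {
        New-Item -Path $IfeoLsass -Force | Out-Null
    }
    New-ItemProperty -Path $IfeoLsass -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null
    # Return the value that was written so the caller can confirm it.
    (Get-ItemProperty -Path $IfeoLsass -Name 'AuditLevel').AuditLevel
}

function Get-LsassAuditFindings {
    # Step 2 (after the reboot and after exercising sign-ins, smart cards, password changes, ...):
    # collect events 3065 (Shared Sections) and 3066 (Microsoft signing level) from the
    # CodeIntegrity Operational log. In audit mode both mean "would have been blocked, but
    # was allowed to load because of the system policy that is set".
    param([int]$Days = 7)   # look-back window, constructed default

    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Reason  = if ($e.Id -eq 3066) { 'Microsoft signing level not met' } else { 'Shared Sections present' }
            Message = $e.Message   # names the image lsass.exe tried to load
        }
    }
}

# Usage:
#   Enable-LsassAuditMode      # then Restart-Computer
#   Get-LsassAuditFindings | Sort-Object Time | Format-Table -AutoSize
```

Every image that appears in the output is one that would be blocked once RunAsPPL is enabled, so the list doubles as the inventory the "Identify all of the LSA plug-ins and drivers" checklist item asks for. A plug-in that shows up with both IDs needs its Shared Sections removed and its signature checked, as the Important note explains.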

To enable audit mode for multiple computers in a domain, you can use the Registry Client-Side Extension for Group Policy to deploy the Lsass.exe audit-level registry value. You need to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe registry key.

To create the AuditLevel value setting in a GPO
  1. Open the Group Policy Management Console (GPMC).

  2. Create a new Group Policy Object (GPO) that is linked at the domain level or that is linked to the organizational unit that contains your computer accounts. Or you can select a GPO that is already deployed.

  3. Right-click the GPO, and then click Edit to open the Group Policy Management Editor.

  4. Expand Computer Configuration, expand Preferences, and then expand Windows Settings.

  5. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.

  6. In the Hive list, click HKEY_LOCAL_MACHINE.

  7. In the Key Path list, browse to SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.

  8. In the Value name box, type AuditLevel.

  9. In the Value type box, select REG_DWORD.

  10. In the Value data box, type 00000008.

  11. Click OK.

Note

For the GPO to take effect, the GPO change must be replicated to all domain controllers in the domain.

To opt in for additional LSA protection on multiple computers, you can use the Registry Client-Side Extension for Group Policy by modifying HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. For steps about how to do this, see How to configure additional LSA protection of credentials in this topic.

After opting in: How to identify plug-ins and drivers loaded by lsass.exe

You can use the event log to identify LSA plug-ins and drivers that failed to load in LSA Protection mode. When the LSA protected process is enabled, the system generates event logs that identify all of the plug-ins and drivers that failed to load under LSA.

Analyze the results of Event 3033 and Event 3063.

After this, you may see these events in Event Viewer under Microsoft-Windows-CodeIntegrity/Operational:

  • Event 3033: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a driver that did not meet the Microsoft signing level requirements.

  • Event 3063: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a driver that did not meet the security requirements for Shared Sections.

Shared Sections are typically the result of programming techniques that allow instance data to interact with other processes that use the same security context. This can create security vulnerabilities.

How to configure additional LSA protection of credentials

On devices running Windows 8.1 (with or without Secure Boot or UEFI), configuration is possible by performing the procedures described in this section. For devices running Windows RT 8.1, lsass.exe protection is always enabled, and it cannot be turned off.

On x86-based or x64-based devices, with or without Secure Boot and UEFI

On x86-based or x64-based devices that use Secure Boot or UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. Once the setting is stored in the firmware, it cannot be deleted or changed by editing the registry key; the UEFI variable must be reset.

x86-based or x64-based devices that do not support UEFI, or on which Secure Boot is disabled, cannot store the configuration for LSA protection in the firmware and rely solely on the presence of the registry key. In this scenario, it is possible to disable LSA protection by using remote access to the device.

You can use the following procedures to enable or disable LSA protection:

To enable LSA protection on a single computer
  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

  2. Set the value of the registry key to: "RunAsPPL"=dword:00000001.

  3. Restart the computer.

To enable LSA protection using Group Policy
  1. Open the Group Policy Management Console (GPMC).

  2. Create a new GPO that is linked at the domain level or that is linked to the organizational unit that contains your computer accounts. Or you can select a GPO that is already deployed.

  3. Right-click the GPO, and then click Edit to open the Group Policy Management Editor.

  4. Expand Computer Configuration, expand Preferences, and then expand Windows Settings.

  5. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.

  6. In the Hive list, click HKEY_LOCAL_MACHINE.

  7. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa.

  8. In the Value name box, type RunAsPPL.

  9. In the Value type box, select REG_DWORD.

  10. In the Value data box, type 00000001.

  11. Click OK.

To disable LSA protection
  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

  2. Delete the following value from the registry key: "RunAsPPL"=dword:00000001.

  3. If the device is using Secure Boot, use the Local Security Authority (LSA) Protected Process Opt-out tool to delete the UEFI variable.

    For more information about the opt-out tool, see Download Local Security Authority (LSA) Protected Process Opt-out from Official Microsoft Download Center.

    For more information about managing Secure Boot, see UEFI Firmware.

    Warning

    When Secure Boot is turned off, all the Secure Boot and UEFI-related configurations are reset. You should turn off Secure Boot only when all other means to disable LSA protection have failed.

Verifying LSA protection

To discover whether LSA was started in protected mode when Windows started, search for the following WinInit event in the System log under Windows Logs:

  • 12: LSASS.exe was started as a protected process with level: 4
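The single-computer opt-in (RunAsPPL=1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa), the post-opt-in blocked-load events 3033 and 3063, and the WinInit event 12 check described above can be combined into one verification routine. This is an added example and not code from the Microsoft documentation; the function names Enable-LsaProtection, Test-LsaProtection and Get-LsaLoadFailures are my own, and the provider name Microsoft-Windows-Wininit is assumed to be the source the System log records for WinInit event 12.

```powershell
# Added example (not part of the Microsoft topic). Run in an elevated PowerShell session.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-LsaProtection {
    # Opt in: RunAsPPL = 1 (REG_DWORD). LSASS reads this at boot, so reboot afterwards.
    # On UEFI/Secure Boot devices this also sets a UEFI variable that the registry alone
    # cannot clear (see "To disable LSA protection" for the opt-out tool).
    New-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL').RunAsPPL
}

function Test-LsaProtection {
    # Reports the registry opt-in state and whether WinInit logged event 12
    # ("LSASS.exe was started as a protected process with level: 4") since the last boot.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL

    $wininit = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'   # assumed provider name for WinInit
        Id           = 12
        StartTime    = $lastBoot
    } -ErrorAction SilentlyContinue | Select-Object -First 1

    [pscustomobject]@{
        RunAsPPLValue    = $runAsPpl                 # $null when the value is absent
        StartedProtected = [bool]$wininit            # $true only if event 12 exists for this boot
        WinInitMessage   = if ($wininit) { $wininit.Message } else { 'no WinInit event 12 since last boot' }
    }
}

function Get-LsaLoadFailures {
    # After opting in, 3033 (Microsoft signing level) and 3063 (Shared Sections) record
    # plug-ins and drivers that were actually blocked from loading into LSASS.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3033, 3063
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage:
#   Enable-LsaProtection    # then Restart-Computer
#   Test-LsaProtection      # expect RunAsPPLValue = 1 and StartedProtected = $true
#   Get-LsaLoadFailures     # anything listed here stopped working when protection went live
```

A registry value of 1 with StartedProtected still $false after a reboot means the setting is present but LSASS did not start as a protected process at the last boot, which is the case to investigate before relying on the protection; conversely, StartedProtected $true with no RunAsPPL value on a Secure Boot device indicates the UEFI variable is still enforcing the setting, as the "On x86-based or x64-based devices" section describes.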

Additional resources

Credentials Protection and Management

File signing service for LSA