Configuring Additional LSA Protection

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional explains how to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. The protected process setting for LSA can be configured in Windows 8.1, but it cannot be configured in Windows RT 8.1. When this setting is used in conjunction with Secure Boot, additional protection is achieved because disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key has no effect.

Protected process requirements for plug-ins or drivers

For an LSA plug-in or driver to successfully load as a protected process, it must meet the following criteria:

  1. Signature verification

    Protected mode requires that any plug-in that is loaded into the LSA is digitally signed with a Microsoft signature. Therefore, any plug-ins that are unsigned or are not signed with a Microsoft signature will fail to load in LSA. Examples of these plug-ins are smart card drivers, cryptographic plug-ins, and password filters.

    LSA plug-ins that are drivers, such as smart card drivers, need to be signed by using the WHQL Certification. For more information, see WHQL Release Signature (Windows Drivers).

    LSA plug-ins that do not have a WHQL Certification process must be signed by using the file signing service for LSA.

  2. Adherence to the Microsoft Security Development Lifecycle (SDL) process guidance

    All of the plug-ins must conform to the applicable SDL process guidance. For more information, see the Microsoft Security Development Lifecycle (SDL) Appendix.

    Even if the plug-ins are properly signed with a Microsoft signature, non-compliance with the SDL process can result in failure to load a plug-in.

Use the following list to thoroughly test that LSA protection is enabled before you broadly deploy the feature:

  • Identify all of the LSA plug-ins and drivers that are in use within your organization. This includes non-Microsoft drivers or plug-ins such as smart card drivers and cryptographic plug-ins, and any internally developed software that is used to enforce password filters or password change notifications.

  • Ensure that all of the LSA plug-ins are digitally signed with a Microsoft certificate so that the plug-ins will not fail to load.

  • Ensure that all of the correctly signed plug-ins can successfully load into LSA and that they perform as expected.

  • Use the audit logs to identify LSA plug-ins and drivers that fail to run as a protected process.

How to identify LSA plug-ins and drivers that fail to run as a protected process

The events described in this section are located in the Operational log under Applications and Services Logs\Microsoft\Windows\CodeIntegrity. They can help you identify LSA plug-ins and drivers that are failing to load due to signing reasons. To manage these events, you can use the wevtutil command-line tool. For information about this tool, see Wevtutil.

Before opting in: How to identify plug-ins and drivers loaded by lsass.exe

You can use the audit mode to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode. While in the audit mode, the system will generate event logs, identifying all of the plug-ins and drivers that will fail to load under LSA if LSA Protection is enabled. The messages are logged without blocking the plug-ins or drivers.

To enable the audit mode for Lsass.exe on a single computer by editing the Registry
  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.

  2. Set the value of the registry key to AuditLevel=dword:00000008.

  3. Restart the computer.

Analyze the results of event 3065 and event 3066.

  • Event 3065: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a particular driver that did not meet the security requirements for Shared Sections. However, due to the system policy that is set, the image was allowed to load.

  • Event 3066: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a particular driver that did not meet the Microsoft signing level requirements. However, due to the system policy that is set, the image was allowed to load.
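The audit-mode procedure above, scripted as an added example (this is not code from the original article): it sets AuditLevel=8 under the LSASS.exe Image File Execution Options key and, after the restart, pulls events 3065 and 3066 from the CodeIntegrity Operational log so the offending images can be reviewed before opting in. Function names are this example's own, and an elevated PowerShell session is assumed.

```powershell
# Added example: enable LSA protection audit mode and collect the audit events.
# Assumes an elevated session; Enable-LsaAuditMode / Get-LsaAuditEvents are
# names chosen for this example, not cmdlets shipped with Windows.
$IfeoLsass = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Enable-LsaAuditMode {
    # Create the IFEO\LSASS.exe key if it is missing, then set AuditLevel = 8 (REG_DWORD).
    if (-not (Test-Path $IfeoLsass)) { New-Item -Path $IfeoLsass -Force | Out-Null }
    New-ItemProperty -Path $IfeoLsass -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null
    Write-Host 'AuditLevel=8 set. Restart the computer; events 3065/3066 are logged only after the reboot.'
}

function Get-LsaAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # 3065: image with Shared Sections was allowed to load by policy (audit mode).
    # 3066: image below the Microsoft signing level was allowed to load by policy.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3065, 3066
        StartTime = $Since
    }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Issue   = if ($e.Id -eq 3065) { 'Shared Sections' } else { 'Microsoft signing level' }
            Message = $e.Message   # names the process and the image it tried to load
        }
    }
}

# Usage: run Enable-LsaAuditMode, restart, then list what would be blocked under RunAsPPL.
# Enable-LsaAuditMode
Get-LsaAuditEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

An image that appears with both 3065 and 3066 needs its Shared Sections removed as well as a Microsoft signature, as the note below explains.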

Important

These operational events are not generated when a kernel debugger is attached and enabled on a system.

If a plug-in or driver contains Shared Sections, Event 3066 is logged together with Event 3065. Removing the Shared Sections should prevent both events from occurring unless the plug-in does not meet the Microsoft signing level requirements.

To enable audit mode for multiple computers in a domain, you can use the Registry Client-Side Extension for Group Policy to deploy the Lsass.exe audit-level registry value. You need to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe registry key.

To create the AuditLevel value setting in a GPO
  1. Open the Group Policy Management Console (GPMC).

  2. Create a new Group Policy Object (GPO) that is linked at the domain level or that is linked to the organizational unit that contains your computer accounts. Or you can select a GPO that is already deployed.

  3. Right-click the GPO, and then click Edit to open the Group Policy Management Editor.

  4. Expand Computer Configuration, expand Preferences, and then expand Windows Settings.

  5. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.

  6. In the Hive list, click HKEY_LOCAL_MACHINE.

  7. In the Key Path list, browse to SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.

  8. In the Value name box, type AuditLevel.

  9. In the Value type box, click to select REG_DWORD.

  10. In the Value data box, type 00000008.

  11. Click OK.

Note

For the GPO to take effect, the GPO change must be replicated to all domain controllers in the domain.

To opt in to additional LSA protection on multiple computers, you can use the Registry Client-Side Extension for Group Policy to modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. For steps about how to do this, see How to configure additional LSA protection of credentials in this topic.

After opting in: How to identify plug-ins and drivers loaded by lsass.exe

You can use the event log to identify LSA plug-ins and drivers that failed to load in LSA Protection mode. When the LSA protected process is enabled, the system generates event logs that identify all of the plug-ins and drivers that failed to load under LSA.

Analyze the results of Event 3033 and Event 3063.

  • Event 3033: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a driver that did not meet the Microsoft signing level requirements.

  • Event 3063: This event records that a code integrity check determined that a process (usually lsass.exe) attempted to load a driver that did not meet the security requirements for Shared Sections.

Shared Sections are typically the result of programming techniques that allow instance data to interact with other processes that use the same security context. This can create security vulnerabilities.

How to configure additional LSA protection of credentials

On devices running Windows 8.1 (with or without Secure Boot or UEFI), configuration is possible by performing the procedures described in this section. For devices running Windows RT 8.1, lsass.exe protection is always enabled, and it cannot be turned off.

On x86-based or x64-based devices, with or without Secure Boot and UEFI

On x86-based or x64-based devices that use Secure Boot and UEFI, a UEFI variable is set in the UEFI firmware when LSA protection is enabled by using the registry key. Once the setting is stored in the firmware, the UEFI variable cannot be deleted or changed by editing the registry key; the UEFI variable itself must be reset.

x86-based or x64-based devices that do not support UEFI, or on which Secure Boot is disabled, cannot store the configuration for LSA protection in the firmware and rely solely on the presence of the registry key. In this scenario, it is possible to disable LSA protection by using remote access to the device.

You can use the following procedures to enable or disable LSA protection:

To enable LSA protection on a single computer
  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

  2. Set the value of the registry key to: "RunAsPPL"=dword:00000001.

  3. Restart the computer.

To enable LSA protection using Group Policy
  1. Open the Group Policy Management Console (GPMC).

  2. Create a new GPO that is linked at the domain level or that is linked to the organizational unit that contains your computer accounts. Or you can select a GPO that is already deployed.

  3. Right-click the GPO, and then click Edit to open the Group Policy Management Editor.

  4. Expand Computer Configuration, expand Preferences, and then expand Windows Settings.

  5. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.

  6. In the Hive list, click HKEY_LOCAL_MACHINE.

  7. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa.

  8. In the Value name box, type RunAsPPL.

  9. In the Value type box, click to select REG_DWORD.

  10. In the Value data box, type 00000001.

  11. Click OK.

To disable LSA protection
  1. Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

  2. Delete the following value from the registry key: "RunAsPPL"=dword:00000001.

  3. Use the Local Security Authority (LSA) Protected Process Opt-out tool to delete the UEFI variable if the device is using Secure Boot.

    For more information about the opt-out tool, see Download Local Security Authority (LSA) Protected Process Opt-out from the Official Microsoft Download Center.

    For more information about managing Secure Boot, see UEFI Firmware.

    Warning

    When Secure Boot is turned off, all the Secure Boot and UEFI-related configurations are reset. You should turn off Secure Boot only when all other means to disable LSA protection have failed.

Verifying LSA protection

To discover whether LSA was started in protected mode when Windows started, search for the following WinInit event in the System log under Windows Logs:

  • 12: LSASS.exe was started as a protected process with level: 4
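The single-computer opt-in and the verification step above, combined into one added example (not code from the original article): it sets RunAsPPL=1, records whether the device will also persist the opt-in as a UEFI variable (the case where deleting the registry value later is not enough and the opt-out tool is needed), and after the restart confirms WinInit event 12 in the System log and counts the 3033/3063 blocks since boot. Function names are this example's own; the WinInit provider name Microsoft-Windows-Wininit and an elevated session are assumed.

```powershell
# Added example: enable LSA protection, note the UEFI persistence caveat, and verify after reboot.
# Assumes an elevated session. Enable-LsaProtection / Test-LsaProtection are names chosen
# for this example; the WinInit provider name below is assumed to be 'Microsoft-Windows-Wininit'.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-LsaProtection {
    New-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force | Out-Null
    # On Secure Boot + UEFI devices the opt-in is also written to a UEFI variable, so removing
    # RunAsPPL from the registry alone will not disable protection; the opt-out tool is required.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }   # throws on legacy BIOS
    [pscustomobject]@{
        RunAsPPL        = (Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL').RunAsPPL
        PersistedInUefi = $secureBoot
        RestartRequired = $true
    }
}

function Test-LsaProtection {
    # Only events from the current boot matter: event 12 is written once at startup.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $started = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12; StartTime = $boot
    } -ErrorAction SilentlyContinue
    # 3033 / 3063 identify plug-ins and drivers that LSA refused to load since the opt-in.
    $blocked = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033, 3063; StartTime = $boot
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunningAsPPL   = [bool]$started
        BlockedLoads   = @($blocked).Count
        BlockedDetails = @($blocked | ForEach-Object { "$($_.Id): $($_.Message)" })
    }
}

# Usage: Enable-LsaProtection, restart, then Test-LsaProtection.
# Enable-LsaProtection
Test-LsaProtection | Format-List
```

A result with RunningAsPPL true and BlockedLoads greater than zero means protection is on but a plug-in from the audit-mode inventory was missed; resolve the signing or Shared Sections issue rather than disabling protection.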

Additional resources

Credentials Protection and Management

File signing service for LSA