How about protecting LSA ?

Discussion in 'Ghost Security Suite (GSS)' started by tuatara, May 30, 2005.

Thread Status:
Not open for further replies.
  1. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    773
    XP registry is not my specialisation, so perhaps someone else can shine a light on this.

    At the time i did some study on this i found that the LSA
    or Local Security Authority keys where holding all of the XP's security
    settings of your system..(early XP days)

    Is this still the case ?

    And how should this be protected?

    Something like this ?:

    hkey_local_machine\system\currentcontrolset\control\lsa\* | * | Key + Value | Mod Key, Mod Value | Ask User
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
    Absolutely!

    It's already in the ghstfile I uploaded. Like so:

    hkey_local_machine\system\currentcontrolset\control\lsa | * | Value | Mod Key, Mod Value | Ask User

    Cheers,
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
  4. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    773
    Sorry Tony,

    i must have overlooked it.

    So it still is usefull to protect these even with SP2 etc?

    thanks

    Tuatara

    btw i did a search on 'lsa' in this forum
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
  6. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    773
    hm.. perhaps it is better to look at the rest of my dusty notes,
    regarding registry riscs... :)

    It must be SP#327652645 (read Service Pack number ...) that will solve these security holes ..


    MS has more then 30 years software experience (selling/building)

    :D
     
  7. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    More questions in the same area:-

    Besides HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,
    is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages important in XP? I saw an old article in http://support.microsoft.com/support/kb/articles/q99/8/85.asp that this may be an entry point to snoop for password changes.

    I have started to monitor for changes in the above registry keys, are there any other sub keys of Lsa that i should be monitoring?

    Many tnx in advance.
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
    In fact we're currently thinking we might as well protect the entire LSA key, subkeys and all.

    I therefore recommend adding a wildcard for the LSA key itself

    Code:
    hkey_local_machine\system\controlset???\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\system\currentcontrolset\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User
    That should take care of it.

    And, lest I forget, thanks for bringing this up! :)
     
    Last edited: Jun 11, 2005
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Unfortunately 3 letter searches will come up empty, there are simply too many 3 letter words available.

    Cheers :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.