How about protecting LSA ?

XP registry is not my specialisation, so perhaps someone else can shine a light on this.

At the time i did some study on this i found that the LSA
or Local Security Authority keys where holding all of the XP's security
settings of your system..(early XP days)

Is this still the case ?

And how should this be protected?

Something like this ?:

hkey_local_machine\system\currentcontrolset\control\lsa\* | * | Key + Value | Mod Key, Mod Value | Ask User

 

Absolutely!

It's already in the ghstfile I uploaded. Like so:

hkey_local_machine\system\currentcontrolset\control\lsa | * | Value | Mod Key, Mod Value | Ask User

Cheers,

 

BTW, here's a link to the post in question:

https://www.wilderssecurity.com/showpost.php?p=473228&postcount=108

 

Sorry Tony,

i must have overlooked it.

So it still is usefull to protect these even with SP2 etc?

thanks

Tuatara

btw i did a search on 'lsa' in this forum

 

It's still worth protecting. And don't forget that there are millions of unpatched systems around (although I will admit that not too many of those folks will be running RegDefend... LOL

But take for example a look at this Trend Micro write up:

http://fr.trendmicro-europe.com/smb/security_info/ve_detail.php?id=65143&VName=WORM_SDBOT.VS&VSect=T

There are dozens of worms trying to hack in there...

 

hm.. perhaps it is better to look at the rest of my dusty notes,
regarding registry riscs...

It must be SP#327652645 (read Service Pack number ...) that will solve these security holes ..


MS has more then 30 years software experience (selling/building)

 

More questions in the same area:-

Besides HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,
is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA \Notification Packages important in XP? I saw an old article in http://support.microsoft.com/support/kb/articles/q99/8/85.asp that this may be an entry point to snoop for password changes.

I have started to monitor for changes in the above registry keys, are there any other sub keys of Lsa that i should be monitoring?

Many tnx in advance.

 

In fact we're currently thinking we might as well protect the entire LSA key, subkeys and all.

I therefore recommend adding a wildcard for the LSA key itself

Code:

hkey_local_machine\system\controlset???\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User
hkey_local_machine\system\currentcontrolset\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User

That should take care of it.

And, lest I forget, thanks for bringing this up!

 

Unfortunately 3 letter searches will come up empty, there are simply too many 3 letter words available.

Cheers