How about protecting LSA?

Discussion in 'Ghost Security Suite (GSS)' started by tuatara, May 30, 2005.

Thread Status:
Not open for further replies.
  1. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    XP registry is not my specialisation, so perhaps someone else can shine a light on this.

    At the time I did some study on this, I found that the LSA
    or Local Security Authority keys were holding all of XP's security
    settings of your system... (early XP days)

    Is this still the case?

    And how should this be protected?

    Something like this?:

    hkey_local_machine\system\currentcontrolset\control\lsa\* | * | Key + Value | Mod Key, Mod Value | Ask User
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Absolutely!

    It's already in the ghstfile I uploaded. Like so:

    hkey_local_machine\system\currentcontrolset\control\lsa | * | Value | Mod Key, Mod Value | Ask User

    Cheers,
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  4. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Sorry Tony,

    I must have overlooked it.

    So it is still useful to protect these even with SP2 etc.?

    thanks

    Tuatara

    btw I did a search on 'lsa' in this forum
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  6. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    hm.. perhaps it is better to look at the rest of my dusty notes,
    regarding registry risks... :)

    It must be SP#327652645 (read Service Pack number ...) that will solve these security holes ..


    MS has more than 30 years software experience (selling/building)

    :D
     
  7. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    More questions in the same area:-

    Besides HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,
    is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages important in XP? I saw an old article in http://support.microsoft.com/support/kb/articles/q99/8/85.asp that this may be an entry point to snoop for password changes.

    I have started to monitor for changes in the above registry keys, are there any other sub keys of Lsa that I should be monitoring?

    Many tnx in advance.
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    In fact we're currently thinking we might as well protect the entire LSA key, subkeys and all.

    I therefore recommend adding a wildcard for the LSA key itself

    Code:
    hkey_local_machine\system\controlset???\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\system\currentcontrolset\control\lsa* | * | Key + Value | Mod Key, Mod Value | Ask User
    That should take care of it.

    And, lest I forget, thanks for bringing this up! :)
     
    Last edited: Jun 11, 2005
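
Added example, not part of any post in this thread and not Ghost Security Suite code: a baseline-and-diff check over the whole Lsa key, values and subkeys, in every control set, which is the coverage post 8 recommends. `snapshot`, `diff`, `KEY_MARKER` and the sample snapshots are names and data constructed for this illustration; `snapshot` needs Windows, while the diff runs anywhere.

```python
KEY_MARKER = "<key>"  # assumed pseudo value name: records that a key exists

def snapshot(root="SYSTEM"):
    """Windows only: {(key path, value name): data} for each control set's Lsa tree."""
    import winreg  # standard library, available only on Windows
    snap = {}

    def walk(path):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            snap[(path.lower(), KEY_MARKER)] = None
            for i in range(n_val):
                name, data, _type = winreg.EnumValue(key, i)
                snap[(path.lower(), name.lower())] = data
            subkeys = [winreg.EnumKey(key, i) for i in range(n_sub)]
        for sub in subkeys:  # recurse so subkeys are covered too
            walk(path + "\\" + sub)

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as system:
        count = winreg.QueryInfoKey(system)[0]
        sets = [winreg.EnumKey(system, i) for i in range(count)]
    for name in sets:  # CurrentControlSet and the numbered ControlSet00x copies
        if "controlset" in name.lower():
            walk(root + "\\" + name + "\\Control\\Lsa")
    return snap

def diff(baseline, current):
    """Return sorted (change, key path, value name) tuples between two snapshots."""
    changes = []
    for entry in baseline.keys() | current.keys():
        if entry not in baseline:
            changes.append(("added",) + entry)
        elif entry not in current:
            changes.append(("removed",) + entry)
        elif baseline[entry] != current[entry]:
            changes.append(("modified",) + entry)
    return sorted(changes)

# Constructed sample snapshots (not captured from a real system).
LSA = "system\\currentcontrolset\\control\\lsa"
BASELINE = {(LSA, KEY_MARKER): None,
            (LSA, "notification packages"): ["scecli"]}
CURRENT = {(LSA, KEY_MARKER): None,
           (LSA, "notification packages"): ["scecli", "example_filter"],
           (LSA + "\\examplesub", KEY_MARKER): None}

if __name__ == "__main__":
    for change in diff(BASELINE, CURRENT):
        print(*change, sep=" | ")
```

On Windows, keep one `snapshot()` result as the baseline and pass a later one as `current`.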
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Unfortunately, 3-letter searches will come up empty; there are simply too many 3-letter words available.

    Cheers :D
     