LSA protection and attack surface rules

Peter 0 Reputation points
2023-11-11T19:15:16.79+00:00

Hi,

We are implemting defender ssecurity.
After putting ASR in audit we start to follow the recommandations.

After son time we see the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is not applicable.

After a long search I found the cause.

The recommandation "Enable 'Local Security Authority (LSA) protection'" lat me c reate a registry setting. "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL" to the value 1.

After deleting the registry key the ASR become applicable again.

I wondering two recommandations whice don't work toghter.

Whice way is the right one to follow The ASR rule or the registry setting?

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
365 questions
{count} votes

1 answer

Sort by: Most helpful
  1. ZhoumingDuan-MSFT 9,790 Reputation points Microsoft Vendor
    2023-11-13T02:24:17.16+00:00

    @Peter,Thanks for posting in Q&A.

    From you description, I know that you want to know whether LSA protection and attack surface rules can work together.

    Based on my research, I found that if you enable LSA protection rules alongside ASP rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)', the rule will not provide additional protection as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide#is-it-a-good-idea-to-enable-the-rule---block-credential-stealing-from-the-windows-local-security-authority-subsystem--lsass-exe----alongside-lsa-protection-

    We suggest that you can chose one of them to defender your device.

    Hope this can be helpful.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments