LSA Auditing

Glenn Maxwell 10,551 Reputation points
2024-05-20T19:43:17.6+00:00

Hi All

I have the following requirement to enable (Enforce LSA Auditing) through GPO on all my servers. I have an OU with a couple of test VMs, and I have created a GPO and enabled the two policies below:

Computer Configuration > Administrative Templates > SCM: Pass the Hash Mitigations > Lsass.exe audit mode > Enabled

To confirm this policy is working, I need to generate Event IDs: 3063, 3065, 3033, and 3066. How can I test this GPO? Specifically, how can I generate these event IDs on the test VMs, and where should I check for these event IDs? Will they appear in the System event logs?

Computer Configuration > Administrative Templates > SCM: Pass the Hash Mitigations > LSA Protection > Enabled

How can I test the LSA Protection policy by generating relevant events?

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,537 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,413 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,398 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,053 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,760 questions
0 comments No comments
{count} votes

Accepted answer
  1. Yanhong Liu 3,660 Reputation points Microsoft Vendor
    2024-05-21T06:00:23.88+00:00

    Hello,

    Thank you for posting in Q&A forum.

    To generate relevant events for testing LSA protection, you can enable all plug-ins and drivers that cannot be loaded under LSA when LSA protection is enabled. Please refer to the following link: Configure added LSA protection | Microsoft Learn

    Configuring Additional LSA Protection | Microsoft Learn

    LSA events are located in the Operations Log under Applications and Services Logs\Microsoft\Windows\CodeIntegrity. They can help you identify LSA plug-ins and drivers that cannot be loaded due to signature reasons. To manage these events, you can use the wevtutil command-line tool. Recommended reference links: Wevtutil | Microsoft Learn

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

0 additional answers

Sort by: Most helpful