Mohamed Saber
Active Directory Domain Controller
Local Security Authority (LSA)

What is the Local Security Authority (LSA)?

  1. Understanding Local Security Authority (LSA)
  2. How it Works
  3. LSA in Windows 10 and 11
  4. Components of LSA
  5. LSA Security Mechanisms
  6. LSA and Active Directory
  7. Best Practices for Managing LSA Security
  8. References


Understanding Local Security Authority (LSA)

Definition and Key Responsibilities

  • The Local Security Authority (LSA) is a critical component within the Microsoft Windows operating system, tasked with enforcing security policies on the system.

  • It acts as the gatekeeper for accessing the computer, handling user logins, authentication, and authorization processes.

  • The LSA is responsible for verifying the credentials of a user who attempts to access the system and for determining, based on the configured policies, whether that user should be granted access.

  • Additionally, it manages password changes and creates access tokens, which define the resources and operations the user can access and perform during their session.

  • The Local Security Authority (LSA) is responsible for managing interactive logons to the system.

Historical Context and Evolution

Historically, the LSA has been a cornerstone of Windows security since its early versions, evolving alongside the operating system to address the growing complexity and sophistication of cybersecurity threats. In earlier Windows versions, the LSA’s primary focus was on managing local and network logins using various authentication protocols. Over time, as Windows transitioned from a predominantly standalone operating system to a networked environment, the role of the LSA expanded to include more advanced security mechanisms, such as Kerberos protocol support for domain environments and integration with Active Directory.


How it Works

How it Works(Local Authentication)

  • When a user attempts to log on locally by entering a username and password in the logon dialog box, the logon process invokes the LSA. The LSA passes the user’s credentials to the Security Accounts Manager (SAM), which manages the account information stored in the local SAM database.

  • The SAM compares the user’s credentials with the account information in the SAM database to determine whether the user is authorized to access the system. If it finds the user account in the SAM database, the SAM authenticates the user by creating a logon session and returning the user’s security identifier (SID) and the SIDs of the global groups of which the user is a member to the LSA. The LSA then grants the user an access token that contains the user’s individual and group SIDs and their rights; these enable the user to access resources for which he or she has permissions.

Steps of local authentication:

  1. A user provides their username and password during login.

  2. The LSA (via the LSASS process) receives the credentials.

  3. The LSA uses the MSV1_0 authentication package to verify the credentials against the local SAM database.

  4. If the credentials match, the user is granted access; otherwise, access is denied.


How it Works(Token Generation)

  • After successful authentication, the LSA generates an access token for the user. This token contains the user’s Security Identifier (SID), group SIDs, and privileges.

Purpose of the token

  • The token is attached to the user’s session and is used by the system to enforce access control on local resources (e.g., files, folders, and registry keys).

  • It ensures that the user can only access resources they are authorized to use.


How it Works(Enforcement of Local Security Policies)

  • The LSA enforces local security policies configured on the machine.

These policies are stored in the local registry and include:

  • Password Policies:

    • Minimum password length.

    • Password complexity requirements.

    • Password expiration and history.

  • Account Lockout Policies:

    • Number of failed login attempts before an account is locked.

    • Duration of the lockout.

  • User Rights Assignment:

    • Determines which users or groups have specific privileges (e.g., "Log on locally," "Shut down the system," "Change the system time").

  • Audit Policies:

    • Specifies which security events are logged (e.g., logon attempts, object access, privilege use).

  • These policies are configured using the Local Security Policy tool (secpol.msc) or the Group Policy Editor (gpedit.msc) on the local machine.
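One way to verify the password and lockout settings described above is to export the local policy with `secedit /export /cfg policy.inf` and compare the values against a baseline. The Python check below is an added example, not code from the original page; the INF text and the baseline thresholds are constructed for the example.

```python
"""Check a secedit policy export against baseline thresholds.
Added example: assumes the INF came from `secedit /export /cfg policy.inf`;
the sample text and baseline values below are constructed, not from a real host.
"""
import configparser

# Constructed sample of the [System Access] section that secedit writes.
# A real export is UTF-16 encoded: open(path, encoding="utf-16").read().
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 3
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
"""

# Baseline minimums (assumed values chosen for the example). LockoutBadCount
# of 0 means lockout is disabled, so a minimum of 1 turns that into a finding.
BASELINE = {
    "MinimumPasswordLength": 14,
    "PasswordComplexity": 1,
    "PasswordHistorySize": 24,
    "LockoutBadCount": 1,
}


def parse_system_access(inf_text):
    """Return the [System Access] keys as integers, preserving key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(inf_text)
    return {key: int(value) for key, value in parser["System Access"].items()}


def find_weak_settings(inf_text, baseline=BASELINE):
    """Return (key, actual, required) for each setting below the baseline;
    a key missing from the export is reported with actual=None."""
    settings = parse_system_access(inf_text)
    findings = []
    for key, required in baseline.items():
        actual = settings.get(key)
        if actual is None or actual < required:
            findings.append((key, actual, required))
    return findings
```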


How it Works(Management of Local Accounts and Groups)

The LSA manages local user accounts and groups stored in the SAM database. This includes:

  • Creating, modifying, and deleting local user accounts.

  • Managing group memberships (e.g., adding users to the Administrators or Users group).

  • Storing and verifying user credentials (e.g., password hashes).


How it Works(Storage and Protection of LSA Secrets)

The LSA stores sensitive information, known as LSA secrets, in a secure portion of the registry. These secrets include:

  • Service Account Passwords: Passwords for services configured to run under specific user accounts.

  • Encryption Keys: Keys used by the system for encryption and decryption.

  • Cached Credentials: Credentials for accessing shared resources on other workgroup computers.

🎯 LSA secrets are encrypted and protected by the system, but they can still be targeted by attackers using tools like Mimikatz.


How it Works(Auditing and Logging)

The LSA is responsible for auditing security events on the local machine. This includes logging events such as:

  • Successful and failed logon attempts.

  • Changes to user accounts or groups.

  • Access to sensitive resources (if auditing is enabled).

These logs are stored in the Security Event Log and can be viewed using the Event Viewer (eventvwr.msc).


How it Works(Handling Interactive and Network Logons)

In a workgroup, the LSA handles both interactive logons (local logins) and network logons (accessing shared resources on other workgroup computers).

  • Interactive Logons:

    • The user logs in directly to the local machine.

    • The LSA verifies the credentials against the local SAM database.

  • Network Logons:

    • When a user accesses a shared resource (e.g., a file or printer) on another workgroup computer, the LSA on the computer hosting the resource verifies the credentials presented by the remote (client) machine.

    • The LSA may cache credentials for future use.
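The auditing section above and the interactive/network distinction here come together when reviewing the Security Event Log. The Python detector below is an added example, not code from the original page: it works on constructed records shaped after events 4624 (logon success) and 4625 (logon failure), tallies successful logons by logon type, and flags accounts whose failures hit an assumed threshold of 5 in 30 minutes (standing in for LockoutBadCount / ResetLockoutCount).

```python
"""Flag failed-logon bursts and tally logon types from Security log records.
Added example, not from the original page: the records below are constructed
in the shape of events 4624/4625; a real run would read them from the log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}  # codes in 4624/4625

# Constructed sample: (timestamp, event id, account, logon type).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4624, "alice", 2),
    ("2024-05-01T08:05:00", 4625, "bob", 3),
    ("2024-05-01T08:06:00", 4625, "bob", 3),
    ("2024-05-01T08:07:00", 4625, "BOB", 3),
    ("2024-05-01T08:08:00", 4625, "bob", 3),
    ("2024-05-01T08:09:00", 4625, "bob", 3),
    ("2024-05-01T08:30:00", 4624, "alice", 3),
    ("2024-05-01T09:00:00", 4625, "carol", 2),
    ("2024-05-01T10:00:00", 4625, "carol", 2),
]


def parse_event(rec):
    """Normalise one record: ISO timestamp to datetime, account lower-cased."""
    ts, event_id, account, logon_type = rec
    return {"time": datetime.fromisoformat(ts), "id": event_id, "user": account.lower(),
            "logon_type": LOGON_TYPES.get(logon_type, f"Other({logon_type})")}


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=30)):
    """Return {account: time the threshold was first reached}; the sliding
    window approximates the lockout counter reset (threshold/window assumed)."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(map(parse_event, records), key=lambda e: e["time"]):
        if ev["id"] != 4625:
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = ev["time"]
    return flagged


def successful_logons_by_type(records):
    """Count 4624 events per logon type, separating interactive from network."""
    counts = defaultdict(int)
    for ev in map(parse_event, records):
        if ev["id"] == 4624:
            counts[ev["logon_type"]] += 1
    return dict(counts)
```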


How it Works(Supporting Workgroup-Specific Scenarios)

In a workgroup, the LSA also handles scenarios unique to non-domain environments, such as:

  • Peer-to-Peer Resource Sharing:

    • When a user accesses a shared folder or printer on another workgroup computer, the LSA on the computer hosting the resource verifies the credentials presented by the remote (client) machine.

  • Cached Credentials:

    • If a user has previously accessed a shared resource, the LSA may cache their credentials to simplify future access.


Components of LSA

Breakdown of LSA Architecture

  • The architecture of the Local Security Authority (LSA) in Windows is designed to be both robust and flexible, enabling it to manage various security-related functionalities efficiently.

  • At its core, the LSA consists of the Local Security Authority Subsystem Service (LSASS), which runs as a process on Windows systems.

  • This service is responsible for enforcing security policies, handling authentication and authorization processes, and managing credentials and access tokens.

The LSA architecture is modular, comprising several components that interact with each other to provide comprehensive security services:

LSA Security Mechanisms

Content for this section...

LSA and Active Directory

Content for this section...

Best Practices for Managing LSA Security

Content for this section...

References

Content for this section...

Last updated 3 months ago