Good afternoon. When LSA protection is enabled on a workstation with CryptoPro 5.0 installed (various versions, including the latest build), network connections and RDP to the target computer stop working. According to the Microsoft article https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection:

For an LSA plug-in or driver to successfully load as a protected process, it must meet the following criteria:

Signature verification

Protected mode requires that any plug-in that is loaded into the LSA is digitally signed with a Microsoft signature. Therefore, any plug-ins that are unsigned or are not signed with a Microsoft signature will fail to load in LSA. Examples of these plug-ins are smart card drivers, cryptographic plug-ins, and password filters.

LSA plug-ins that are drivers, such as smart card drivers, need to be signed by using the WHQL Certification. For more information, see WHQL Release Signature.

LSA plug-ins that do not have a WHQL Certification process, must be signed by using the file signing service for LSA.

Recommended practices

Use the following list to thoroughly test that LSA protection is enabled before you broadly deploy the feature:

Identify all of the LSA plug-ins and drivers that are in use within your organization. This includes non-Microsoft drivers or plug-ins such as smart card drivers and cryptographic plug-ins, and any internally developed software that is used to enforce password filters or password change notifications.

Ensure that all of the LSA plug-ins are digitally signed with a Microsoft certificate so that the plug-in will not fail to load.

=======================

After enabling auditing for lsass.exe (before enabling LSA protection), the log contains the following events (ID 3066):

Code:
Level,Date and Time,Source,Event ID,Task Category
Information,29.04.2022 16:04:47,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\Crypto Pro\AppCompat\cpmsi.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Crypto Pro\CSP\cpsuprt.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Crypto Pro\CSP\cpcspi.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Crypto Pro\CSP\cpcsp.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\cpcng.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\cpsspap.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\Crypto Pro\AppCompat\cpschan.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\Crypto Pro\AppCompat\cpkrb.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\Crypto Pro\AppCompat\cpadvai.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\Crypto Pro\AppCompat\detoured.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\Crypto Pro\AppCompat\cpcrypt.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
First of all, I believe the problem is in cpsspap.dll. Is a fix planned? For corporate environments, the use of additional LSA protection is critical.
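Added example, not part of the original post: a small Python parser for an Event Viewer CSV export in the layout shown above, which inventories the modules that lsass.exe loaded under audit mode and that Code Integrity flagged with event 3066. The function name `lsass_flagged_modules` is hypothetical, and the sample rows are constructed (the first two reuse paths from the post; the rest exist only to exercise the filters).

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the CSV export layout from the post. Rows 1-2 reuse paths
# from the post's events; rows 3-5 are constructed to exercise the filters.
SAMPLE_CSV = r'''Level,Date and Time,Source,Event ID,Task Category
Information,29.04.2022 16:04:47,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\Crypto Pro\AppCompat\cpmsi.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:04:37,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\cpsspap.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:09:00,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\cpsspap.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:09:10,Microsoft-Windows-CodeIntegrity,3066,(1),"Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Example\example.dll that did not meet the Microsoft signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load."
Information,29.04.2022 16:09:11,Example-Source,1,(1),"constructed unrelated event"
'''

# Paths contain spaces ("Program Files"), so match lazily up to the fixed phrase.
EVENT_RE = re.compile(
    r"process \((?P<proc>.+?)\) attempted to load (?P<module>.+?) that did not meet"
)
DEVICE_PREFIX = re.compile(r"^\\Device\\HarddiskVolume\d+\\")


def lsass_flagged_modules(csv_text):
    """Return sorted [(module_path, event_count)] for 3066 events raised by lsass.exe."""
    counts = Counter()
    rows = csv.reader(io.StringIO(csv_text))
    next(rows, None)  # header names 5 columns; the message is an unnamed 6th field
    for row in rows:
        if len(row) < 6 or row[2] != "Microsoft-Windows-CodeIntegrity" or row[3] != "3066":
            continue
        match = EVENT_RE.search(row[5])
        if not match or not match["proc"].lower().endswith("\\lsass.exe"):
            continue
        # Drop the volume device prefix so repeated loads of one file group together.
        counts[DEVICE_PREFIX.sub("", match["module"])] += 1
    return sorted(counts.items())


if __name__ == "__main__":
    for module, count in lsass_flagged_modules(SAMPLE_CSV):
        print(f"{count:3d}  {module}")
```

The resulting list is the set of plug-ins whose signatures have to be resolved before LSA protection is switched from audit to enforcement.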