Saturday, May 16, 2020 3:24 PM
Hi,
I wish to protect LSASS on 2016 Server Standard.
/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11)
But the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe
does not exist?
How to protect on 2016 Server?
Thanks, Adrian
Monday, May 18, 2020 6:10 AM ✅Answered
Hey dude!
Thanks for posting in our TechNet forum.
After carefully reading the link you provided, we found that some things in it are not clear. For example, it always points to the registry path ending in lsass.exe, but doesn't say where exactly this key comes from, because normally there isn't a registry key called lsass.exe in our environment.
After some searching and testing, we found this article, which explains how to configure lsass with GPO step by step in detail: https://www.petri.com/lsa-protected-mode-troubleshooting-tips-server-2012-r2-windows-8-1
Note: This is a third-party link and we do not have any guarantees on this website. This is just for your convenience. And Microsoft does not make any guarantees about the content.
In fact, there are similar steps in the article you provided. However, when you create a registry key through GPO, it always prompts you to select the specific path of lsass, and our computers usually do not have the lsass registry path, so we are not able to select it. We need to enter the path manually, then create and deploy it. After that, the registry key will appear on the computers affected by the group policy object.
Hopefully the above information will help you.
Sincerely Yours
Charles
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
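Added example, not part of the original thread or of the linked articles: a PowerShell check for the situation described in the answer above, where the LSASS.exe key under Image File Execution Options is absent by default and has to be created. The value names AuditLevel (8) and RunAsPPL (1) and the Code Integrity event IDs 3065 and 3066 are taken from Microsoft's LSA protection documentation, not from this thread; the function and parameter names are made up for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Value names (AuditLevel, RunAsPPL) and
# event IDs follow Microsoft's LSA protection documentation.
param(
    [switch]$EnableAudit,   # create the IFEO key and turn on audit mode
    [switch]$EnablePpl      # set RunAsPPL; takes effect after a restart
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegDword([string]$Path, [string]$Name) {
    # $null means the key or value is absent, the default state for the IFEO key.
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    # The LSASS.exe key does not exist by default, so create it first.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

if ($EnableAudit) { Set-RegDword $ifeo 'AuditLevel' 8 }
if ($EnablePpl)   { Set-RegDword $lsa  'RunAsPPL'   1 }

# Report the current state so a missing key is visible rather than assumed.
[pscustomobject]@{
    IfeoKeyExists = Test-Path -Path $ifeo
    AuditLevel    = Get-RegDword $ifeo 'AuditLevel'
    RunAsPPL      = Get-RegDword $lsa  'RunAsPPL'
}

# In audit mode, Code Integrity logs modules that would fail to load into a protected LSASS.
$filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run without switches to only report state; review the 3065/3066 events from audit mode before setting RunAsPPL, since plug-ins and drivers that do not meet the signing requirements will no longer load into LSASS.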
Wednesday, May 20, 2020 6:27 AM
Greetings!
As we haven’t heard from you for a few days, may I confirm with you on the latest status? Was the above information helpful to you?
Much appreciated for your response in advance.
Sincerely Yours,
Charles
Tuesday, May 26, 2020 8:40 AM
Hi Charles,
The link you provided nailed it.
I only had to create the missing registry entry.
Now the mimikatz skeleton command fails:
>>mimikatz # misc::skeleton
>>[KDC] data
>>ERROR kuhl_m_misc_skeleton ; Second pattern not found
Thank you, Adrian