Closed phantomord closed 6 months ago
Not a bug. This is by design. When RunAsPPL is configured, lsass will only load modules that are digitally signed by Microsoft. More info: https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/file-signing-reqs
Apologies for reviving this @ryanries. I am attempting to build a password filter of my own and have run into trouble when it comes time to test. RunAsPPL is set to 0, I have used bcdedit in an attempt to set TESTSIGNING and NOINTEGRITYCHECKS both on, and I have self-signed my DLL. Even after all of that, LSASS still refuses to load my password filter. Would you happen to have any other ideas?
@disassembledd I do have an idea: Recent versions of Windows have started enforcing LSA Protection with a UEFI variable. What that means is RunAsPPL will persist on the machine regardless of whether you switch it off in the Windows registry. You have to disable it in the UEFI. Practically, the good thing about this is that it now requires physical presence to disable RunAsPPL. The downside is that it can be a pain in the ass: you have to run a special UEFI binary at boot to turn it off. Read:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn408187(v=ws.11) Especially this part: https://www.microsoft.com/en-us/download/details.aspx?id=40897
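The following diagnostic script is an added example and is not part of PassFiltEx or of any comment in this thread. It pulls together the checks a practitioner would run on a domain controller before concluding that LSA Protection is the reason a password filter DLL is not loaded: the RunAsPPL registry value, whether LSASS actually started protected on this boot (WinInit Event ID 12 in the System log), whether the filter is registered in Notification Packages, who signed the DLL, the Code Integrity event (ID 3033 in Microsoft-Windows-CodeIntegrity/Operational) that records the refused load, and the current bcdedit test-signing options. It assumes it is run in an elevated PowerShell session on the DC; the default filter name `PassFiltEx` is a parameter and should be replaced with your own DLL's base name.

```powershell
# Added diagnostic (example code, not PassFiltEx's own): why won't LSASS load my password filter?
# Assumption: run as Administrator on the domain controller being tested.
[CmdletBinding()]
param(
    # Base name of the filter DLL as listed in Notification Packages (no .dll suffix).
    # 'PassFiltEx' is only a default for this example; pass your own filter's name.
    [string]$FilterName = 'PassFiltEx'
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. What does the registry say? Absent/0 = off, 1 = on (UEFI-locked on supported firmware).
#    Newer Windows builds also accept 2 = on without the UEFI lock; Server 2019 only knows 0/1.
$runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
"RunAsPPL registry value : $(if ($null -eq $runAsPpl) { '<absent>' } else { $runAsPpl })"

# 2. Did LSASS really start as a protected process this boot? WinInit logs Event ID 12
#    ("LSASS.exe was started as a protected process with level: N") when it did. This is the
#    check that matters when a UEFI-locked setting keeps applying after the registry is cleared.
$ppl = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
"LSASS protected this boot: $(if ($ppl) { "yes ($($ppl.TimeCreated))" } else { 'no Event ID 12 found' })"

# 3. Is the filter registered? Notification Packages is a REG_MULTI_SZ of DLL base names.
$packages = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'
"Notification Packages    : $($packages -join ', ')"
if ($packages -notcontains $FilterName) {
    Write-Warning "$FilterName is not listed in Notification Packages; LSASS will never try to load it."
}

# 4. Is the DLL where LSASS looks, and who signed it? A PPL lsass only loads Microsoft-signed
#    modules, so a self-signed or third-party Authenticode signature shows up here as the reason.
$dll = Join-Path $env:SystemRoot "System32\$FilterName.dll"
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    "DLL signature status     : $($sig.Status)"
    "DLL signer               : $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' })"
} else {
    Write-Warning "$dll not found."
}

# 5. Code Integrity records the refusal. Event 3033 names the process (lsass.exe) and the file
#    that "did not meet the Microsoft signing level requirements".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'lsass\.exe' -and $_.Message -match [regex]::Escape("$FilterName.dll") } |
    ForEach-Object { "CI refusal {0}: {1}" -f $_.TimeCreated, $_.Message }

# 6. The boot options mentioned in the thread, for the record. They govern kernel-mode driver
#    signing enforcement; as reported above, turning them on did not make LSASS accept the DLL.
bcdedit /enum '{current}' | Select-String -Pattern 'testsigning|nointegritychecks'
```

Read the output top to bottom: if step 2 says LSASS started protected even though step 1 shows 0 or absent, the UEFI variable is still set and the registry value alone will not change anything; if step 5 shows a 3033 event for your DLL, the signing-level requirement is the cause, independently of the bcdedit options in step 6.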
Hi, I've been trying to implement PassFiltEx as a password protection in my domain. In my lab, with a fresh install and a basic AD configuration, it runs perfectly without any issue. But when I enable LSA protection (RunAsPPL), PassFiltEx does not work. Has anyone ever encountered this? Is there any workaround for this?
Thanks. P.S. I'm using Windows Server 2019 as a domain controller.