The Microsoft Attack Surface Reduction (ASR) rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" has highlighted that ncpa.exe is making calls to LSASS, or more specifically is trying to access LSASS.EXE process memory (LSASS: Local Security Authority Subsystem Service, a process in Windows operating systems responsible for enforcing security policies, authenticating users, and managing security logs).
Could you let me know if Nagios is simply enumerating LSASS, or what the real-world impact is on functionality? To date Nagios appears to be operating OK with the ASR rule in Block mode, but the Nagios client is creating noise and I would like to understand its intent with LSASS, or perhaps some functionality may not be working now that hasn't surfaced yet. Thanks.
ASR rule details
https://learn.microsoft.com/en-us/defen ... -subsystem
Nagios requirement of LSASS access
Re: Nagios requirement of LSASS access
ipbbw,
To my knowledge, nothing we ship with Nagios XI will interact with lsass.exe out of the box. I'm guessing either:
1. Some Windows security policy is routing ncpa.exe through lsass.exe to check permissions, or...
2. You have a homebrewed plugin - perhaps acquired from the Nagios Exchange - that will monitor lsass.exe in some manner
Windows is not my primary domain of expertise, so I could be off here. But I am not aware of anything we ship with XI reaching out to the aforementioned process.
Best Regards,
Cory Norell
Re: Nagios requirement of LSASS access
Hello @ipbbw,
NCPA has an endpoint that checks the running processes on your machine. I think this may be what's causing it to try and access LSASS.exe as it is checking all running processes/services.
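One way to confirm the explanation above from the Defender side, as an added example that is not part of this thread and not Nagios or NCPA code: pull the ASR events for the LSASS rule and group them by the process that triggered them. If every hit comes from ncpa.exe and the target is lsass.exe, the noise is consistent with process enumeration rather than anything else on the host. Assumptions, also marked in the code: the rule GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 is the LSASS credential-stealing rule, event ID 1121 is a block and 1122 an audit hit, and the event message text carries "ID:", "Path:" and "Process Name:" lines.

```powershell
# Added example (not from the thread, Nagios or NCPA): triage Defender ASR
# events for the LSASS rule and see which process is generating them.
# Assumed: this GUID is the "Block credential stealing from lsass.exe" rule,
# 1121 = blocked, 1122 = audited, and the message body carries the fields below.

$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Keep only events raised by the LSASS rule; the message text names the rule GUID.
    if ($e.Message -match 'ID:\s*(?<rule>[0-9a-f-]{36})' -and $Matches.rule -eq $LsassRuleId) {
        $target  = if ($e.Message -match 'Path:\s*(?<p>.+)')         { $Matches.p.Trim() } else { '' }
        $process = if ($e.Message -match 'Process Name:\s*(?<n>.+)') { $Matches.n.Trim() } else { '' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Mode    = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
            Process = $process   # the process that touched LSASS, e.g. ...\ncpa.exe
            Target  = $target    # the path the rule protected, e.g. ...\lsass.exe
        }
    }
}

# Summarise which binaries are generating the hits and how often.
$hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Optional follow-ups once the source is confirmed (both cmdlet parameters exist
# in the Defender module; the NCPA path is an assumed default, adjust for your host):
#   Set-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
#                    -AttackSurfaceReductionRules_Actions AuditMode
#   Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Nagios\NCPA\ncpa.exe'
```

Run it in an elevated PowerShell session on the monitored host. The grouped output tells you whether ncpa.exe is the only process tripping the rule; if so, the events are explained by NCPA's process listing and the rule can stay in Block mode. Keep in mind that an ASR-only exclusion for ncpa.exe removes that binary from all ASR rules, not just the LSASS one, so moving the single rule to Audit mode for a short observation window is the narrower option.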