Windows Server 2012 R2 and Windows 8.1 include updates to the Local Security Authority (LSA), which is responsible for processing local and remote user logins, to help mitigate Pass the Hash (PtH) attacks, in which hackers attempt to capture user password hashes from memory to log in without knowing plaintext passwords.
In Windows 8.1 and Server 2012 R2, lsass.exe can be made a protected process, and hashes are no longer stored in memory, which makes it much harder for hackers to compromise user credentials. With the exception of Windows 8.1 RT, this new functionality is disabled by default and must be enabled in the registry or using Group Policy. Lsass.exe does not run as a protected process out-of-the-box because doing so might cause compatibility problems with some applications, so you must test thoroughly before enabling LSA protection.
If computers in your organization have Secure Boot enabled, i.e. they are running Windows 8.1 or Server 2012 R2 with Secure Boot enabled in the UEFI firmware, you should be aware that when the registry key for LSA protection is set, either using a registry editing tool or Group Policy, the LSA protection setting is also stored in the UEFI firmware and cannot later be modified in Windows. At the time of writing this article, there is no tool to modify this setting in the UEFI firmware, so once set in Windows, there is no means to disable LSA protection if Secure Boot is enabled.
To enable LSA protection in Windows 8.1 or Windows Server 2012 R2, log on to the device as a local administrator:
If you want to be sure that lsass.exe is running as a protected process, follow the steps below.
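The following PowerShell script is an added example, not part of the original article. It reports the configured and effective LSA protection state and, with the hypothetical `-Enable` switch, sets the registry value after confirmation. It assumes the `RunAsPPL` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and the Wininit event ID 12 in the System log, both taken from Microsoft's LSA protection documentation rather than from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally enable) LSA protection on the local machine.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [switch]$Enable   # hypothetical switch for this example: write RunAsPPL = 1
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Configured state: RunAsPPL = 1 asks Windows to start lsass.exe as a protected process.
$configured = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

# Secure Boot state: with Secure Boot on, the setting is also stored in UEFI firmware.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
catch { $secureBoot = $false }   # legacy BIOS, or the platform does not support the cmdlet

# Effective state: Wininit logs event 12 when LSASS starts as a protected process.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$pplEvent = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    RunAsPPLConfigured  = ($configured -eq 1)
    SecureBootEnabled   = $secureBoot
    LastBoot            = $lastBoot
    LastProtectedStart  = $pplEvent.TimeCreated   # empty if no event 12 is in the log
    ProtectedSinceBoot  = [bool]($pplEvent -and $pplEvent.TimeCreated -ge $lastBoot)
}

if ($Enable -and $configured -ne 1) {
    if ($secureBoot) {
        # The article's caveat: the setting cannot later be modified from Windows.
        Write-Warning 'Secure Boot is enabled: the LSA protection setting will also be stored in UEFI firmware.'
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Set RunAsPPL = 1 (enable LSA protection)')) {
        New-ItemProperty -Path $lsaKey -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output 'RunAsPPL set to 1. Restart the computer for lsass.exe to start as a protected process.'
    }
}
```

Run it without parameters first on a test machine to record the baseline; `ProtectedSinceBoot` only becomes true after the restart that follows enabling the setting.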