Support running LPP in LSA protected mode #15
Comments
Hi @AaronG1234, I've been wanting to do this for a while, but unfortunately an EV code signing certificate is required for this, and they are not cheap. I'll take another look around and see if I can find one affordable, or a CA that offers cheaper rates for open source projects.
Ryan
DigiCert has a hidden special, accessible from
https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate#step-2-buy-a-new-code-signing-certificate
https://www.digicert.com/friends/sysdev/
(click the OK button)
104 USD per year for EV
Yeah, I found that and just got in contact with them about going through the process to validate Lithnet. I use them for the current code-signing certificate, so hopefully it's a straightforward process to upgrade Lithnet's org verification level to the level required for EV. EV certs require a hardware token though, so provided all goes well, they need to ship that out, which will take a few weeks.
It looks like we should be able to make this happen. We've set up a page to gather donations to help cover the cost of the EV (https://lithnet.io/donate). I'll keep you posted on the progress.
Thanks so much for considering this... I wrote my own LSA notification filter about a year ago that uses the pwnedpasswords API, but when we moved to LSA Protected, it wouldn't load.
(BTW, I put in a feature request for allowing api.pwnedpasswords.com as an alternative to downloading the hashes.)
@AaronG1234 we were able to raise the money, thanks to some generous donations, including yours. Thank you for your contribution. Re: the feature request, that's a good idea, I can look to add that in. Do you mind raising a new issue for it?
I did already. (Also, I have code for it; however, it is a really fundamental idea, and as I look at your source code I don't think you need much 'splaining... and I am not a C programmer by heart... because I hate how convoluted strings are in C... but don't tell anyone.)
Maybe it didn't save? I have created a new one for you to follow for updates. Code is linked in the comment if you want to have a look over. If there are any gotchas you learnt from your own implementation I should be aware of, do let me know. We'll keep this thread on the LSA protection support feature now.
First build with the MS-signed binary is up! https://github.com/lithnet/ad-password-protection/releases/tag/v1.0.7143
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
(emphasis mine)
Signature verification
Protected mode requires that any plug-in that is loaded into the LSA is digitally signed with a Microsoft signature. Therefore, any plug-ins that are unsigned or are not signed with a Microsoft signature will fail to load in LSA. Examples of these plug-ins are smart card drivers, cryptographic plug-ins, and password filters.
Any way you could get your DLL signed so that it would be usable with LSA Protected "Mode"?
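As an added illustration, not part of this issue thread or of the lithnet project's own code, the following PowerShell audit checks what the quoted Microsoft text implies for a defender: whether LSA Protection (the RunAsPPL value) is enabled on a host, which password filters are registered in the Lsa "Notification Packages" value, and whether each DLL carries a valid Microsoft signature. The `O=Microsoft Corporation` subject match is a heuristic approximation of the signing-level check LSA actually performs, not the exact rule, and the Code Integrity event IDs are taken from the Microsoft documentation linked above, not from this thread.

```powershell
# Added example: read-only audit of LSA Protection and registered password filters.
# Not code from the lithnet project; the Microsoft-signature test below is a heuristic.
# Run from an elevated PowerShell prompt on the machine being checked (e.g. a domain controller).

function Get-LsaProtectionState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # RunAsPPL is absent or 0 when LSA Protection is off; any non-zero value enables it.
    [pscustomobject]@{
        RunAsPPL             = $lsa.RunAsPPL
        Enabled              = [bool]$lsa.RunAsPPL
        # REG_MULTI_SZ of DLL base names loaded from System32 (built-ins such as scecli
        # plus any third-party password filter that was registered).
        NotificationPackages = @($lsa.'Notification Packages')
    }
}

function Test-LsaPluginSignature {
    param([Parameter(Mandatory)][string]$PackageName)

    $path = Join-Path $env:SystemRoot "System32\$PackageName.dll"
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{
            Package = $PackageName; Path = $path; Status = 'FileMissing'
            Signer  = $null;        MicrosoftSigned = $false
        }
    }

    # Get-AuthenticodeSignature also resolves catalog-signed Windows binaries.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # Heuristic: LSA enforces a Microsoft signing level, which user mode cannot query directly.
    # A valid signature whose subject is Microsoft Corporation is the closest read-only proxy;
    # a third-party EV-signed DLL will show Status=Valid but MicrosoftSigned=False here.
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Package         = $PackageName
        Path            = $path
        Status          = $sig.Status
        Signer          = $signer
        MicrosoftSigned = $isMicrosoft
    }
}

function Get-LsaPluginLoadFailures {
    # Code Integrity logs event 3033 when an enforced load is blocked, and 3065/3066 when
    # LSA Protection audit mode would have blocked it (IDs per the Microsoft documentation).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3033, 3065, 3066
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-LsaProtectionState
"LSA Protection enabled: $($state.Enabled) (RunAsPPL=$($state.RunAsPPL))"

$results = $state.NotificationPackages | ForEach-Object { Test-LsaPluginSignature -PackageName $_ }
$results | Format-Table Package, Status, MicrosoftSigned, Signer -AutoSize

# Any package with MicrosoftSigned = False is one that would fail to load once RunAsPPL is enforced.
$results | Where-Object { -not $_.MicrosoftSigned } | ForEach-Object {
    Write-Warning "$($_.Package) would not load under LSA Protection ($($_.Status); $($_.Signer))"
}

# Recent Code Integrity events show whether LSA has already refused a plug-in on this host.
Get-LsaPluginLoadFailures | Format-List
```

Run this before turning RunAsPPL on, or with LSA Protection in audit mode, so that a password filter that would be refused shows up as a warning or as a 3065/3066 event rather than as a silent failure in production; the MicrosoftSigned column is exactly the property the maintainer's signed build in this thread is meant to satisfy.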