What is the Local Security Authority (LSA)?

Updated on September 11, 2025

The Local Security Authority (LSA) serves as the cornerstone of Windows security architecture. This protected subsystem governs every security decision on a Windows machine, from user authentication to access control enforcement. Understanding LSA functionality is essential for IT professionals managing Windows environments, particularly when implementing security policies or investigating credential-related attacks.

The LSA operates as both a conceptual framework and a tangible system component. While many professionals encounter the LSASS.exe process during troubleshooting or security incidents, fewer understand the broader LSA subsystem that defines how Windows handles authentication and authorization at the local level.

This technical examination provides system administrators and security analysts with the detailed knowledge needed to effectively manage LSA components, implement protective measures, and understand the security implications of this critical Windows subsystem.

Definition and Core Concepts

Local Security Authority Architecture

The LSA functions as a protected subsystem that manages local security policy enforcement. This subsystem operates through several interconnected components that work together to maintain system security.

The LSA differs from LSASS.exe in scope and function. The LSA represents the entire security framework, while LSASS.exe serves as the executable process that implements LSA functions. Think of the LSA as the architectural blueprint and LSASS.exe as the construction crew that builds according to that blueprint.

LSASS.exe (Local Security Authority Subsystem Service)

The LSASS.exe process implements LSA functionality by running with elevated system privileges. This background service performs the actual work of authenticating users, generating access tokens, and enforcing security policies. The process maintains continuous operation to handle security requests from the operating system and applications.

LSASS.exe operates in kernel mode, giving it direct access to system resources and memory. This elevated access level enables the process to perform sensitive security operations but also makes it an attractive target for attackers seeking to extract credentials or escalate privileges.

Security Account Manager (SAM)

The Security Account Manager (SAM) database stores local user accounts and their password hashes. The LSA interacts directly with the SAM database during local user authentication attempts. This database resides in the Windows Registry and contains critical information including usernames, password hashes, and account metadata.

The SAM database uses encryption to protect stored password hashes. However, attackers with sufficient privileges can extract these hashes for offline cracking attempts, making SAM protection a critical security consideration.

Access Token Structure

Access tokens represent the security context of authenticated users. The LSA creates these data structures after successful authentication, embedding the user’s Security Identifier (SID), group memberships, and assigned privileges.

Each access token travels with every process the user initiates. Windows uses these tokens as the definitive reference for access control decisions, determining whether a user can read files, modify system settings, or execute specific applications.
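The following PowerShell script is an added illustration, not code from the article or from JumpCloud. It reads the current process's access token (user SID, group SIDs, elevation state) and then walks a file's DACL to show how those SIDs decide a read request. The evaluator is deliberately simplified: it ignores owner rights, integrity levels and privileges, and the hosts-file path is only a convenient target that exists on every Windows install.

```powershell
# Added example (not part of the article): inspect the current access token and
# show how its SIDs feed an access-control decision against a file's DACL.
# Assumes Windows PowerShell 5.1 or later. The evaluator below is illustrative:
# it ignores owner rights, integrity levels and privileges.

function Get-TokenSummary {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$id
    [pscustomobject]@{
        User       = $id.Name
        UserSid    = $id.User.Value
        GroupSids  = @($id.Groups | ForEach-Object { $_.Value })
        # True only for an elevated administrator token; under UAC the filtered
        # token reports False even for members of the Administrators group.
        IsElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# Decide whether the token's SIDs grant $Right on $Path by walking the DACL in
# order. As in Windows, a Deny ACE that covers any requested bit wins, and
# Allow ACEs accumulate until every requested bit is granted.
function Test-TokenAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Right = 'Read'
    )
    $token   = Get-TokenSummary
    $sids    = @($token.UserSid) + $token.GroupSids
    $want    = [int]$Right
    $granted = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sids -notcontains $aceSid) { continue }            # ACE does not apply to this token
        $bits = [int]$ace.FileSystemRights -band $want           # only the bits we asked for matter
        if ($bits -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false } # explicit deny on a requested bit
        $granted = $granted -bor $bits
        if ($granted -eq $want) { return $true }                 # all requested bits allowed
    }
    return $false
}

# Usage: summarise the token, then check read access to the hosts file.
Get-TokenSummary | Format-List
Test-TokenAccess -Path "$env:SystemRoot\System32\drivers\etc\hosts" -Right Read
# Cross-check with: whoami /groups (group attributes) and whoami /priv (token privileges)
```

Running the check from an elevated and a non-elevated prompt on the same account is a quick way to see that the two prompts hold different tokens: the group list is the same, but IsElevated and the resulting access decisions differ.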

How Local Security Authority Works

Authentication Process Flow

The LSA manages every authentication request through a standardized process. When users attempt to log on, their credentials pass through multiple validation stages before the system grants access.

The authentication sequence begins when users submit their credentials to the Windows logon interface. The LSA receives these credentials and determines the appropriate authentication method based on the account type and system configuration.

Logon Request Processing

Local account authentication involves direct SAM database queries. The LSA extracts the stored password hash for the specified username and compares it against the submitted credential hash. Successful hash matching triggers access token generation.

Domain account authentication requires network communication with domain controllers. The LSA securely transmits authentication requests to domain controllers using protocols like Kerberos or NTLM. Domain controllers validate credentials and return authentication results to the requesting system.

Token Generation and Assignment

Upon successful authentication, the LSA generates a unique access token for the authenticated user. This token contains the user’s complete security profile, including SID, group memberships, and privilege assignments. The LSA attaches this token to the user’s initial process, and all subsequent processes inherit the token.

Access tokens remain valid throughout the user session unless explicitly modified by privilege escalation or group membership changes. The LSA updates tokens dynamically when security contexts change, ensuring accurate access control enforcement.

Credential Caching for Single Sign-On

The LSA implements credential caching to support single sign-on (SSO) functionality. The LSASS.exe process stores sensitive credentials in memory, including plaintext passwords (in legacy systems), NTLM hashes, and Kerberos tickets.

This caching mechanism enables users to access multiple resources without repeated authentication prompts. However, in-memory credential storage creates security vulnerabilities that attackers can exploit using credential dumping techniques.

Key Features and Components

Local Security Policy Management

The LSA enforces all settings configured through the Local Security Policy snap-in (secpol.msc). These policies include password complexity requirements, account lockout thresholds, and user rights assignments. The LSA continuously monitors system activity and blocks actions that violate configured policies.

Policy enforcement occurs at multiple system levels. The LSA validates password changes against complexity requirements, tracks failed logon attempts for lockout enforcement, and verifies user privileges before allowing specific actions.
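As an added example (not from the article), the script below exports the account policy that secpol.msc configures and the LSA enforces, parses the [System Access] section of the secedit template, and compares it with a baseline. The baseline numbers are assumptions for illustration; the constructed sample lines at the end let the parser and checks run without an export.

```powershell
# Added example (not part of the article): audit the account policy the LSA
# enforces by exporting it with secedit and comparing it with a baseline.
# Assumes an elevated session (secedit /export requires it). Baseline values
# are illustrative assumptions; substitute your organisation's standard.

# Parse the [System Access] section of a security-template (.inf) export.
function ConvertFrom-SystemAccessSection {
    param([string[]]$Lines)
    $section = $null
    $policy  = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    return $policy
}

# Export the live local policy (secedit writes a UTF-16 INI-style file).
function Get-LocalSystemAccessPolicy {
    $tmp = Join-Path $env:TEMP 'lsa-policy-export.inf'
    secedit /export /cfg $tmp /areas SECURITYPOLICY /quiet | Out-Null
    $policy = ConvertFrom-SystemAccessSection -Lines (Get-Content -Path $tmp)
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    return $policy
}

# Compare exported values with the baseline; returns one finding per gap.
function Test-SystemAccessPolicy {
    param([hashtable]$Policy)
    $baseline = @{                      # assumed values, not from the article
        MinimumPasswordLength = 14
        PasswordHistorySize   = 24
        LockoutBadCount       = 10      # 0 in the export means lockout is disabled
    }
    $findings = @()
    $len = [int]$Policy['MinimumPasswordLength']
    if ($len -lt $baseline.MinimumPasswordLength) {
        $findings += "MinimumPasswordLength is $len (baseline $($baseline.MinimumPasswordLength))"
    }
    if ([int]$Policy['PasswordComplexity'] -ne 1) {
        $findings += 'PasswordComplexity is not enforced'
    }
    $hist = [int]$Policy['PasswordHistorySize']
    if ($hist -lt $baseline.PasswordHistorySize) {
        $findings += "PasswordHistorySize is $hist (baseline $($baseline.PasswordHistorySize))"
    }
    $lock = [int]$Policy['LockoutBadCount']
    if ($lock -eq 0 -or $lock -gt $baseline.LockoutBadCount) {
        $findings += "LockoutBadCount is $lock (baseline 1..$($baseline.LockoutBadCount))"
    }
    return $findings
}

# Constructed sample export (not a real host) with a deliberately weak policy
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[System Access]',
    'MinimumPasswordAge = 1', 'MaximumPasswordAge = 42',
    'MinimumPasswordLength = 8', 'PasswordComplexity = 0',
    'PasswordHistorySize = 5', 'LockoutBadCount = 0',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1'
)
Test-SystemAccessPolicy -Policy (ConvertFrom-SystemAccessSection -Lines $sample)
# Live host (elevated): Test-SystemAccessPolicy -Policy (Get-LocalSystemAccessPolicy)
```

Splitting the parser from the exporter keeps the comparison testable on a saved template, which is also how you would review a policy pulled from another machine or a GPO backup.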

LSA Secrets Management

The LSA manages encrypted keys and sensitive data known as “LSA Secrets” within the Windows Registry. These secrets include system account credentials, service account passwords, and security-critical information used by applications and services.

LSA Secrets reside in the Registry under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. The LSA encrypts these secrets using system-specific keys, but attackers with administrative privileges can potentially extract and decrypt this sensitive information.

Authentication Package Support

The LSA uses specialized authentication packages to handle different security protocols. The msv1_0.dll package manages NTLM authentication, while kerberos.dll handles Kerberos protocol functions. These packages provide protocol-specific functionality while maintaining consistent interfaces with the core LSA subsystem.

Authentication packages enable the LSA to support multiple authentication methods simultaneously. Organizations can deploy custom authentication packages to integrate with specialized security systems or implement additional security layers.
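Because the LSA loads whatever packages its registry configuration names, an inventory of those packages is a useful integrity check. The script below is an added example, not code from the article: it reads the package lists under the Lsa key, flags entries outside an expected allow-list, and verifies that each named DLL exists in System32 with a valid Microsoft Authenticode signature. The allow-list is an assumption for a typical client build and must be tuned per environment.

```powershell
# Added example (not part of the article): enumerate the authentication,
# notification and security packages the LSA is configured to load, flag
# entries outside an allow-list, and check each DLL's signature.
# The allow-list is an assumed baseline for a typical client; tune it.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaPackageConfig {
    $lsa = Get-ItemProperty -Path $LsaKey
    $os  = Get-ItemProperty -Path "$LsaKey\OSConfig" -ErrorAction SilentlyContinue
    # Values are REG_MULTI_SZ; drop empty entries and the literal "" placeholder
    $clean = { param($v) @(@($v) | Where-Object { $_ -and $_ -ne '""' }) }
    [pscustomobject]@{
        AuthenticationPackages = & $clean $lsa.'Authentication Packages'
        NotificationPackages   = & $clean $lsa.'Notification Packages'
        SecurityPackages       = & $clean (@($lsa.'Security Packages') + @($os.'Security Packages'))
    }
}

# Pure comparison: names in $Configured that the baseline does not expect.
function Find-UnexpectedPackage {
    param([string[]]$Configured, [string[]]$Expected)
    @($Configured | Where-Object { $Expected -notcontains $_ })
}

# For each package name, confirm <name>.dll exists in System32 and carries a
# valid Authenticode signature whose signer subject names Microsoft.
function Test-PackageSignature {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $path = Join-Path "$env:SystemRoot\System32" "$n.dll"
        $sig  = if (Test-Path -Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Package   = $n
            Path      = $path
            Exists    = [bool]$sig
            Valid     = [bool]($sig -and $sig.Status -eq 'Valid')
            Microsoft = [bool]($sig -and $sig.SignerCertificate -and
                               $sig.SignerCertificate.Subject -like '*Microsoft*')
        }
    }
}

$expected = @{                          # assumed baseline, not from the article
    AuthenticationPackages = @('msv1_0')
    NotificationPackages   = @('scecli', 'rassfm')
    SecurityPackages       = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudAP')
}

$cfg = Get-LsaPackageConfig
foreach ($kind in $expected.Keys) {
    $extra = Find-UnexpectedPackage -Configured $cfg.$kind -Expected $expected.$kind
    if ($extra) { Write-Warning "$kind contains unexpected entries: $($extra -join ', ')" }
}
$allNames = @($cfg.AuthenticationPackages) + $cfg.NotificationPackages + $cfg.SecurityPackages |
            Select-Object -Unique
Test-PackageSignature -Names $allNames | Format-Table -AutoSize
```

An unexpected name, a DLL outside System32, or a failed signature check is worth investigating as a possible tampering of the LSA's load list; a clean result from the signature check also gives you a known-good snapshot to diff against later.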

Security Implications and Attack Vectors

Credential Dumping Vulnerabilities

The LSASS.exe process presents a high-value target for attackers due to its credential storage functionality. Attackers with elevated privileges can extract credentials directly from LSASS.exe memory using tools like Mimikatz. These extracted credentials enable privilege escalation, lateral movement, and complete network compromise.

Credential dumping attacks succeed because LSASS.exe must maintain credentials in memory to support authentication and SSO functionality. Traditional memory protection mechanisms cannot fully secure this information without breaking core Windows functionality.
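From the defender's side, the observable that matters is a process opening a handle to LSASS.exe with memory-access rights. The script below is an added detection example, not code from the article: it evaluates Sysmon event ID 10 (ProcessAccess) records, reports handles to lsass.exe whose access mask includes memory read/write bits, and skips source images on an allow-list. The sample records are constructed for the demonstration, and the allow-list is an assumption to adjust for your own security tooling.

```powershell
# Added example (not part of the article): detection logic for handles opened
# on lsass.exe with memory-access rights, applied to Sysmon event ID 10
# (ProcessAccess) records. Sample events are constructed for the demo; the
# allow-list of benign source images is an assumption to tune per host.

# Access-mask bits that allow reading or tampering with another process's memory:
# PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE
$SensitiveAccess = 0x0010 -bor 0x0020 -bor 0x0008 -bor 0x0002 -bor 0x0040

$AllowedSources = @(                    # assumed benign readers; adjust for your tooling
    "$env:ProgramFiles\Windows Defender\MsMpEng.exe",
    "$env:SystemRoot\System32\csrss.exe"
)

# Given one flat event (SourceImage, TargetImage, GrantedAccess, UtcTime),
# return a finding when the access pattern matches credential-dumping behaviour.
function Test-LsassAccessEvent {
    param([Parameter(Mandatory)]$Event)
    if ($Event.TargetImage -notlike '*\lsass.exe') { return $null }
    $mask = [Convert]::ToInt32($Event.GrantedAccess, 16)      # "0x1010" -> 4112
    if (($mask -band $SensitiveAccess) -eq 0) { return $null }  # query-only access is not interesting
    if ($AllowedSources -contains $Event.SourceImage) { return $null }
    [pscustomobject]@{
        Time          = $Event.UtcTime
        SourceImage   = $Event.SourceImage
        GrantedAccess = ('0x{0:X}' -f $mask)
        Reason        = 'handle to lsass.exe with memory-access rights from a non-allow-listed image'
    }
}

# Flatten a live Sysmon record into the shape Test-LsassAccessEvent expects.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Constructed sample records (not real telemetry); only the first one is reported
$samples = @(
    @{ UtcTime = '2025-09-11 10:00:01'; SourceImage = 'C:\Users\demo\unknown.exe'
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' },
    @{ UtcTime = '2025-09-11 10:00:02'; SourceImage = "$env:ProgramFiles\Windows Defender\MsMpEng.exe"
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' },
    @{ UtcTime = '2025-09-11 10:00:03'; SourceImage = 'C:\Windows\System32\taskmgr.exe'
       TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' },
    @{ UtcTime = '2025-09-11 10:00:04'; SourceImage = 'C:\Users\demo\unknown.exe'
       TargetImage = 'C:\Windows\System32\svchost.exe'; GrantedAccess = '0x1010' }
)
$samples | ForEach-Object { Test-LsassAccessEvent -Event $_ }

# Live use: evaluate the most recent 500 Sysmon ProcessAccess events
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } -MaxEvents 500 |
#     ForEach-Object { Test-LsassAccessEvent -Event (ConvertFrom-SysmonEvent -Record $_) }
```

Parsing the record's XML by field name rather than by property index keeps the rule stable across Sysmon schema versions; the allow-list is where most tuning effort goes, since EDR agents, backup software and crash-dump tooling legitimately read LSASS memory.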

Attack Progression Scenarios

Successful credential extraction often leads to rapid attack progression. Attackers use dumped credentials to authenticate as legitimate users, bypassing traditional access controls. This technique enables horizontal movement through networks and access to additional systems and resources.

Administrative credentials provide particularly valuable targets, as they grant broad system access and the ability to extract credentials from additional machines. Attackers can quickly escalate from initial system compromise to domain-wide access through credential dumping and reuse.

Defense Mechanisms and Mitigation

LSA Protection Implementation

LSA Protection hardens the LSASS.exe process against unauthorized access and code injection. This feature prevents non-privileged processes from accessing LSASS.exe memory and blocks common credential dumping techniques.

LSA Protection operates by restricting process access permissions and implementing additional memory protection mechanisms. While not foolproof against all attacks, this feature significantly raises the difficulty level for credential extraction attempts.

Credential Guard Architecture

Credential Guard provides robust protection through virtualization-based security (VBS). This feature isolates the LSASS.exe process in a dedicated, hardware-protected memory region that remains inaccessible to the operating system kernel and other processes.

Credential Guard uses Windows Hypervisor to create an isolated execution environment called Virtual Trust Level 1 (VTL1). The LSA secrets and credentials operate within this protected environment, making them extremely difficult for attackers to access even with administrative privileges.

The implementation requires specific hardware capabilities, including TPM 2.0 and UEFI firmware with Secure Boot support. Organizations must evaluate hardware compatibility before deploying Credential Guard protection.
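The script below is an added example covering both the LSA Protection and Credential Guard sections above; it is not code from the article or from JumpCloud. It reports whether LSASS.exe is running as a protected process, whether Credential Guard is configured and running under VBS, and whether the TPM 2.0 and UEFI Secure Boot prerequisites are present, then turns the results into a list of findings. The registry value meanings in the comments follow Microsoft's documentation for these settings; an elevated session on Windows 10/11 or Server 2016 and later is assumed.

```powershell
# Added example (not part of the article): report LSA Protection and Credential
# Guard status plus the hardware prerequisites, then list any gaps.
# Assumes an elevated session on Windows 10/11 or Server 2016+.

function Get-LsaProtectionStatus {
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ifeo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe' -ErrorAction SilentlyContinue
    # Wininit logs event 12 to the System log when lsass.exe starts as a protected process;
    # that event is the runtime signal, while RunAsPPL only reflects explicit configuration.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL        = $lsa.RunAsPPL      # 1 = on with UEFI lock, 2 = on without lock, absent/0 = not configured
        AuditLevel      = $ifeo.AuditLevel   # 8 = audit mode: CodeIntegrity events 3065/3066 list plug-ins that would be blocked
        ProtectedAtBoot = [bool]$ev
        LsaCfgFlags     = $lsa.LsaCfgFlags   # Credential Guard policy: 1 = on with UEFI lock, 2 = on without lock
    }
}

function Get-CredentialGuardStatus {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus            # 2 = VBS running
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1) # 1 = Credential Guard
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        TpmSpecVersion            = $tpm.SpecVersion                                  # e.g. "2.0, 0, 1.38"
        SecureBoot                = $(try { Confirm-SecureBootUEFI } catch { $false }) # throws on legacy BIOS
    }
}

# Turn the two status objects into findings; an empty list means all checks passed.
function Get-LsaHardeningFindings {
    param($Lsa, $Cg)
    $f = @()
    if ($Lsa.RunAsPPL -notin 1, 2)          { $f += 'LSA Protection (RunAsPPL) is not explicitly configured' }
    if (-not $Lsa.ProtectedAtBoot)          { $f += 'No Wininit event 12: lsass.exe did not start as a protected process' }
    if (-not $Cg.CredentialGuardRunning)    { $f += 'Credential Guard is not running' }
    if ($Cg.TpmSpecVersion -notlike '2.0*') { $f += 'TPM 2.0 not detected' }
    if (-not $Cg.SecureBoot)                { $f += 'UEFI Secure Boot is off or unavailable' }
    return $f
}

$lsa = Get-LsaProtectionStatus
$cg  = Get-CredentialGuardStatus
$lsa, $cg | Format-List
$findings = Get-LsaHardeningFindings -Lsa $lsa -Cg $cg
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'LSA hardening checks passed' }
```

Run the status functions before enabling either feature so that a failed prerequisite (no TPM 2.0, Secure Boot off, VBS not running) is caught as a finding rather than as a boot-time surprise, and keep the audit-mode step for LSA Protection in the rollout so that any third-party LSA plug-in that would be blocked shows up in the CodeIntegrity log first.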

Key Terms Appendix

  • LSA (Local Security Authority): The Windows subsystem responsible for managing security policies and authentication decisions on local machines.
  • LSASS.exe: The executable process that implements LSA functionality and maintains credential storage in system memory.
  • Access Token: A data structure containing user security information, including SID, group memberships, and privileges, used for access control decisions.
  • Security Account Manager (SAM): The Windows database storing local user accounts and encrypted password hashes.
  • Credential Guard: A Windows security feature using virtualization-based security to protect LSASS process credentials from extraction attacks.
  • Kerberos: A network authentication protocol using tickets to grant secure access to network resources and services.
  • NTLM (NT LAN Manager): A suite of security protocols providing authentication, integrity, and confidentiality for Windows networks.