What is lsass.exe: Symptoms, Risks and Fixes in Windows

Last updated: 24/09/2025
Author: Isaac
  • lsass.exe enforces security policy and handles authentication in Windows and Active Directory.
  • Common issues: legacy NTLM, many trusted domains, and high CPU usage on DCs.
  • Mitigations: NeverPing, Service Packs / hotfixes, AD data collector sets, and MaxConcurrentApi tuning.

lsass.exe in Windows

If you use Windows, the name lsass.exe is no small matter: it is a core component of the system that underpins local security and authentication. In plain English, it is the gatekeeper that validates your credentials when you log on and enforces the computer's and the domain's security policies.

Because of its importance, lsass.exe is also a common target for malware and a frequent actor in domain controller performance incidents. Here we have collected everything you need to know, in practical terms: what it does, how to identify the legitimate file, which symptoms indicate failures, and the fixes Microsoft has documented for scenarios such as NTLM authentication bottlenecks or high CPU usage in Active Directory.

What is lsass.exe?

The Local Security Authority Subsystem Service (LSASS), visible as lsass.exe, is responsible for enforcing local and domain security policy in Windows. It handles user authentication, verifies passwords, manages permissions, and writes changes to the local security database, including policies, accounts and secrets.

On Active Directory domain controllers, lsass.exe also acts as the central service for directory lookups, authentication and replication. Disabling or killing this process is not an option: you would break the system's fundamental security and logon.

Because of its role, lsass.exe works hand in hand with other system components to apply password complexity policies, key management and network authentication, especially when trust relationships between domains and legacy clients using NTLM are involved.

It is worth remembering that although the legitimate lsass.exe is secure and essential, attackers try to impersonate it with similarly named executables to steal credentials and persist on the system, for example using variants such as 'lass.exe' or locations outside the legitimate path.

LSA Security Architecture

LSA security and authentication architecture

LSASS is part of the Local Security Authority subsystem of Windows: a set of services and APIs that enforce security policy and orchestrate authentication. It is the core that coordinates authorization and protects sensitive system secrets.

Within the LSA, LSA Authentication integrates the authentication packages (for example NTLM or Kerberos) and handles the exchange of credentials between clients and domain controllers. This defines how users and services are authenticated during logon.

In enterprise environments, LSASS ties into Microsoft identity management, that is, Microsoft's identity stack that handles administrators, cross-domain trusts, single sign-on and centralized policy, with Active Directory as its backbone.


Key roles and responsibilities

Among its most notable functions, LSASS performs tasks that directly affect system and domain security. Below is a structured summary:

Element          | Description
Full name        | Local Security Authority Subsystem Service (lsass.exe)
Main function    | Enforce security policy and manage authentication in Windows and Active Directory.
Responsibilities | Verifying credentials during logon; managing passwords and security policies; controlling permissions and access to resources; authenticating users across the network and domains.
Importance       | Critical: a failure affects the security and accessibility of the system.
Risk             | Frequent target of malware and credential-theft techniques.

In production, LSASS stability and performance directly affect the user experience (logon latency, resource access) and the domain's ability to handle authentication spikes.

File location, scenarios, and how to tell malware apart

Always check that the legitimate executable lives in C:\Windows\System32. If you find a copy in another folder, or one with an almost identical name (for example 'lass.exe' without the initial letter), suspect a forgery.

Multiple instances showing up? Sometimes the system may show helper processes or related services that look duplicated, but multiple instances can indicate an infection or an impostor. Keep your antivirus updated and run a full scan, then reboot.

There are known families that abuse the name or the process, such as Trojan.W32.Webus, Trojan.W32.Satiloler, Trojan.W32.KELVIR, Trojan.W32.Windang, Trojan.W32.Spybot, backdoor.W32.ratsou, Trojan.W32.Downloader or Trojan.W32.Rontokbr. Their modus operandi varies, but the common pattern is hiding behind lsass.exe to go unnoticed.

In real-world cases, some antivirus products report that they blocked attempts on lsass.exe (for example detections such as Win32:HarHarMiner-P). If you also notice performance degradation or unusual network spikes, it is advisable to escalate the investigation promptly.

Symptoms and signs of problems

On workstations and servers, problems with system processes such as lsass.exe often arise from application conflicts or components competing for resources. Uninstalling unused software and restarting can reduce some of these issues.

On domain controllers, symptoms can include slow authentication, poor response times for directory lookups, or clients failing over to another DC when they hit saturation. Task Manager or Perfmon may show persistently high CPU usage by lsass.exe.

On Windows Server 2003, under certain conditions, the LSASS process can run out of resources and become unresponsive. This can manifest as hangs, noticeable delays in legacy NTLM authentication, and Netlogon counters showing long waits.

In Netlogon debug logs, when clients do not include the domain, SamLogon entries with patterns such as "SamLogon" next to the user as <null>\username can appear when NTLM is used, indicating a sequential lookup across the trusted domains.


Known causes on Windows Server 2003 and NeverPing tuning

Microsoft documented a scenario in which LSASS degrades when the number of concurrent logons multiplied by the number of trust relationships exceeds 1,000. This causes expensive domain lookups, especially from clients using legacy NTLM without specifying a domain.

To mitigate this behavior, you can apply the NeverPing registry setting, which adjusts how the DC pings remote domains when resolving incomplete credentials. Note: this option can have unexpected side effects if you have older clients (for example Windows 98 or Outlook Web Access) that do not specify a domain; those clients may only work if the account is in the local domain or in the global catalog.

Important warning: editing the Windows Registry is risky. Back up your registry and make sure you know how to restore it if something goes wrong. For reference, see Microsoft's official documentation on the Windows Registry (for example Microsoft Knowledge Base article 256986, which describes the Windows Registry).

Before touching the registry, apply the latest Windows Server 2003 Service Pack or the specific hotfix Microsoft released for this issue. If the hotfix is available for download, it will be shown as 'Hotfix Download Available' in the corresponding article; if not, you must contact Microsoft Support.

How to apply NeverPing

If you decide to proceed (and after creating a registry backup), these are the steps to apply NeverPing on the domain controller:

  1. Open Start > Run, type regedit and press OK to open the Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
  3. In that subkey, create a DWORD value named NeverPing.
  4. Double-click the value and set 1 in 'Value data'. Click OK.
  5. Close the Registry Editor and restart the computer to apply the change.
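The same five steps as an elevated PowerShell script, added here as an example (not from the original article or from Microsoft). It assumes an elevated session on the DC, writes a .reg backup of the Netlogon Parameters key before changing anything, and leaves the required reboot to you.

```powershell
# Added example, not from the original article. Assumes an elevated session on
# the domain controller. Backs up the Netlogon Parameters key, sets NeverPing=1
# as the article describes, and offers a rollback; a reboot is still required.
$keyPs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$keyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Backup-NetlogonParameters {
    # reg.exe export writes a .reg file that reg.exe import can restore later
    $file = Join-Path $env:TEMP ('NetlogonParams-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export $keyReg $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "Registry backup failed; no changes made."
    }
    return $file
}

function Enable-NeverPing {
    $backup = Backup-NetlogonParameters
    $before = (Get-ItemProperty -Path $keyPs -Name NeverPing -ErrorAction SilentlyContinue).NeverPing
    $shown  = if ($null -eq $before) { '<absent>' } else { $before }
    Write-Host "Backup written to $backup; NeverPing before: $shown"

    # Creates the DWORD if it is missing, overwrites it if it already exists
    New-ItemProperty -Path $keyPs -Name NeverPing -PropertyType DWord -Value 1 -Force | Out-Null

    $after = (Get-ItemProperty -Path $keyPs -Name NeverPing).NeverPing
    if ($after -ne 1) { throw "NeverPing was not set; restore with: reg.exe import `"$backup`"" }
    Write-Host "NeverPing = $after. Reboot the DC to apply."
    Write-Host "Rollback: reg.exe import `"$backup`" (or Disable-NeverPing), then reboot again."
    return $backup
}

function Disable-NeverPing {
    # Removing the value restores the default Netlogon behaviour (reboot required)
    Remove-ItemProperty -Path $keyPs -Name NeverPing -ErrorAction SilentlyContinue
}

$backupFile = Enable-NeverPing
```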

Microsoft's notes on this hotfix: there are no prerequisites, a restart is required after applying it, and the fix does not replace any other update. Microsoft confirmed the issue and first corrected it in Windows Server 2003 Service Pack 2.

Update file information (Netlogon.dll)

The file attributes Microsoft documented for the hotfix include the following Netlogon.dll versions:

File name     | Version      | Size    | Date        | Time  | Platform | Type
Netlogon.dll  | 5.2.3790.573 | 419,328 | 08-Aug-2006 | 13:01 | x86      | -
Netlogon.dll  | 5.2.3790.573 | 959,488 | 07-Aug-2006 | 21:58 | IA-64    | RTMQFE
Wnetlogon.dll | 5.2.3790.573 | 419,328 | 07-Aug-2006 | 22:01 | x86      | WOWU

For more details on service packs, see Microsoft's guide to obtaining the latest Windows Server 2003 Service Pack. If you do not see your language on the hotfix download form, the hotfix may not be available for that particular language.

High CPU usage on DCs (Windows Server 2008 and later)

On Windows Server 2008 and newer versions, Microsoft recommends running the Active Directory Diagnostics Data Collector Set in Performance Monitor when LSASS consumes too much CPU. This tool combines counters and traces and produces a report with likely causes.

Basic steps: open Server Manager or run perfmon.msc; expand the Data Collector Sets > System node (under Diagnostics > Reliability and Performance); right-click Active Directory Diagnostics and choose Start to begin the capture.

The default configuration collects data for 300 seconds (5 minutes). The system then compiles the report; compilation time depends on the amount of data recorded during the capture.

When it finishes, go to Reliability and Performance > Reports > System > Active Directory Diagnostics to open it. In the Diagnostic Results section you will see performance clues: common categories, AD details, and the remote clients generating the most traffic.

Sometimes the problem is caused by very expensive LDAP queries from remote computers or by a high volume of requests. The network section of the report helps identify noisy sources to clean up, scale, or redistribute the load among controllers.
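Before starting the 5-minute collector set, a quick counter sample tells you whether lsass CPU is really sustained and whether NTLM pass-through is queuing on the Netlogon secure channel. This is an added example, not from the original article; it assumes a DC on Windows Server 2008 R2 or later where the Netlogon semaphore counters exist, and reads the MaxConcurrentApi value mentioned in the summary without changing it.

```powershell
# Added example, not from the original article. Samples lsass CPU and the Netlogon
# semaphore counters (assumption: present on Windows Server 2008 R2 or later DCs)
# and reads MaxConcurrentApi, the Netlogon tuning knob named in the summary.
$counters = @(
    '\Process(lsass)\% Processor Time',
    '\Netlogon(_Total)\Semaphore Waiters',
    '\Netlogon(_Total)\Semaphore Timeouts',
    '\Netlogon(_Total)\Average Semaphore Hold Time'
)
$cores = [int]$env:NUMBER_OF_PROCESSORS

function Get-LsassLoadSnapshot {
    param([int]$IntervalSec = 5, [int]$Samples = 12)   # 12 x 5 s = one minute
    $raw = Get-Counter -Counter $counters -SampleInterval $IntervalSec -MaxSamples $Samples `
                       -ErrorAction SilentlyContinue
    $result = [ordered]@{}
    foreach ($g in ($raw.CounterSamples | Group-Object Path)) {
        $vals = $g.Group.CookedValue
        $name = ($g.Name -split '\\')[-1]                # e.g. "% processor time"
        $avg  = ($vals | Measure-Object -Average).Average
        $max  = ($vals | Measure-Object -Maximum).Maximum
        if ($name -eq '% Processor Time') {              # per-process counter sums all cores
            $avg /= $cores; $max /= $cores
        }
        $result[$name] = [pscustomobject]@{ Avg = [math]::Round($avg, 1); Max = [math]::Round($max, 1) }
    }
    return $result
}

$snap = Get-LsassLoadSnapshot
$snap.GetEnumerator() | ForEach-Object { '{0,-30} avg {1,8}  max {2,8}' -f $_.Key, $_.Value.Avg, $_.Value.Max }

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxApi = (Get-ItemProperty $netlogonKey -Name MaxConcurrentApi -ErrorAction SilentlyContinue).MaxConcurrentApi
"MaxConcurrentApi: $(if ($null -eq $maxApi) { '<default>' } else { $maxApi })"

# Interpretation: sustained CPU points at the AD Diagnostics collector set; waiters or
# timeouts on the semaphore mean NTLM pass-through requests are queuing on this DC.
if ($snap['% Processor Time'].Avg -gt 80) {
    'lsass CPU is sustained above 80%: start the Active Directory Diagnostics collector set.'
}
if ($snap['Semaphore Waiters'].Max -gt 0 -or $snap['Semaphore Timeouts'].Max -gt 0) {
    'NTLM pass-through is queuing on the Netlogon secure channel (review MaxConcurrentApi and trusts).'
}
```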

Active Directory Diagnostics

Practical security: the antivirus alert case

Example scenario: a user reports that their antivirus (for example Avast Free) showed 'Threat resolved' after protecting lsass.exe against Win32:HarHarMiner-P in the System32 path, together with a drop in performance and high ping in games. While this does not always mean the legitimate binary has been compromised, it calls for careful investigation.

In this case, beyond a full scan, it is advisable to verify that the real lsass.exe is in C:\Windows\System32, check its digital signature, and make sure there are no suspicious scheduled tasks or services running under its identity. If automatic remediation is not enough, consider an offline scan and consulting support or a repair tool.
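The path, signature and instance-count checks described above (and in the file-location section) as one elevated PowerShell script, added here as an example that is not part of the original article. The look-alike name list is constructed from the article's 'lass.exe' pattern; the script only reports, it does not kill or quarantine anything.

```powershell
# Added example, not from the original article. Run elevated: without admin rights
# the image path of lsass is not readable and the verdict falls back to UNKNOWN.
$legitPath  = Join-Path $env:SystemRoot 'System32\lsass.exe'
# Constructed list of look-alike names, extending the article's 'lass.exe' example
$lookalikes = @('lass.exe', 'lsas.exe', 'isass.exe', 'lssas.exe', 'lsass.exe.exe')

function Test-LsassIntegrity {
    $findings = @()
    $procs = Get-CimInstance Win32_Process | Where-Object {
        $_.Name -eq 'lsass.exe' -or ($lookalikes -contains $_.Name)
    }
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        # Windows binaries are signed (embedded or catalog) by Microsoft Corporation
        $isMicrosoft = $sig -and $sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'
        $verdict = if ($p.Name -ne 'lsass.exe')            { 'SUSPICIOUS: look-alike name' }
                   elseif (-not $path)                       { 'UNKNOWN: image path not readable (run elevated)' }
                   elseif ($path -ne $legitPath)             { 'SUSPICIOUS: running outside System32' }
                   elseif (-not $isMicrosoft)                { 'SUSPICIOUS: missing or invalid Microsoft signature' }
                   else                                      { 'OK' }
        $findings += [pscustomobject]@{
            Pid       = $p.ProcessId
            Name      = $p.Name
            Path      = $path
            Signature = if ($sig) { $sig.Status } else { 'Unreadable' }
            Verdict   = $verdict
        }
    }
    # The legitimate service runs as exactly one lsass.exe; more (or none) is a red flag
    $count = @($findings | Where-Object Name -eq 'lsass.exe').Count
    if ($count -ne 1) {
        $findings += [pscustomobject]@{
            Pid = $null; Name = 'lsass.exe'; Path = $null; Signature = 'n/a'
            Verdict = "SUSPICIOUS: $count lsass.exe instances running (expected 1)"
        }
    }
    return $findings
}

Test-LsassIntegrity | Format-Table -AutoSize
```

Anything other than a single OK row is the point at which the offline scan and the review of scheduled tasks and services mentioned above should start.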
