General Information
None at this time
Windows 8
Default Description
The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.
Additional Information
None at this time.
Default Startup Type
| OS | SP0 |
|---|---|
| Windows 8 x86 | Manual (Trigger Start) |
| Windows 8 x64 | Manual (Trigger Start) |
| Windows 8 Pro x86 | Manual (Trigger Start) |
| Windows 8 Pro x64 | Manual (Trigger Start) |
| Windows 8 Enterprise x86 | Manual (Trigger Start) |
| Windows 8 Enterprise x64 | Manual (Trigger Start) |
Service Names
Service Name (registry): KeyIso
Display Name: CNG Key Isolation
Display Name: CNG Key Isolation
Default Path and Command Line Options
C:\Windows\system32\lsass.exe
Log On As
Account: Local System account
Dependencies
Note: No dependencies are listed for any service in the WDP build I used to draft this information.
Windows 7
Default Description
The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.
Additional Information
This service is required for Wireless Networks as well as the following group of services:
- CNG Key Isolation
- Extensible Authentication Protocol
- Wired AutoConfig (not required for Wireless Networks)
- WLAN AutoConfig
WLAN AutoConfig, if set to Manual, will not start automatically if you use a hardware switch (such as those on laptops to turn on and off the wireless network card). If you require wireless connectivity on your computer, keep the listed services above on the default values as well as place WLAN AutoConfig into Automatic. If you do not have a wireless card installed on the system, or do not require authentication on your wired network card, the group of services can safely be disabled.
Default Startup Type
| OS | SP0 | SP1 |
|---|---|---|
| Windows 7 Starter | Manual (Started) | Manual |
| Windows 7 Home Basic | Manual(Started) | Manual |
| Windows 7 Home Premium | Manual (Started) | Manual |
| Windows 7 Professional | Manual (Started) | Manual |
| Windows 7 Ultimate | Manual(Started) | Manual |
| Windows 7 Enterprise | Manual (Started) | Manual |
Service Names
Service Name (registry): KeyIso
Display Name: CNG Key Isolation
Display Name: CNG Key Isolation
Default Path and Command Line Options
C:\Windows\system32\lsass.exe
Log On As
Account: Local System account
Dependencies
What service CNG Key Isolation needs to function properly:
- Remote Procedure Call (RPC)(S, HB, HP, P, U, E)
- DCOM Server Process Launcher (S, HB, HP, P, U, E)
- RPC Endpoint Mapper (S, HB, HP, P, U, E)
What other service require CNG Key Isolation to function properly:
- Extensible Authentication Protocol(S, HB, HP, P, U, E)
- Wired AutoConfig (S, HB, HP, P, U, E)
- WLAN AutoConfig (S, HB, HP, P, U, E)
Windows Vista
Default Description
The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.
Additional Information
This service is required for Wireless Networks as well as the following group of services:
CNG Key Isolation
- Extensible Authentication Protocol
- Wired AutoConfig
- WLAN AutoConfig
WLAN AutoConfig, if set to Manual, will not start automatically if you use a hardware switch (such as those on laptops to turn on and off the wireless network card). If you require wireless connectivity on your computer, keep the listed services above on the default values as well as place WLAN AutoConfig into Automatic. If you do not have a wireless card installed on the system, or do not require authentication on your wired network card, the group of services can safely be disabled.
Default Startup Type
| OS | SP0 | SP1 | SP2 |
|---|---|---|---|
| Vista Home Basic | Manual | Manual | Manual |
| Vista Home Premium | Manual | Manual | Manual |
| Vista Business | Manual | Manual | Manual |
| Vista Ultimate | Manual | Manual | Manual |
| Vista Enterprise | Manual | Manual | Manual |
Service Names
Service Name (registry): KeyIso
Display Name: CNG Key Isolation
Display Name: CNG Key Isolation
Default Path and Command Line Options
C:\Windows\system32\lsass.exe
Log On As
Account: Local System Account
Dependencies
What service CNG Key Isolation needs to function properly:
- Remote Procedure Call (RPC)(HB, HP, B, U)
- DCOM Server Process Launcher (HB, HP, B, U)
What other service require CNG Key Isolation to function properly:
- Extensible Authentication Protocol(HB, HP, B, U)
- Wired AutoConfig (HB, HP, B, U)
- WLAN AutoConfig (HB, HP, B, U)
Additional Reading
- CNG: https://msdn.microsoft.com/en-us/library/bb204775(VS.85).aspx
- Common Criteria: http://en.wikipedia.org/wiki/Common_Criteria
- EAP: http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
