What is LSA (concept)?

As per Microsoft docs:

"The Local Security Authority (LSA) is a protected system process that authenticates and logs users on to the local computer. In addition, LSA maintains information about all aspects of local security on a computer (these aspects are collectively known as the local security policy), and it provides various services for translation between names and security identifiers (SIDs)."

What is LSASS (process)?

As per Microsoft docs:

"The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions. The stored credentials let users seamlessly access network resources, such as file shares, Exchange Server mailboxes, and SharePoint sites, without re-entering their credentials for each remote service."


LSASS (process) manages the local system policy, user authentication, and auditing while handling sensitive security data such as password hashes and Kerberos keys. The secret part of domain credentials, the password, is protected by the operating system. Only code running in-process with the LSA can read and write domain credentials. In summary:

LSASS can store credentials in multiple forms, including:

The lsass.exe file used by Windows is located in the directory %WINDIR%\System32, and the description of the file is Local Security Authority Process.

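As an added example (not part of the original page or of Microsoft's documentation), the PowerShell below checks every running process named lsass.exe against the location and file description given above. It assumes an elevated prompt on an English-language Windows 10 or later system (the description string is localized on other language versions); the signature check is an extra step that the page does not describe.

```powershell
# Added example: verify that each running lsass.exe matches the expected
# image path and file description. Run elevated; without elevation the
# image path of a protected process may not be readable.

$expectedPath = Join-Path $env:WINDIR 'System32\lsass.exe'
$expectedDesc = 'Local Security Authority Process'   # English-language string

$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'lsass.exe'")

$results = foreach ($p in $procs) {
    $issues = New-Object System.Collections.Generic.List[string]
    $path   = $p.ExecutablePath

    if (-not $path) {
        $issues.Add('image path not readable (run elevated)')
    }
    else {
        # Windows paths are case-insensitive, so use a case-insensitive compare.
        if ($path -ine $expectedPath) {
            $issues.Add("unexpected location: $path")
        }
        $desc = (Get-Item -LiteralPath $path).VersionInfo.FileDescription
        if ($desc -ne $expectedDesc) {
            $issues.Add("unexpected description: '$desc'")
        }
        # Extra check (assumption: Windows 10 / PowerShell 5.1 or later,
        # where catalog-signed system binaries are validated).
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') {
            $issues.Add("signature status: $($sig.Status)")
        }
    }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Path      = $path
        Verdict   = if ($issues.Count) { 'REVIEW' } else { 'OK' }
        Issues    = $issues -join '; '
    }
}

# Normally exactly one lsass.exe is running.
if ($procs.Count -ne 1) {
    Write-Warning "Found $($procs.Count) lsass.exe processes; expected 1."
}

$results | Format-List
```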