CNG Key Isolation (KeyIso) Service on Windows Server 2008


What is the "CNG Key Isolation (KeyIso)" system service on Windows Server 2008? Can I disable "CNG Key Isolation"?



"CNG Key Isolation (KeyIso)" is a Windows Server 2008 service that provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.

CNG stands for "Cryptography Application Programming Interface - Next Generation". A "Key" is a cryptographic token, for example, one generated from a wireless networking passphrase. "Isolation" relates to public key cryptography: inside the operating system, public keys have to be kept separate from private keys, and that is what the service is for.

Detailed information on "CNG Key Isolation" service:

Service name: KeyIso
Display name: CNG Key Isolation
Execution command: 
   Remote Procedure Call (RPC)
   Extensible Authentication Protocol

"CNG Key Isolation" service is provided by the lsass.exe program, see "lsass.exe Executable Program on Windows Server 2008" for details.

Disabling "CNG Key Isolation" service will cause issues on running Windows Server 2008 with wireless connections.
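
The service details above can be read from a live system before changing the startup type. The following PowerShell is an added example, not part of the original page; `Get-KeyIsoReport` is a hypothetical helper name, and it assumes PowerShell 2.0 or later is installed on the server.

```powershell
# Added example: inspect KeyIso before changing its startup type.
# Get-KeyIsoReport is a hypothetical helper name, not a built-in cmdlet.
function Get-KeyIsoReport {
    param([string]$Name = 'KeyIso')

    # Win32_Service exposes the command line, start mode and hosting PID.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $wmi) { throw "Service '$Name' was not found on this host." }

    $svc = Get-Service -Name $Name

    # Process that hosts the service (stays $null when the service is stopped).
    $hostProcess = $null
    if ($wmi.ProcessId -gt 0) {
        $p = Get-Process -Id $wmi.ProcessId -ErrorAction SilentlyContinue
        if ($p) { $hostProcess = $p.ProcessName }
    }

    # Services that depend on KeyIso, with their own start mode and state.
    $dependents = @($svc.DependentServices | ForEach-Object {
        $d = Get-WmiObject -Class Win32_Service -Filter "Name='$($_.Name)'"
        New-Object PSObject -Property @{
            Name = $d.Name; DisplayName = $d.DisplayName
            StartMode = $d.StartMode; State = $d.State
        }
    })

    # Dependents still configured to start cannot do so if KeyIso is disabled.
    $blocked = @($dependents | Where-Object { $_.StartMode -ne 'Disabled' })
    $conflict = ($wmi.StartMode -eq 'Disabled') -and ($blocked.Count -gt 0)

    New-Object PSObject -Property @{
        Name           = $wmi.Name
        DisplayName    = $wmi.DisplayName
        Command        = $wmi.PathName
        StartMode      = $wmi.StartMode
        State          = $wmi.State
        HostProcess    = $hostProcess
        DependsOn      = @($svc.ServicesDependedOn | ForEach-Object { $_.DisplayName })
        Dependents     = $dependents
        DisabledButNeeded = $conflict
    }
}

Get-KeyIsoReport | Format-List
```

`DisabledButNeeded` is true when KeyIso is set to Disabled while at least one dependent service is still configured to start.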


2022-07-01