E8-RA-ML3.5 ASD Essential Eight

Local Security Authority protection functionality is enabled

Ensure LSA protection is on to prevent malware from stealing credentials.

Plain language

Local Security Authority (LSA) protection helps keep your computer safe by stopping sneaky programs from stealing important information like passwords. Without this protection, malware could grab your credentials and gain access to your systems, leading to data breaches or unauthorised access.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Restrict administrative privileges

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 May 2026

E8 maturity levels

ML3

Official control statement

Local Security Authority protection functionality is enabled.

Why it matters

Without LSA protection, attackers can dump LSASS to steal credential material, enabling account takeover and unauthorised access.

Operational notes

Enforce LSA protection via GPO/Intune, verify it remains enabled after patching, and monitor Windows events for attempts to disable RunAsPPL.

Implementation tips

  • The system administrator should enable LSA protection on all computers to increase security. They can do this via Group Policy settings in Windows by accessing the security settings and ticking the box for LSA protection.
  • The IT team should regularly check that LSA protection settings are applied across all systems. They can do this by running a regular script that checks the status of LSA settings and reports back on compliance.
  • The security officer should educate staff on why LSA protection is crucial. They can do this through brief training sessions or newsletters explaining the risk of credential theft and the benefits of protection measures.
  • The system administrator should configure automatic updates for systems to ensure LSA protection features are up to date. This can be done by enabling Windows Update on all machines so that the latest security improvements are applied promptly.
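
One way to write the regular compliance check described in the tips above, as an added example that is not part of the original page. The function name `Get-LsaProtectionStatus` is hypothetical; the registry location of `RunAsPPL` and the Wininit event ID 12 come from Microsoft's LSA protection documentation, not from this page.

```powershell
# Added example: report LSA protection (RunAsPPL) state on the local machine.
# Get-LsaProtectionStatus is a hypothetical name, not a built-in cmdlet.
function Get-LsaProtectionStatus {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # RunAsPPL: absent or 0 = not enabled through this value,
    # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    $configured = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL `
        -ErrorAction SilentlyContinue).RunAsPPL

    # The registry value shows what is configured. Wininit event 12 in the
    # System log shows that LSASS actually started as a protected process,
    # so look for it since the last boot.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $bootEvent = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
        StartTime    = $lastBoot
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $isConfigured = $configured -in 1, 2
    $isProtected  = [bool]$bootEvent

    # A host is reported compliant only when both signals agree. A rolled-over
    # System log yields ProtectedAtBoot = $false, which flags the host for
    # manual review rather than passing it silently.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        RunAsPPL        = $configured
        Configured      = $isConfigured
        ProtectedAtBoot = $isProtected
        Compliant       = $isConfigured -and $isProtected
        CheckedAt       = (Get-Date).ToString('s')
    }
}

# Emit one JSON record per run so a scheduled task can collect results centrally.
Get-LsaProtectionStatus | ConvertTo-Json -Compress
```

Comparing `Configured` against `ProtectedAtBoot` after each patch cycle also covers the operational note about verifying that protection remains enabled after patching.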

Audit / evidence tips

  • Ask: Is LSA protection enabled on all systems within the organisation?
  • Good: The settings should show LSA protection is enabled on every computer, verified by both policy documentation and system checks
  • Ask: How often are LSA settings reviewed for compliance?
  • Good: Scheduled reports from system checks should show consistent review intervals, with all systems marked compliant

Cross-framework mappings

How E8-RA-ML3.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Supports (1)
Annex A 5.17 Annex A 5.17 requires organisations to control how authentication information is allocated, managed and handled, including guidance to pe...

ASD ISM

Control Notes Details
Partially overlaps (3)
ISM-1492 ISM-1492 requires operating system exploit protection functionality to be enabled to block or reduce common exploitation behaviours
ISM-1686 ISM-1686 requires Credential Guard functionality to be enabled to better protect credentials in Windows environments
ISM-1897 ISM-1897 requires enabling Remote Credential Guard to limit credential exposure when users access systems remotely
Supports (5)
ISM-1402 ISM-1402 requires organisations to protect stored credentials using secure storage mechanisms (e.g., password managers, HSMs, or robust h...
ISM-1584 ISM-1584 requires technical enforcement so unprivileged users cannot bypass, disable or modify operating system security functionality an...
ISM-1749 ISM-1749 requires cached credentials on systems to be limited to one previous logon to reduce the value of cached secrets if a device is ...
ISM-1829 ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), reducing exposure of reusable credentials that attacke...
ISM-1896 ISM-1896 requires memory integrity functionality to be enabled to harden the OS against in-memory credential theft
Related (3)
ISM-1798 ISM-1798 requires producing and publishing secure configuration guidance for software consumers
ISM-1858 ISM-1858 requires IT equipment to be hardened using ASD and vendor hardening guidance, applying the most restrictive guidance where confl...
ISM-1861 E8-RA-ML3.5 requires Local Security Authority (LSA) protection functionality to be enabled to harden credential handling and reduce crede...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
