Enable Local Security Authority Protection
Ensure the system has measures to secure login details against unauthorized access.
Plain language
This control is about making sure that your computer systems have a strong lock on your login information to prevent unauthorised access. If you don't protect these login details, someone could break into your system and potentially steal sensitive information, causing both reputational and financial harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Protecting Credentials
Official control statement
Local Security Authority protection functionality is enabled.
Why it matters
If LSA protection is not enabled, malware can dump LSASS credentials, enabling unauthorised access and lateral movement.
Operational notes
Verify LSA protection is enabled (RunAsPPL) after patching or upgrades, and alert if LSASS protection is disabled.
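One way to run the check described in this operational note, as an added example that is not part of the ISM or of this page's own material. It assumes the standard Windows LSA registry key and the Wininit boot event 12, and the function name and exit-code alerting convention are illustrative choices.

```powershell
# Added example: audit LSA protection (RunAsPPL) on the local Windows host.
# Run from an elevated PowerShell session, e.g. as a scheduled post-patch task.

function Test-LsaProtection {
    # Standard LSA configuration key; RunAsPPL is a DWORD value under it.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value  = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock,
    # 0 or absent = not configured.
    $configured = ($value -eq 1) -or ($value -eq 2)

    # The registry value only takes effect at boot. Wininit logs event 12 to the
    # System log when LSASS actually started as a protected process.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $bootEvent = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Only count the event if it belongs to the current boot session.
    $running = [bool]($bootEvent -and $bootEvent.TimeCreated -ge $lastBoot.AddMinutes(-1))

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RunAsPPL         = $value
        Configured       = $configured
        RunningProtected = $running
        Compliant        = $configured -and $running
    }
}

$result = Test-LsaProtection
$result | Format-List

if (-not $result.Compliant) {
    # Assumption: the monitoring agent treats a warning plus non-zero exit as an alert.
    Write-Warning "LSA protection is not active on $($result.ComputerName)"
    exit 1
}
```

A host that reports Configured as true but RunningProtected as false has usually not been rebooted since the setting was applied.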
Implementation tips
- The IT team should enable local security authority protection on all computers in the organisation. They should go into the system settings of each computer, find the security options, and turn on the protection for local security authority, which secures the login process.
- System administrators should regularly update software to maintain security features in the local security authority. They should monitor for any updates from the software provider and apply these updates monthly to ensure continued protection against new threats.
- Managers should ensure that the staff are trained on recognising phishing attempts that may try to steal their login credentials. Arrange workplace training sessions that demonstrate common phishing techniques and offer tips on how to verify the legitimacy of email requests.
- The IT team should conduct regular audits of system logs to identify any suspicious attempt to access login credentials. They should review these logs weekly, watching for multiple failed login attempts or logins at unusual hours, which could indicate a security threat.
- System owners should set up a recovery plan in case of a breach in login security. Establish steps to follow, such as notifying users and changing compromised passwords, and include these in a formal document accessible to IT staff.
Audit / evidence tips
- Ask: the security settings documentation. Request the document which outlines the local security authority settings on systems.
  Good: documentation shows all systems have local security authority protection enabled and updated.
- Ask: to review the software update schedule. Check for a documented schedule of updates applied to systems managing local security protection.
  Good: the schedule lists consistent monthly updates for all systems.
- Ask: training records. Request records of training programs conducted on phishing awareness.
  Good: the presence of comprehensive training records, signed attendance sheets, and examples of training content.
- Ask: system log reviews. Request logs of system activity reviews.
  Good: documented log reviews highlight proactive steps in response to suspicious login attempts.
- Ask: the recovery plan document. Request a copy of the breach recovery plan.
  Good: the plan includes clear, actionable steps and responsibilities for managing and communicating a breach.
Cross-framework mappings
How ISM-1861 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| E8-RA-ML3.6 | ISM-1861 requires LSA protection to be enabled to harden the Local Security Authority process and reduce exposure of authentication secrets | |
| E8-RA-ML3.7 | E8-RA-ML3.7 requires Remote Credential Guard to be enabled to prevent administrator credentials being exposed during remote logons | |
| Related (1) | | |
| E8-RA-ML3.5 | E8-RA-ML3.5 requires Local Security Authority (LSA) protection functionality to be enabled to harden credential handling and reduce crede... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.