In modern IT environments, hardening security on Windows systems involves configuring critical registry settings related to authentication and access control. This PowerShell script automates the configuration of several important Local Security Authority (LSA) settings by ensuring specific values are applied to key security-related registry entries.
This article explains how the script works, what each setting controls, and why enforcing these values enhances security.
Understanding the LSA Security Settings
The script targets four critical LSA settings in the Windows Registry:
- RestrictAnonymous
- RunAsPPL
- DisableDomainCreds
- RestrictAnonymousSAM
Explanation of the LSA Settings Managed by the Script:
- RestrictAnonymous:
  - Controls the level of anonymous access to resources. Setting this value to 1 restricts anonymous users from obtaining a list of account names and shares, improving security by preventing certain types of information gathering by attackers.
  - Registry value: 1 = Restrict anonymous access.
- RunAsPPL (Protected Process Light):
  - Ensures that LSA runs as a Protected Process Light (PPL), providing stronger protection against malware that might try to interact with or manipulate authentication services.
  - Registry value: 1 = Enable Protected Process Light.
- DisableDomainCreds:
  - Controls whether Windows stores credentials locally. Setting this to 1 disables storing credentials on local machines, forcing users to authenticate directly against the domain for each session, which reduces the risk of credential theft.
  - Registry value: 1 = Disable storing domain credentials.
- RestrictAnonymousSAM:
  - Prevents anonymous users from accessing the Security Accounts Manager (SAM) database, which stores password hashes. Restricting access to SAM improves security by preventing unauthorized access to sensitive authentication data.
  - Registry value: 1 = Restrict anonymous SAM access.
Why These Settings Matter:
These LSA settings are critical for hardening authentication mechanisms and access control in Windows environments. By enabling these features, you reduce the risk of attacks such as credential harvesting, privilege escalation, and unauthorized access.
Here’s why each setting matters:
- RestrictAnonymous reduces the ability of attackers to enumerate network resources anonymously, a common technique in the reconnaissance phase of attacks.
- RunAsPPL provides added protection for the LSA process itself, reducing the chance of it being tampered with by malware.
- DisableDomainCreds prevents cached credentials from being used to authenticate without domain verification, lowering the risk of credential theft.
- RestrictAnonymousSAM adds a barrier to accessing the SAM database, which could otherwise be exploited for password cracking.
Here is the script:
# Registry key that holds the Local Security Authority (LSA) settings
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
# The four DWORD values this script enforces, all of which must be 1
$keyNames = @("RestrictAnonymous", "RunAsPPL", "DisableDomainCreds", "RestrictAnonymousSAM")
$keyValue = 1

foreach ($keyName in $keyNames) {
    # Read the current value; a missing value yields $null, which also fails the comparison below
    $current = (Get-ItemProperty -Path $keyPath -Name $keyName -ErrorAction SilentlyContinue).$keyName
    if ($current -ne $keyValue) {
        # Create the value if it is missing, or overwrite it (-Force) if it holds anything other than 1
        New-ItemProperty -Path $keyPath -Name $keyName -Value $keyValue -PropertyType DWORD -Force | Out-Null
        Write-Output "$keyName set to $keyValue (previous value: '$current')"
    }
    else {
        # Already at the desired value: leave it untouched (the original else branch wrote $null here,
        # which would have cleared a correctly configured value)
        Write-Output "$keyName is already set to $keyValue"
    }
}
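Before rolling a script like this out, most teams want a read-only audit that reports which of the four values are missing, have the wrong type, or hold a value other than 1, so that drift can be measured without changing anything. The following is an added example written for this article and is not part of the original script; it assumes the same `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa` key and the same four value names, and the `Get-LsaSettingState` function name and the backup path under `$env:TEMP` are choices made here for illustration.

```powershell
# Added example, not from the original article: audit the four LSA values against the desired
# state without modifying them, and emit a per-setting compliance report plus a non-zero exit
# code on drift, so the check can run from a scheduler or configuration-management agent.
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$desired = @{
    RestrictAnonymous    = 1
    RunAsPPL             = 1
    DisableDomainCreds   = 1
    RestrictAnonymousSAM = 1
}

function Get-LsaSettingState {
    # Hypothetical helper name chosen for this example.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Desired
    )
    $key = Get-Item -Path $Path
    foreach ($name in $Desired.Keys) {
        # GetValue returns $null when the value does not exist; GetValueKind reveals a value
        # that exists but was created with the wrong type (for example REG_SZ "1" instead of DWORD)
        $current = $key.GetValue($name, $null)
        $kind = if ($null -ne $current) { $key.GetValueKind($name) } else { 'Missing' }
        [pscustomobject]@{
            Name      = $name
            Desired   = $Desired[$name]
            Current   = $current
            Kind      = $kind
            Compliant = (($current -eq $Desired[$name]) -and ("$kind" -eq 'DWord'))
        }
    }
}

$report = Get-LsaSettingState -Path $keyPath -Desired $desired
$report | Format-Table -AutoSize

$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} LSA setting(s) out of compliance: {1}" -f $drift.Count, ($drift.Name -join ', '))
    # Keep a rollback copy of the key before any remediation script touches it
    # (path under $env:TEMP is an assumption for this example)
    reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" "$env:TEMP\Lsa-backup.reg" /y | Out-Null
    exit 1
}
else {
    Write-Output "All four LSA settings are compliant."
    exit 0
}
```

Run the audit from an elevated PowerShell session; reading the key works for standard users, but `reg.exe export` of an HKLM subkey and any subsequent remediation require administrator rights. The type check matters because `Get-ItemProperty` alone would report a REG_SZ value of "1" as equal to 1 and hide a misconfiguration; and note that a change to `RunAsPPL` only takes effect after the machine reboots, so an audit run immediately after remediation will report the registry value as compliant before LSA is actually running protected.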