Public/Enable-LsaProtection.ps1

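function Enable-LsaProtection {
    <#
    .SYNOPSIS
        Enables LSA Protection (RunAsPPL) to defend LSASS against credential dumping.
    .DESCRIPTION
        Sets the RunAsPPL DWORD value to 1 under the LSA registry key, marking the Local
        Security Authority Subsystem Service (LSASS) as a Protected Process Light (PPL).
        Once active, non-protected processes (including ones running elevated) can no longer
        open LSASS for memory reads or code injection, and LSA plug-ins must meet Microsoft's
        signing requirements to load. This blocks user-mode credential dumping tools that rely
        on direct memory access. It does not protect against code running in the kernel, so
        treat it as one layer alongside controls such as Credential Guard and driver blocking.
        A system restart is required for the protection to take effect.

        Note: Some third-party security products and antivirus software inject into LSASS
        and may fail to load after this change is applied. Test in a non-production environment
        before broad deployment.
    .INPUTS
        None. Parameters must be supplied directly.
    .OUTPUTS
        None.
    .PARAMETER ComputerName
        The target computer. Defaults to the local machine. The names $env:COMPUTERNAME,
        'localhost' and '127.0.0.1' are handled locally; anything else goes through
        PowerShell remoting.
    .PARAMETER Force
        Restarts the computer immediately after applying the change. The restart is still
        subject to its own ShouldProcess confirmation, and it is only attempted when the
        registry write succeeded.
    .EXAMPLE
        Enable-LsaProtection

        Enables LSA Protection on the local machine and warns that a restart is needed.
    .EXAMPLE
        Enable-LsaProtection -ComputerName 'Server01' -Force

        Enables LSA Protection on Server01 and restarts it immediately.
    .NOTES
        Requires Administrator privileges.
        Test compatibility with installed security software before deploying broadly.
        Microsoft documents an LSASS audit mode that logs, in the CodeIntegrity operational
        log (events 3065 and 3066), the plug-ins that would be blocked once protection is on.
        Remote operations require WinRM to be configured on the target machine.

        Rollback: on Secure Boot / UEFI devices, RunAsPPL = 1 can be persisted in a UEFI
        firmware variable. Deleting the registry value alone then does not disable the
        protection, so plan the rollback path before deploying. On Windows 11 22H2 and
        later, Microsoft documents RunAsPPL = 2 as the setting without the UEFI variable;
        this function always writes 1.

        Verification: after the restart, look for Wininit event ID 12 in the System log
        ("LSASS.exe was started as a protected process"). The registry value alone does not
        prove that LSASS is running protected.
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    [OutputType([void])]

    param (
        [Parameter(Mandatory = $false)]
        [string]$ComputerName = $env:COMPUTERNAME,

        [Parameter(Mandatory = $false)]
        [switch]$Force
    )

    # Local targets are written directly so that no WinRM listener is needed on this host.
    $isLocal = ($ComputerName -ieq $env:COMPUTERNAME) -or
               ($ComputerName -ieq 'localhost') -or
               ($ComputerName -eq '127.0.0.1')

    $registryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName    = 'RunAsPPL'

    if ($PSCmdlet.ShouldProcess($ComputerName, "Set $valueName = 1 in LSA registry key")) {
        if ($isLocal) {
            Set-ItemProperty -Path $registryPath -Name $valueName -Value 1 -Type DWord -ErrorAction Stop
        } else {
            # -ErrorAction Stop is required on Invoke-Command itself: a failed connection, or
            # an error raised inside the remote script block, reaches the caller as a
            # non-terminating error by default. Without it the function would go on to report
            # success and, with -Force, reboot a host that was never hardened.
            Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
                Set-ItemProperty -Path $using:registryPath -Name $using:valueName -Value 1 -Type DWord -ErrorAction Stop
            }
        }

        # Reached only when the registry write succeeded (both branches above are terminating).
        Write-Verbose "LSA Protection enabled on '$ComputerName'."
        Write-Warning "A system restart is required for LSA Protection to take effect."

        # The restart is a separate high-impact action, so it gets its own confirmation.
        if ($Force -and $PSCmdlet.ShouldProcess($ComputerName, 'Restart computer to apply changes')) {
            Restart-Computer -ComputerName $ComputerName -Force
        }
    }
}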