We recommend that you enable protection of the Security Account Manager (SAM) database in the Credential Theft Protection mitigation, so that its structures in the Windows Registry and on the local disk are shielded against dumping. SAM protection (disk and registry) is optional: it is disabled by default to allow system backups. LSASS memory protection is now enabled by default.