Microsoft Defender to Block Credential Theft By Default on Windows PCs
Microsoft is getting ready to enable a new security feature in Microsoft Defender that should make it more difficult for threat actors to steal credentials from Windows PCs. The company says that the Attack Surface Reduction (ASR) security rule will help to prevent hackers with admin privileges from accessing the Local Security Authority Subsystem Service (LSASS) process.
For those unfamiliar, the LSASS process is responsible for enforcing local security policies and it validates users for local and remote sign-ins. To retrieve Windows credentials, threat actors typically dump the memory of the LSASS process on compromised devices.
Microsoft previously released several security features (such as Credential Guard) to block access to the LSASS process. However, some organizations haven’t enabled Credential Guard yet because it may conflict with applications or device drivers.
Microsoft Defender to get an Attack Surface Reduction (ASR) rule
As noted by Bleeping Computer, Microsoft is planning to address this issue by turning on the Attack Surface Reduction rule by default in Microsoft Defender. Once enabled, the feature will prevent malicious processes with admin privileges from dumping the memory of the LSASS process. Security researcher Kostas noticed that Microsoft quietly updated the ASR rules documentation last week to reflect this change.
“The default state for the Attack Surface Reduction (ASR) rule ‘Block credential stealing from the Windows local security authority subsystem (lsass.exe)’ will change from Not Configured to Configured and the default mode set to Block. All other ASR rules will remain in their default state: Not Configured,” the company explained on a support page.
Microsoft noted that it has implemented additional filtering logic in the ASR rule that should help to reduce end-user notifications. It’s also possible for users to override the default value by configuring the rule to one of these modes: Audit, Warn, or Disabled.
It is important to note that the new ASR feature can only protect Windows PCs with Microsoft Defender installed as the default antivirus. However, this setting is automatically disabled as soon as a third-party antivirus product is installed on the same device. Bleeping Computer reports that some researchers bypassed the ASR rules by exploiting the Microsoft Defender exclusion paths.
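The two caveats above (the rule can be set to Audit, Warn or Disabled, and it stops applying when a third-party antivirus puts Defender into passive mode) are things an administrator will want to verify per host. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session on a Windows machine with Microsoft Defender present, and relies on the documented ASR rule GUID for the LSASS rule and on Defender operational event IDs 1121 (blocked) and 1122 (audited).

```powershell
# Added example: report the effective state of the LSASS credential-theft ASR rule on this host.
# Rule GUID for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Numeric action codes as stored by Get-MpPreference / Set-MpPreference for ASR rules.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassAsrState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # ASR rules are enforced only while Defender is the active AV engine ("Normal").
    # With a third-party product installed, AMRunningMode reports a passive mode instead.
    $defenderActive = ($status.AMRunningMode -eq 'Normal')

    # Locate the LSASS rule among explicitly configured rules (GUID comparison is case-insensitive).
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) { $idx = $i }
    }

    if ($idx -lt 0) {
        # Not explicitly configured: the platform default applies (Block on builds carrying the change).
        $configured = 'Not Configured (platform default)'
    } else {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$idx]
        $configured = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
    }

    # Recent ASR events that reference this rule: 1121 = blocked, 1122 = audit-only.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -MaxEvents 500 -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $LsassRuleId }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DefenderActive   = $defenderActive
        AMRunningMode    = $status.AMRunningMode
        LsassRuleSetting = $configured
        # The rule only protects the host when Defender is active AND the mode is Block.
        Enforced         = ($defenderActive -and ($configured -eq 'Block' -or $idx -lt 0))
        RecentBlocks     = @($events | Where-Object Id -eq 1121).Count
        RecentAudits     = @($events | Where-Object Id -eq 1122).Count
    }
}

Get-LsassAsrState | Format-List
# To pilot the rule without blocking first, switch only this rule to audit (Add-MpPreference updates
# a single rule; Set-MpPreference would replace the whole list):
#   Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId -AttackSurfaceReductionRules_Actions AuditMode
```

A host that reports `DefenderActive = False` is exactly the case described above: a third-party antivirus has taken over and the rule no longer applies, whatever `LsassRuleSetting` says.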
Nevertheless, cybersecurity experts believe that the new default behavior regarding the ASR feature is a welcome change that can help to prevent credential theft. “It’s something we have asked for years (decades?). It’s a good step and I’m very happy to see that + Macro disabled by default when coming from the Internet. We now start to see measures really related to real world attacks,” Mimikatz developer Benjamin Delpy said in a statement to Bleeping Computer.