Microsoft Defender to Block Credential Theft By Default on Windows PCs
Microsoft is getting ready to enable a new security feature in Microsoft Defender that should make it more difficult for threat actors to steal credentials from Windows PCs. The company says that the Attack Surface Reduction (ASR) rule will help prevent attackers who already hold administrative privileges from accessing the memory of the Local Security Authority Subsystem Service (LSASS) process.
For those unfamiliar, the LSASS process enforces local security policy and validates users for local and remote sign-ins. Because it holds the secrets needed to do so, threat actors typically dump the memory of the LSASS process on compromised devices to retrieve Windows credentials.
Microsoft previously released several security features (such as Credential Guard, which isolates the LSA secrets so that a dump of LSASS no longer yields usable credentials) to counter this technique. However, some organizations haven’t enabled Credential Guard yet because it may conflict with applications or device drivers.
Microsoft Defender to get an Attack Surface Reduction (ASR) rule
As noted by Bleeping Computer, Microsoft is planning to address this issue by turning on the Attack Surface Reduction rule by default in Microsoft Defender. Once enabled, the feature will prevent malicious processes with admin privileges from dumping the memory of the LSASS process. Security researcher Kostas noticed that Microsoft quietly updated the ASR rules documentation last week to reflect this change.
“The default state for the Attack Surface Reduction (ASR) rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” will change from Not Configured to Configured and the default mode set to Block. All other ASR rules will remain in their default state: Not Configured,” the company explained on a support page.
Microsoft noted that it has implemented additional filtering logic in the ASR rule that should help to reduce end-user notifications. Administrators can also override the default value by configuring the rule to one of these modes: Audit, Warn, or Disabled.
It is important to note that the new default only protects Windows PCs running Microsoft Defender as the active antivirus: the rule is automatically disabled as soon as a third-party antivirus product takes over as the primary antivirus on the same device. Bleeping Computer also reports that some researchers have bypassed the ASR rules by abusing Microsoft Defender exclusion paths, so existing exclusions should be reviewed alongside the rule itself.
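The rule states and the exclusion caveat described above can be checked and changed from PowerShell. The following is an added example written for this article, not code from Microsoft or from the article itself; it uses the Defender cmdlets (`Get-MpPreference`, `Add-MpPreference`, `Get-WinEvent`), the documented GUID of the LSASS ASR rule, and the documented Defender event IDs 1121 (rule fired in Block mode) and 1122 (Audit mode). The function names and the "risky exclusion" patterns are this example's own assumptions.

```powershell
# Added example (not from the article or Microsoft): inspect, configure and
# monitor the ASR rule "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)". Run in an elevated PowerShell on a
# machine where Microsoft Defender is the active antivirus.

# Microsoft's documented GUID for the LSASS credential-theft ASR rule.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Numeric action codes as returned by Get-MpPreference, and the enum names
# accepted by Add-MpPreference / Set-MpPreference for the same modes.
$AsrActionCode = @{ Disabled = 0; Block = 1; Audit = 2; Warn = 6 }
$AsrActionName = @{ Disabled = 'Disabled'; Block = 'Enabled'; Audit = 'AuditMode'; Warn = 'Warn' }

function Get-LsassAsrState {
    # Returns the explicitly configured mode for the LSASS rule, or
    # 'Not Configured' when no entry exists (behaviour then falls back to the
    # platform default the article describes).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            $mode = ($AsrActionCode.GetEnumerator() | Where-Object Value -eq $acts[$i]).Key
            return [pscustomobject]@{ RuleId = $ids[$i]; Action = $acts[$i]; Mode = $mode }
        }
    }
    return [pscustomobject]@{ RuleId = $LsassRuleId; Action = $null; Mode = 'Not Configured' }
}

function Set-LsassAsrMode {
    param([ValidateSet('Block', 'Audit', 'Warn', 'Disabled')][string]$Mode)
    # Add-MpPreference appends/updates this one rule; Set-MpPreference with the
    # same parameters would replace the entire ASR rule list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions $AsrActionName[$Mode]
}

function Get-RiskyDefenderExclusions {
    # Broad exclusions (whole drives, user-writable folders) are the kind the
    # reported bypass abused: a tool launched from an excluded path is not
    # evaluated by the ASR rule. The patterns below are this example's heuristic.
    $pref = Get-MpPreference
    @($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object {
        $_ -and ($_ -match '^[A-Za-z]:\\?$' -or
                 $_ -match '(?i)\\(Users|Temp|ProgramData|Public|Downloads)\\?')
    }
}

function Get-LsassAsrEvents {
    param([int]$Days = 7)
    # Defender operational log: 1121 = ASR rule blocked, 1122 = ASR rule audited.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
            Message
}

# Usage: inspect the current state, run in Audit first to see what would be
# blocked, review exclusions, then switch to Block once the events look clean.
Get-LsassAsrState
Set-LsassAsrMode -Mode Audit
Get-RiskyDefenderExclusions
Get-LsassAsrEvents -Days 7
# Set-LsassAsrMode -Mode Block
```

Rolling the rule out through Audit first matches the modes the article lists and lets you spot the application or driver conflicts Microsoft mentions before anything is blocked; the exclusion check is there because an ASR rule in Block mode gives no protection to a process that Defender has been told to ignore.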
Nevertheless, cybersecurity experts believe that the new default behavior regarding the ASR feature is a welcome change that can help to prevent credential theft. “It’s something we have asked for years (decades?). It’s a good step and I’m very happy to see that + Macro disabled by default when coming from the Internet. We now start to see measures really related to real world attacks,” Mimikatz developer Benjamin Delpy said in a statement to Bleeping Computer.