How to detect and halt credential theft via Windows WDigest

Once attackers get into a system, they often try to elevate privileges or harvest credentials. One way they do this is by finding the legacy WDigest authentication protocol left enabled and forgotten on servers. On Windows Server versions prior to Server 2012 R2, WDigest credential caching is enabled by default. When it is enabled, Lsass.exe retains a copy of the user’s plaintext password in memory, where it is at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.
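
One way to check a host for the caching state described above, as an added example that is not from the original article. It assumes PowerShell 3.0 or later and that caching is controlled by the `UseLogonCredential` registry value under the WDigest key (neither the value name nor the key path appears in the article); `Get-WDigestState` is a hypothetical helper name.

```powershell
# Added example. Assumptions (not stated in the article): caching is controlled by
# the DWORD value UseLogonCredential under the WDigest key (1 = cache, 0 = do not),
# and the host honours that value. Get-WDigestState is a hypothetical helper name.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestState {
    param(
        [Nullable[int]]$UseLogonCredential,  # $null when the value is absent
        [Parameter(Mandatory)][version]$OsVersion
    )
    # Windows Server 2012 R2 reports version 6.3; earlier releases cache by default.
    $defaultOff = $OsVersion -ge [version]'6.3'

    if ($null -eq $UseLogonCredential) {
        if ($defaultOff) { return 'Disabled (OS default)' }
        return 'ENABLED (OS default, value not set)'
    }
    if ($UseLogonCredential -eq 0) { return 'Disabled (explicitly set)' }
    if ($defaultOff) { return 'ENABLED (overrides OS default, confirm this is intended)' }
    return 'ENABLED (explicitly set)'
}

# Read the live setting; a missing key or value yields $null rather than an error.
$prop  = Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
$value = if ($prop) { [int]$prop.UseLogonCredential } else { $null }
$os    = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    OsVersion          = $os
    UseLogonCredential = if ($null -eq $value) { '(not set)' } else { $value }
    WDigestCaching     = Get-WDigestState -UseLogonCredential $value -OsVersion $os
}
```

A host that reports caching as enabled through an explicit value on Server 2012 R2 or later is the case to review first, since the setting there departs from the default.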
