Microsoft adds feature to Defender that prevents password dumps in LSA


Microsoft is adding a feature to Defender that can block processes from reaching the Local Security Authority Server Service. This closes an important method of extracting passwords from Windows.

The feature is an Attack Surface Reduction (ASR) rule that Microsoft is adding to Defender. It ensures that attackers can no longer take memory dumps of LSASS, the Local Security Authority Server Service. The Local Security Authority is the Windows service that authenticates users at login, and attackers abuse it by dumping its memory to extract plaintext passwords and NTLM hashes. The new rule prevents that.

Normally, Defender's built-in Credential Guard feature prevents such a dump. Microsoft has now added a new rule that works even when Credential Guard is disabled, which is common in companies because Credential Guard can cause problems with smart card drivers or other software. The new rule blocks all processes from accessing lsass.exe, even those running with admin rights.

The feature will now be enabled by default for all users, who can turn it off manually. According to Microsoft, all other ASR rules remain disabled by default. Microsoft warns that companies may see more entries in their logs about other processes being blocked from accessing lsass.exe. The company says it has implemented additional filtering rules that reduce the number of such reports.
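The article describes the rule, its default-on state and the extra log entries admins should expect. The following PowerShell is an added example, not from the article or from Microsoft, showing how an administrator would check the rule's current state, turn it on explicitly, and review what Defender has recently blocked. The rule GUID and the ASR event IDs (1121 for a block, 1122 for an audit-mode hit) are taken from Microsoft's ASR documentation, not from this page; the `-AttackSurfaceReductionOnlyExclusions` parameter is the documented way to exempt a process that turns out to be legitimate.

```powershell
# Added example (not the article's or Microsoft's code). Run from an elevated PowerShell.
# GUID of the ASR rule "Block credential stealing from the Windows local security
# authority subsystem (lsass.exe)", per Microsoft's ASR reference (assumption, not on the page).
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# 1. Report how the rule is currently configured on this machine.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$state   = 'Not configured (Defender default applies)'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassRuleId) {
        # Action codes documented for ASR rules: 0 Disabled, 1 Block, 2 Audit, 6 Warn
        $state = switch ($actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
            default { "Unknown ($($actions[$i]))" }
        }
    }
}
Write-Host "LSASS ASR rule state: $state"

# 2. Enforce the rule explicitly so a local "turn it off manually" change is reverted.
if ($state -ne 'Block') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Host 'Rule set to Block.'
}

# 3. Show recent ASR events for this rule from the Defender operational log.
#    1121 = blocked, 1122 = audited (would have been blocked in Block mode).
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} | Where-Object { $_.Message -match $LsassRuleId }

if (-not $events) {
    Write-Host 'No recent LSASS ASR events.'
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-List
}

# 4. If a blocked process is verified as legitimate (the extra "notifications" the article
#    mentions), exempt only that binary from ASR rather than disabling the rule.
#    Example path is a placeholder; replace it with the verified executable.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Vendor\agent.exe'
```

Exclusions apply to all ASR rules for that path, so reviewing the 1121 events before adding one is the part that keeps the rule meaningful: a blanket exclusion for a backup or monitoring agent re-opens exactly the LSASS access the rule exists to stop.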
