Windows-itpro-docs: Block credential stealing from the Windows local security authority subsystem (lsass.exe) vs Credential Guard

Created on 29 Dec 2020 · 5 Comments · Source: MicrosoftDocs/windows-itpro-docs

Is this the same setting as enabling Credential Guard via GPO? (Admin Template/System/Device Guard/Turn on Virtualization Based Security/Credential Guard Configuration)

The description makes it seem like it's an alternative to Credential Guard but I don't understand in what way it would be.

Thanks

defender for endpoint

All 5 comments

Hello @zerrikan. Thank you for posting your question. Can you please tell us to which article this applies? This information will help us route the issue to the correct writer/team.

@zerrikan My understanding is that Credential Guard uses the same principle, but it does more than what that specific ASR rule does. As the article also states, the ASR Rule can be used in scenarios where Credential Guard cannot be enabled, for whatever reason.

This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).

LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

Thank you! I assume that Windows Defender has to be enabled for this to function as well?

Thank you! I assume that Windows Defender has to be enabled for this to function as well?

Correct -> https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq#does-asr-support-third-party-security-solutions

Does ASR support third-party security solutions?
ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
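
A defender-side check of the three things this thread discusses, as an added example that is not part of the original thread or of Microsoft's documentation: whether Credential Guard is running, whether Microsoft Defender Antivirus is active, and what state the LSASS ASR rule is in. The function name is hypothetical; the rule GUID and the action codes (0 disabled, 1 block, 2 audit, 6 warn) do not appear on this page and come from Microsoft's ASR rules reference.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on Windows 10/11.
# GUID of the ASR rule "Block credential stealing from the Windows local security
# authority subsystem (lsass.exe)", as listed in Microsoft's ASR rules reference.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-LsassProtectionStatus {   # hypothetical helper name
    # Credential Guard: Win32_DeviceGuard lists the running VBS services; 1 = Credential Guard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # ASR blocks through Microsoft Defender Antivirus, so confirm it is active.
    $av = Get-MpComputerStatus
    $avActive = [bool]($av.AntivirusEnabled -and $av.RealTimeProtectionEnabled)

    # Rule IDs and their actions are stored as parallel arrays in the Defender preferences.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $state   = 'Not configured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -and $ids[$i] -ieq $LsassRuleId) {
            $code  = [int]$actions[$i]
            $state = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown ($code)" }
        }
    }

    # The rule only blocks when it is set to Block and Defender Antivirus is active.
    $ruleEnforced = ($avActive -and $state -eq 'Block')

    [pscustomobject]@{
        CredentialGuardRunning = $cgRunning
        DefenderAvActive       = $avActive
        LsassAsrRuleState      = $state
        LsassAsrRuleEnforced   = $ruleEnforced
    }
}

Get-LsassProtectionStatus | Format-List
```

A host where `CredentialGuardRunning` and `LsassAsrRuleEnforced` are both false has neither of the two LSASS protections described above in effect.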
