Microsoft is adding a feature to Defender that can block access to the Local Security Authority Server Service. This closes an important way of leaking passwords from Windows.
It concerns an attack surface reduction (ASR) rule that Microsoft is adding to Defender. The rule ensures that attackers can no longer make memory dumps of lsass.exe, the process of the Local Security Authority Server Service. The Local Security Authority is the Windows service that authenticates users at login, but attackers can abuse it by extracting plaintext passwords and NTLM hashes from a memory dump of the process. The new feature prevents this.
Defender's built-in credential protection feature, Credential Guard, usually prevents such dumps. Microsoft has now added a new rule that works even when Credential Guard is disabled. That is often the case in companies, because Credential Guard can cause problems with smart card drivers or other software. The new rule prevents all processes from accessing lsass.exe, even if they have administrator rights.
The feature will now be enabled by default for all users; they can turn it off manually. All other ASR rules remain disabled by default, according to Microsoft. Microsoft warns that companies may see more notifications in their logs about blocked login attempts by other processes. The company says it has implemented additional filtering rules that reduce the number of reports.
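As an added example that is not part of the original article, the PowerShell below checks how the lsass ASR rule is configured on a host and pulls the Defender events the article says administrators may see more of. The rule GUID, the cmdlet parameter names, the action codes and the event IDs are Microsoft's documented values and are not taken from the page; the Defender operational log name is likewise assumed from Microsoft's documentation.

```powershell
# Added example (not from the article): inspect the Defender ASR rule that
# blocks credential theft from lsass.exe, and review the events it generates.
# Run in an elevated PowerShell session on a host with Microsoft Defender Antivirus.

# Documented GUID of the ASR rule "Block credential stealing from the Windows
# local security authority subsystem (lsass.exe)" (value is not on the page).
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-LsassAsrRuleState {
    # Returns the configured action for the rule as a readable string.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            # Documented action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
            switch ($actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown ($($actions[$i]))" }
            }
        }
    }
    # Not explicitly configured: the default described in the article applies.
    return 'Not configured (default applies)'
}

function Get-LsassAsrEvents {
    param([int]$Hours = 24)
    # 1121 = ASR rule blocked an action; 1122 = audit mode, would have blocked.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $LsassRuleId } |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
            Message
}

"lsass ASR rule state: $(Get-LsassAsrRuleState)"
Get-LsassAsrEvents -Hours 24 | Format-Table -AutoSize -Wrap

# To measure notification volume before enforcing, the rule can be switched to
# audit mode (events 1122 instead of blocks); 'Enabled' restores blocking:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRuleId -AttackSurfaceReductionRules_Actions AuditMode
```

Each 1121/1122 event names the process that tried to open lsass.exe, which is what a defender needs to separate legitimate tooling from a credential dump attempt.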