Windows Credentials

strawgate edited this page May 3, 2016 · 1 revision
Clone this wiki locally

Overview

The Windows Credentials content aims to inform administrators of what is at stake if a specific endpoint becomes compromised. It consists of just one fixlet and one action but can save an organization a tremendous amount of trouble when assessing a stolen or compromised device.

The steps to begin using the Windows Credential Leak content is to:

  1. Action the Credential Probe Fixlet (no passwords ever viewed or stored by the fixlet) as a policy action
  2. Enable the Windows Credentials Analysis

Implementation

Action the Credential Probe Fixlet

To begin assessing the risk of a Windows endpoint loss you should create a policy action with Fixlet: Invoke - Windows Cached Credentials Probe - Windows

These should be actioned to reapply whenever relevant waiting whatever time span you consider to be an acceptable age of the data regarding Windows Credentials. The system impact for these fixlets is minimal so applying even hourly is fine.

Enable the Windows Credentials Analysis

To gather the data from the probe simply activate Analysis: Credentials - Cached Login Creds - Windows

Warnings

There are warning fixlets that point out potentially insecure configurations related to credentials. If these are relevant in your environment carefully consider the description of the fixlet before proceeding.