The Windows Credentials content aims to inform administrators of what is at stake if a specific endpoint becomes compromised. It consists of just one fixlet and one action but can save an organization a tremendous amount of trouble when assessing a stolen or compromised device.
To begin using the Windows Credential Leak content:
- Action the Credential Probe Fixlet as a policy action (the fixlet never views or stores passwords)
- Enable the Windows Credentials Analysis
Action the Credential Probe Fixlet
To begin assessing the risk of a Windows endpoint loss, create a policy action with Fixlet: Invoke - Windows Cached Credentials Probe - Windows
Set the action to reapply whenever it becomes relevant, waiting between reapplications for whatever time span you consider an acceptable age for the Windows Credentials data. The system impact is minimal, so applying even hourly is fine.
Enable the Windows Credentials Analysis
To gather the data from the probe, simply activate Analysis: Credentials - Cached Login Creds - Windows
There are also warning fixlets that point out potentially insecure configurations related to credentials. If these are relevant in your environment, carefully consider the description of each fixlet before proceeding.