Finding ID | Version | Rule ID | IA Controls | Severity
---|---|---|---|---
V-73497 | WN16-CC-000030 | SV-88149r1_rule | | Medium
Description
---
When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures that it stays disabled.
STIG | Date
---|---
Windows Server 2016 Security Technical Implementation Guide | 2017-05-18
Check Text (C-73571r1_chk)
---
If the following registry value does not exist or is not configured as specified, this is a finding.

- Registry Hive: HKEY_LOCAL_MACHINE
- Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\
- Value Name: UseLogonCredential
- Type: REG_DWORD
- Value: 0x00000000 (0)
Fix Text (F-79939r1_fix)
---
Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.