Skip to content

Commit 71bc31b

Browse files
paulinbarpaulinbar
authored
Update date and default state for LSASS rule
Corrected incorrect statement about default value.
1 parent 84ffc40 commit 71bc31b

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

defender-endpoint/attack-surface-reduction-rules-reference.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ ms.collection:
1515
- m365-security
1616
- tier2
1717
- mde-asr
18-
ms.date: 10/20/2025
18+
ms.date: 11/01/2025
1919
search.appverid: met150
2020
appliesto:
2121
- Microsoft Defender for Endpoint Plan 2
@@ -333,7 +333,7 @@ This rule helps prevent credential stealing by locking down Local Security Autho
333333

334334
LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. Some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
335335

336-
By default the state of this rule is set to block. In most cases, many processes make calls to LSASS for access rights that aren't needed. For example, such as when the initial block from the ASR rule results in a subsequent call for a lesser privilege which then succeeds. For information about the types of rights that are typically requested in process calls to LSASS, see [Process Security and Access Rights](/windows/win32/procthread/process-security-and-access-rights).
336+
By default the state of this rule is set to *not configured* (disabled). In most cases, many processes make calls to LSASS for access rights that aren't needed. For example, such as when the initial block from the ASR rule results in a subsequent call for a lesser privilege which then succeeds. For information about the types of rights that are typically requested in process calls to LSASS, see [Process Security and Access Rights](/windows/win32/procthread/process-security-and-access-rights).
337337

338338
Enabling this rule doesn't provide additional protection if you have LSA protection enabled since the ASR rule and LSA protection work similarly. However, when LSA protection can't be enabled, this rule can be configured to provide equivalent protection against malware that target `lsass.exe`.
339339

0 commit comments

Comments
 (0)