STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Microsoft Defender Antivirus Security Technical Implementation Guide

V-278648

CAT II (Medium)

Microsoft Defender AV must block credential stealing from the Windows local security authority subsystem.

Rule ID

SV-278648r1190728_rule

STIG

Microsoft Defender Antivirus Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-001170

Discussion

This policy setting helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).

Check Content

Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Microsoft Defender Exploit Guard >> Attack Surface Reduction >> Configure Attack Surface Reduction rules is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key: 
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules

Criteria: If the value "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" is REG_SZ = 1, this is not a finding.

If the value is other than 1, this is a finding.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Microsoft Defender Exploit Guard >> Attack Surface Reduction >> Configure Attack Surface Reduction rules to "Enabled".

Under the policy option "Set the state for each ASR rule:", then click "Show".

Enter GUID "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" in the "Value Name" column.

Enter "1" in the "Value" column.