Windows Credential Theft Mitigation Guide Abstract

This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the Microsoft Download Center. This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages:

  • Identify high-value assets
  • Protect against known and unknown threats
  • Detect pass-the-hash and related attacks
  • Respond to suspicious activity
  • Recover from a breach

Security stages.

Attacks that steal credentials

Learn about the different types of attacks that are used to steal credentials, and the factors that can place your organization at risk. The types of attacks that are covered include:

  • Pass the hash
  • Kerberos pass the ticket
  • Kerberos golden ticket and silver ticket
  • Key loggers
  • Shoulder surfing

Credential protection strategies

This part of the guide helps you consider the mindset of the attacker, with prescriptive guidance about how to prioritize high-value accounts and computers. You'll learn how to architect a defense against credential theft:

  • Establish a containment model for account privileges
  • Harden and restrict administrative hosts
  • Ensure that security configurations and best practices are implemented

Technical countermeasures for credential theft

Objectives and expected outcomes are covered for each of these countermeasures:

  • Use Windows 10 with Credential Guard
  • Restrict and protect high-privilege domain accounts
  • Restrict and protect local accounts with administrative privileges
  • Restrict inbound network traffic

Many other countermeasures are also covered, such as using Microsoft Passport and Windows Hello, or multifactor authentication.

Detecting credential attacks

This section covers how to detect the use of stolen credentials and how to collect computer events to help you detect credential theft.

Responding to suspicious activity

Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach.