
How to detect and halt credential theft via Windows WDigest

by ethhack

Once attackers get into a system, they often want to elevate privileges or harvest credentials. One way they do this is by finding the legacy WDigest authentication protocol left enabled and forgotten on servers. On Windows Server releases prior to Server 2012 R2, WDigest credential caching is enabled by default. While it is enabled, Lsass.exe retains a copy of each logged-on user's plaintext password in memory, where it is at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.

Setting the UseLogonCredential value to 0 tells WDigest not to store credentials in memory. On a Server 2008 R2 system this value does not exist by default. To add it, open the Registry Editor, navigate under HKEY_LOCAL_MACHINE to the key noted below, right-click, choose "New," then "DWORD (32-bit) Value," and name the new value UseLogonCredential.

Adding this registry value clears passwords from memory:

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

Value: UseLogonCredential, a REG_DWORD set to 0
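The same check and fix, scripted so it can be run across a server estate rather than clicked through in the Registry Editor. This is an added example and not part of the original article; it assumes it runs in an elevated PowerShell session on the host being audited, and it assumes the default behaviour described above (an absent value means caching is on for builds older than Windows 8.1 / Server 2012 R2 and off for newer ones). The function names Get-WDigestCachingState and Disable-WDigestCaching are this example's own.

```powershell
# Added example (not the article's own code): audit WDigest plaintext
# credential caching and set UseLogonCredential = 0 where it is in effect.
# Assumes an elevated session on the host being checked.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName = 'UseLogonCredential'

function Get-WDigestCachingState {
    # Windows 8.1 / Server 2012 R2 is kernel version 6.3; from there on an
    # absent value means caching is off. Older builds cache unless told not to.
    $osVersion     = [Version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $modernDefault = $osVersion -ge [Version]'6.3'

    $item  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$ValueName } else { $null }

    if ($null -eq $value) {
        $cachingEnabled = -not $modernDefault   # fall back to the OS default
    } elseif ($value -eq 0) {
        $cachingEnabled = $false                # explicitly disabled
    } else {
        $cachingEnabled = $true                 # explicitly (re-)enabled: worth an alert
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $osVersion.ToString()
        ValuePresent       = ($null -ne $value)
        UseLogonCredential = $value
        PlaintextCaching   = $cachingEnabled
    }
}

function Disable-WDigestCaching {
    # Create the key if it is missing, then write the REG_DWORD 0 the article describes.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
}

$before = Get-WDigestCachingState
$before | Format-List

if ($before.PlaintextCaching) {
    Write-Warning "WDigest plaintext caching is in effect on $($before.ComputerName); setting $ValueName = 0"
    Disable-WDigestCaching
    Get-WDigestCachingState | Format-List
} else {
    Write-Output 'WDigest plaintext caching is already disabled.'
}
```

Two practical notes. First, the value governs new logons: credentials already held by Lsass.exe for existing sessions stay there until those sessions end or the host is restarted, so schedule a reboot after the change. Second, an explicit value of 1 is the state a defender should treat as a finding, and auditing writes to this key (Windows object-access auditing on the key, or any registry-monitoring tool) catches the value being changed back after it has been set to 0.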
