noid-privacy/Modules/AdvancedSecurity/Config/Credentials.json

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Credential Protection Configuration",
  "description": "Configuration for credential hardening including WDigest protection",
  "version": "2.2.0",
  
  "WDigest_Protection": {
    "description": "Prevent WDigest from storing plaintext passwords in LSASS memory",
    "enabled": true,
    "deprecated_in": "Windows 11 24H2",
    "status": "Deprecated in Win11 24H2+ but kept for backwards compatibility and defense-in-depth",
    
    "registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
    "settings": {
      "UseLogonCredential": {
        "description": "Control whether WDigest stores credentials in memory",
        "value": 0,
        "type": "DWORD",
        "values": {
          "0": "Secure - Do NOT store plaintext credentials in memory",
          "1": "Insecure - Store plaintext credentials in memory (VULNERABLE!)"
        },
        "attack_prevention": [
          "Prevents Mimikatz from dumping plaintext passwords",
          "Prevents Windows Credential Editor (WCE) attacks",
          "Prevents other memory-dumping credential theft tools"
        ],
        "impact": "None - Modern systems (Win 8.1+) already default to 0"
      }
    },
    
    "default_behavior": {
      "Windows_7": 1,
      "Windows_8": 1,
      "Windows_8.1": 0,
      "Windows_10": 0,
      "Windows_11": 0,
      "Windows_11_24H2_plus": "Setting ignored (deprecated)"
    },
    
    "rationale": {
      "why_set_if_deprecated": [
        "Protects older Windows versions (Win7/8/Server 2008/2012)",
        "Protects early Win10/11 builds that may not be fully patched",
        "Defense-in-depth: Explicit is better than implicit",
        "Ensures compatibility in mixed environments",
        "No negative impact on Win11 24H2+ (setting is ignored)"
      ]
    },
    
    "microsoft_advisory": {
      "kb_article": "KB2871997",
      "date": "May 2014",
      "title": "Update to improve credentials protection and management",
      "url": "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
      "baseline_removal": {
        "version": "Windows 11 25H2 Security Baseline",
        "reason": "Engineering teams deprecated this policy in Windows 11 24H2",
        "url": "https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-11-version-25h2-security-baseline/4456231"
      }
    }
  },
  
  "Profiles": {
    "Balanced": true,
    "Enterprise": true,
    "Maximum": true
  },
  
  "Compatibility": {
    "windows_versions": ["All Windows versions"],
    "notes": [
      "Setting is ignored on Windows 11 24H2+ (deprecated)",
      "No compatibility issues or breakage on any Windows version",
      "Recommended for all profiles for defense-in-depth"
    ]
  }
}
v2.2.0 - Complete Security Hardening Framework (632 Settings) 2025-12-08 10:32:49 +01:00			`{`
			`"$schema": "http://json-schema.org/draft-07/schema#",`
			`"title": "Credential Protection Configuration",`
			`"description": "Configuration for credential hardening including WDigest protection",`
			`"version": "2.2.0",`

			`"WDigest_Protection": {`
			`"description": "Prevent WDigest from storing plaintext passwords in LSASS memory",`
			`"enabled": true,`
			`"deprecated_in": "Windows 11 24H2",`
			`"status": "Deprecated in Win11 24H2+ but kept for backwards compatibility and defense-in-depth",`

			`"registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",`
			`"settings": {`
			`"UseLogonCredential": {`
			`"description": "Control whether WDigest stores credentials in memory",`
			`"value": 0,`
			`"type": "DWORD",`
			`"values": {`
			`"0": "Secure - Do NOT store plaintext credentials in memory",`
			`"1": "Insecure - Store plaintext credentials in memory (VULNERABLE!)"`
			`},`
			`"attack_prevention": [`
			`"Prevents Mimikatz from dumping plaintext passwords",`
			`"Prevents Windows Credential Editor (WCE) attacks",`
			`"Prevents other memory-dumping credential theft tools"`
			`],`
			`"impact": "None - Modern systems (Win 8.1+) already default to 0"`
			`}`
			`},`

			`"default_behavior": {`
			`"Windows_7": 1,`
			`"Windows_8": 1,`
			`"Windows_8.1": 0,`
			`"Windows_10": 0,`
			`"Windows_11": 0,`
			`"Windows_11_24H2_plus": "Setting ignored (deprecated)"`
			`},`

			`"rationale": {`
			`"why_set_if_deprecated": [`
			`"Protects older Windows versions (Win7/8/Server 2008/2012)",`
			`"Protects early Win10/11 builds that may not be fully patched",`
			`"Defense-in-depth: Explicit is better than implicit",`
			`"Ensures compatibility in mixed environments",`
			`"No negative impact on Win11 24H2+ (setting is ignored)"`
			`]`
			`},`

			`"microsoft_advisory": {`
			`"kb_article": "KB2871997",`
			`"date": "May 2014",`
			`"title": "Update to improve credentials protection and management",`
			`"url": "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",`
			`"baseline_removal": {`
			`"version": "Windows 11 25H2 Security Baseline",`
			`"reason": "Engineering teams deprecated this policy in Windows 11 24H2",`
			`"url": "https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-11-version-25h2-security-baseline/4456231"`
			`}`
			`}`
			`},`

			`"Profiles": {`
			`"Balanced": true,`
			`"Enterprise": true,`
			`"Maximum": true`
			`},`

			`"Compatibility": {`
			`"windows_versions": ["All Windows versions"],`
			`"notes": [`
			`"Setting is ignored on Windows 11 24H2+ (deprecated)",`
			`"No compatibility issues or breakage on any Windows version",`
			`"Recommended for all profiles for defense-in-depth"`
			`]`
			`}`
			`}`