Disable 'WDigest Authentication'

When the WDigest Authentication protocol is enabled, plain text passwords are stored in the memory of the Local Security Authority Subsystem Service (LSASS), exposing them to theft.

Potential risk

Disabling this setting will prevent WDigest from storing credentials in memory.

Remediation options

Option 1 - Set the following registry value:

To the following REG_DWORD value: 0

Option 2 - Set the following Group Policy:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDigest Authentication (disabling may require KB2871997)

To the following value: Disabled
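
One way to audit Option 1 and apply it, as an added example that is not part of the original page. The page does not give the registry location, so the key path and value name used as defaults here are an assumption: they are the ones Microsoft documents for WDigest alongside KB2871997.

```powershell
# Added example: audit, and optionally remediate, the WDigest credential-caching setting.
# ASSUMPTION: the default key path and value name are not taken from this page; they are
# the ones Microsoft documents for WDigest alongside KB2871997.
param(
    [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest',
    [string]$Name = 'UseLogonCredential',
    [switch]$Remediate
)

function Get-WDigestState {
    param([string]$Path, [string]$Name)

    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the OS default applies. Windows 8.1 / Server 2012 R2 (6.3) and
        # later default to not caching; earlier releases cache unless the value is 0.
        if ([Environment]::OSVersion.Version -ge [Version]'6.3') {
            return 'NotSet-DefaultDisabled'
        }
        return 'NotSet-DefaultEnabled'
    }
    if ($item.$Name -eq 0) { return 'Disabled' }
    return 'Enabled'
}

$state = Get-WDigestState -Path $Path -Name $Name
Write-Output "WDigest credential caching: $state"

if ($Remediate -and $state -ne 'Disabled') {
    # Requires an elevated session. Create the key if missing, then write REG_DWORD 0
    # so the setting is explicit rather than relying on the OS default.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
    $after = Get-WDigestState -Path $Path -Name $Name
    Write-Output "Set $Name to 0; new state: $after"
}
```

Run it without switches to report the current state; add `-Remediate` from an elevated prompt to write the value.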