MS KB2871997: Update to Improve Credentials Protection and Management

Nessus Output:

The remote host is missing one or more of the following Microsoft updates: KB2871997, KB2973351, KB2975625, KB2982378, KB2984972, KB2984976, KB2984981, KB2973501, or KB3126593. 
These updates are needed to improve the protection against possible credential theft.
- For Windows 7 / 2008 R2 :
KB2984972, KB2871997, KB2982378, and KB2973351 are required; also, KB2984976 (if KB2592687 is installed) or KB2984981 (if KB2830477 is installed).
- For Windows 8 / 2012 :
KB2973501, KB2871997, and KB2973351 are required.
- For Windows 8.1 / 2012 R2 :
KB2973351 (if Update 1 is installed) or KB2975625 (if Update 1 isn't installed).
These updates provide additional protection for the Local Security Authority (LSA), add a restricted administrative mode for Credential Security Support Provider (CredSSP), introduce support for the protected account-restricted domain user category, enforce stricter authentication policies, add additional protection for users' credentials, and add a restricted administrative mode for Remote Desktop Connection and Remote Desktop Protocol.
Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.

A required registry setting is missing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0
More information:

Manual verification

REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v "UseLogonCredential"

Manual fix

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /f /v "UseLogonCredential" /t REG_DWORD /d 0x0
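
To check both findings from the Nessus output on the local host in one pass, the following PowerShell sketch is an added example, not part of the original page or of Nessus. The function names are hypothetical, and the Windows 8.1 / 2012 R2 branch is simplified to accept either KB instead of detecting whether Update 1 is installed.

```powershell
# Added example: local audit of the WDigest value and the KBs named in the
# Nessus output. Function names are hypothetical. Run from an elevated prompt.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Test-WDigestDisabled {
    # Pass only when the value exists AND equals 0. A missing value fails,
    # matching the CAN_NOT_BE_NULL option of the audit item.
    $prop = Get-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    return ($null -ne $prop) -and ($prop.UseLogonCredential -eq 0)
}

function Get-MissingKb {
    param([string]$OsVersion, [string[]]$Installed)
    $required = @()
    switch -Wildcard ($OsVersion) {
        '6.1.*' {   # Windows 7 / 2008 R2
            $required = @('KB2984972', 'KB2871997', 'KB2982378', 'KB2973351')
            if ($Installed -contains 'KB2592687') { $required += 'KB2984976' }
            if ($Installed -contains 'KB2830477') { $required += 'KB2984981' }
        }
        '6.2.*' {   # Windows 8 / 2012
            $required = @('KB2973501', 'KB2871997', 'KB2973351')
        }
        '6.3.*' {   # Windows 8.1 / 2012 R2 (simplified: either KB is accepted)
            if (-not (($Installed -contains 'KB2973351') -or ($Installed -contains 'KB2975625'))) {
                $required = @('KB2973351 or KB2975625')
            }
        }
    }
    # Anything required that is not in the installed list is reported.
    return @($required | Where-Object { $Installed -notcontains $_ })
}

# Get-WmiObject is used so the script also runs on PowerShell 2.0 (Windows 7).
$os        = (Get-WmiObject -Class Win32_OperatingSystem).Version
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$missing   = @(Get-MissingKb -OsVersion $os -Installed $installed)

"OS version: $os"
"UseLogonCredential present and set to 0: $(Test-WDigestDisabled)"
if ($missing.Count -gt 0) {
    "Missing updates: $($missing -join ', ')"
} else {
    'None of the updates required for this OS version are missing.'
}
```

Get-HotFix reports only what Win32_QuickFixEngineering records, so confirm a reported miss in the update history before treating it as final.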

Fix via Group Policy

Create a Group Policy registry preference:

Or via the Pass the Hash mitigations security templates

You can download the admx files here:

Check via Nessus Auditfile

<custom_item>
 type : REGISTRY_SETTING
 description : "CCE-38444-6:Set 'WDigest Authentication' to 'Disabled'"
 value_type : POLICY_DWORD
 reg_key : "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
 reg_item : "UseLogonCredential"
 value_data : 0
 reg_option : CAN_NOT_BE_NULL
</custom_item>