Join Pete Zerger for an in-depth discussion in this video Manage Credential Guard, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Unauthorized access to secrets stored in memory can lead to credential theft attacks such as pass-the-hash or pass-the-ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. By default, the hash of any password you've used on a system, whether it's the one you used to log into the computer or one you right-clicked and selected Run as with, is stored in memory unencrypted.
Although separate from Device Guard, the Credential Guard feature also leverages virtual secure mode by placing an isolated version of the Local Security Authority, the LSA or LSASS process, under its protection. The LSA performs a number of security-sensitive operations, the main one being the storage and management of user and system credentials, hence the name Credential Guard. Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and the breadth of pass-the-hash style attacks in the event that malicious code is already running locally or on the trusted network.
It works by effectively isolating the process that manages the credentials in an isolated, protected run space. Remote Credential Guard actually extends this concept to protect user credentials in remote desktop connections. Credential Guard is enabled by configuring virtual secure mode and configuring the Virtualization Based Security group policy setting with Credential Guard configured to be enabled. The Enabled with UEFI lock option prevents remotely disabling Credential Guard.
Once this is done, you can easily check if the Credential Guard feature is enabled by launching the System Information applet, msinfo32, and viewing the Device Guard setting shown here. You can also check for the presence of the LsaIso process, which is running in virtual secure mode. Credential Guard brings multiple security-related features to the table, including hardware security, where Kerberos and Credential Manager take advantage of platform security features including Secure Boot and virtualization to protect credentials.
Virtualization Based Security, where Windows NTLM and Kerberos-derived credentials and other secrets run in a protected environment that isolates them from the running operating system. Better protection against advanced persistent threats. When Credential Manager domain credentials and NTLM and Kerberos-derived credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are now blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS.
To provide basic protections against OS-level attempts to read Credential Manager domain credentials, Credential Guard requires a number of prerequisites. Virtualization-based security support is required, Secure Boot is required, a Trusted Platform Module or TPM is required, minimum version 1.2, and the firmware option is preferred as that provides binding to the hardware. UEFI lock is not required, but it's definitely preferred as it prevents attackers from disabling Credential Guard with a simple registry change.
It's important to note there are a few scenarios where Credential Guard will actually break existing functionality present in a typical enterprise. Specifically, unconstrained delegation. Credential Guard doesn't allow unconstrained Kerberos delegation, NTLMv1, MS-CHAP, or Digest. Kerberos DES encryption is also disallowed, and most commonly, Wi-Fi MS-CHAPv2 with PEAP must be flipped to use certificate-based authentication if it's expected to continue functioning.
Basically, Credential Guard disallows a variety of less-than-secure configurations involving legacy protocols. So while Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate Device Guard and other security strategies into your architecture as part of a layered defense.
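The msinfo32 and LsaIso checks described in the video can be scripted for fleet-wide verification. The following PowerShell is an added example, not part of the course or Microsoft's own tooling: it reads the documented Win32_DeviceGuard WMI class (the same data msinfo32 shows under Device Guard), the LsaCfgFlags registry value that mirrors the group policy setting, the LsaIso process, and the Secure Boot and TPM prerequisites, and it shows the registry values that correspond to the "Enabled with UEFI lock" policy option. The function names and the output shape are this example's own choices; the registry paths, value names and WMI class are the documented ones.

```powershell
# Added example (not from the course). Run in an elevated PowerShell session
# on Windows 10/11 or Windows Server 2016+.

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard exposes what msinfo32 displays under "Device Guard".
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # SecurityServicesConfigured / SecurityServicesRunning:
    #   1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # LsaCfgFlags mirrors the policy: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = disabled
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsaCfg = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    # LsaIso.exe only exists while the isolated LSA is running inside virtual secure mode.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    # Prerequisites: Secure Boot (throws on legacy BIOS, hence SilentlyContinue) and a TPM.
    $secureBoot = Confirm-SecureBootUEFI -ErrorAction SilentlyContinue
    $tpm        = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaCfgFlags               = $lsaCfg
        UefiLock                  = ($lsaCfg -eq 1)
        LsaIsoProcessPresent      = [bool]$lsaIso
        SecureBootEnabled         = [bool]$secureBoot
        TpmPresent                = [bool]$tpm.TpmPresent
    }
}

function Enable-CredentialGuardRegistry {
    # Registry equivalent of the "Turn On Virtualization Based Security" policy with
    # Credential Guard enabled; group policy remains the preferred delivery mechanism.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$UefiLock,      # 1 = Enabled with UEFI lock, 2 = Enabled without lock
        [switch]$DmaProtection  # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if ($PSCmdlet.ShouldProcess('Credential Guard registry settings', 'Set')) {
        New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity `
            -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures `
            -PropertyType DWord -Value $(if ($DmaProtection) { 3 } else { 1 }) -Force | Out-Null
        New-ItemProperty -Path $lsaKey -Name LsaCfgFlags `
            -PropertyType DWord -Value $(if ($UefiLock) { 1 } else { 2 }) -Force | Out-Null
        Write-Output 'Credential Guard registry values set; a reboot is required to take effect.'
    }
}

# Report the current state; a healthy Credential Guard machine shows VbsRunning,
# CredentialGuardRunning and LsaIsoProcessPresent all True.
Get-CredentialGuardStatus | Format-List
```

A useful operational check is the gap between CredentialGuardConfigured and CredentialGuardRunning: a machine that is configured but not running (for example because Secure Boot or the TPM prerequisite is missing) passes a policy audit but gives none of the protection described above, and will also show no LsaIso process. Running `Enable-CredentialGuardRegistry -UefiLock -WhatIf` previews the registry changes without applying them.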