From the course: Securing Windows Server 2016: Managing Privileged Identities

Protect credentials - Windows Server Tutorial


Protect credentials

- [Narrator] Credentials are like the keys to an account. Attackers are always attempting to harvest these credentials when compromising a network. So, you really want to make sure you do whatever you can to help protect those credentials from being harvested. There are a few different things that you can do, and one is something called Credential Guard. Now Credential Guard uses virtualization-based security that allows you to isolate secrets, such as cached credentials, so that only specially privileged system software can access them. In virtualization-based security, specific processes and the memory associated with those processes belong to a separate operating system, and this operating system runs in parallel with, but is independent of, the host operating system. This other operating system will then protect these processes from attempts by any external entity to read information that those particular processes store and use. So let's take a quick look at how we would configure Credential Guard. Now the first thing I will tell you is Credential Guard does require Windows Server 2016 or Windows 10, alright. So here, I do want to take us over to a Windows Server 2016 domain controller. Alright, so I have DC1, let's go there now. Here in Server Manager on DC1 what I'm gonna do is I'm gonna go up to the Tools menu and I wanna select Group Policy Management, because this is all gonna be managed through Group Policy settings. Here in Group Policy Management I'm just gonna go ahead and expand my way down until I find any policy. So here I have my Default Domain Policy. I'm gonna right-click and I'm gonna edit. And I'm doing this for the purposes of showing you where to go. With group policies, very often you wanna create your own separate group policies depending on what action you're performing.
So here in the Group Policy Management Editor, the first thing I'm gonna do to enable Credential Guard is I have to configure a setting called Turn On Virtualization Based Security. Alright, now where do I find that? Well, I find that under Computer Configuration, Policies, Administrative Templates, System, and I'm gonna move this bar over so we can see how we're making our way down. Inside System we have Device Guard. Then here you will see there's a setting for Turn On Virtualization Based Security. If I double-click to go into it and I enable it, you'll see down at the bottom of this window on the left-hand side you have Credential Guard Configuration. I can go ahead and I can enable it, either with UEFI lock or without the lock. So what does that mean? Well, let me scroll down the little help window here to the bottom and you'll see here that it says that if you enable it with the UEFI lock, this will ensure that Credential Guard cannot be disabled remotely. In order to disable it you have to set the group policy that we're looking at right now to Disabled and remove the security functionality from each computer with a physically present user. If you enable it without the lock, this option allows Credential Guard to be disabled remotely, okay. So that's the difference: whether you want to require somebody locally or whether it can be disabled remotely. Alright, so that's how you would turn on Credential Guard. So what else can we do? Well, another thing that we could do is something called NTLM blocking. The NTLM authentication protocol is much less secure than Kerberos. Okay, so we may want to block the use of the older, more antiquated authentication. So the first thing that we wanna do, let me go ahead and jump back into Computer Configuration, Policies, but instead of going to Administrative Templates, this time I'm gonna go to Windows Settings.
Then I'm gonna jump down to Security Settings, and I'm gonna expand Local Policies and click on Security Options. Inside my Security Options, if I scroll down you'll see here there's a bunch of settings for Network security, and they're all related to Restrict NTLM. Now the first thing that I recommend you do before you actually restrict it is I recommend that you audit any NTLM authentication to see if anything happens, alright. So there's three places you can do this. One is this last one here that says Restrict NTLM: Outgoing NTLM traffic to remote servers. If I go into that one and define it, even though it says that you're restricting it, if you pull this down here you'll see that you can select Audit all. So I can choose to audit if there's any outgoing NTLM traffic. I want you to know I'm hitting Cancel here only because I'm not actually configuring this here; I'm just showing you where each of the settings are. The other thing you can do is, when it comes to incoming, there's an actual setting for Audit Incoming NTLM Traffic. So we can go in there, define the policy, and you can enable it for your domain accounts or even all accounts if you want to. From there we also have Audit NTLM authentication in this domain, where again you can enable it for domain accounts to domain servers, for all domain accounts, for all domain servers, or for all, period. So that's how you can go ahead and audit to see if you are currently using NTLM. To actually restrict it we're gonna jump down to this setting right here that says Restrict NTLM: NTLM authentication in this domain. When I go in here I can define this policy setting, and then I have a list here where I get to choose either Deny for domain accounts to domain servers, which is denying all NTLM authentication sign-in attempts for all servers in the domain that use domain accounts.
We can Deny for domain accounts, which denies all NTLM authentication attempts for domain accounts, versus domain servers, which means it's gonna deny the NTLM authentication for all servers in the domain. Or we can even Deny all, which ensures that all NTLM pass-through authentication requests for servers and accounts will be denied, period, across the board. So, that's how we can actually disable the use of NTLM and force Kerberos authentication everywhere in the domain. Alright, so there's one other thing I wanna show you, and I'm actually gonna close my Group Policy Editor 'cause it's not in there. We can close Group Policy Management altogether. I wanna show you something that's in a tool, I'm gonna jump back up to the Tools menu here in Server Manager, and it's in the Active Directory Administrative Center. Now this is a tool which is newer, but it performs a lot of similar functions to Active Directory Users and Computers, and it gives some added functionality. And one of the things that I want to point out is this ability to do a global search. There's a little down arrow here, over on the right, not the one up above where it talks about the scope but right below it. And here is where I can add some search criteria. And I wanna show you that there's some options here that it's a good idea to look at, to look out for problematic accounts. Okay, accounts that may be easily susceptible to having their credentials acquired for doing damage to your network. Here we have an option for users whose password has... I know it says an expiration date/no expiration date; the idea here is when you set up a user account you can actually put on their account that their password never expires. Those are very dangerous accounts, okay, because they just have a static password that never changes. So if you wanna search for accounts that have that, you can do it right here.
Another great example would be users with enabled accounts who have not logged on for more than a given number of days. So you could pick a number of days that makes sense to you. You might say, hey, if I have an account here and nobody has logged into that account for 30 days, does that account still need to be in my network? Is this maybe a former employee? Maybe it's for an employee who had privileges and we need to get that out of there. These are the types of searches that we can do to go ahead and look for accounts that can be problematic. Alright, so I just wanted to show you that one nifty little component of the Active Directory Administrative Center. Because again, remember attackers are always going after users' credentials so that they can use those credentials to gain access to your network. So you wanna watch for accounts that are problematic, that maybe don't need to be there anymore or need to be more secured, and then from there you can do things like enable Credential Guard, and you can make sure that they only use Kerberos and disable NTLM authentication.
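The lesson above does everything in the GUI. As an added, read-only PowerShell example (not from the course), the script below checks the same three things from a domain-joined Windows Server 2016 or Windows 10 host: whether Credential Guard is actually running, what the local Restrict NTLM options resolve to in the registry and what the NTLM operational audit log has recorded, and the two Active Directory Administrative Center searches (password never expires, enabled accounts with no logon for N days). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the function names and the 30-day default are my own choices. The domain-wide "NTLM authentication in this domain" settings apply on domain controllers and are not read here.

```powershell
# Added example, not from the course. Read-only: nothing here changes a setting.
# Assumes: domain-joined host, RSAT ActiveDirectory module, PowerShell 5.1+.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# --- 1. Is Credential Guard (virtualization-based security) actually running? ---
# Win32_DeviceGuard reports SecurityServicesRunning / SecurityServicesConfigured;
# the value 1 in those arrays means Credential Guard (2 would be HVCI).
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) { return 'Credential Guard: Win32_DeviceGuard not available (older OS or no VBS support)' }
    if ($dg.SecurityServicesRunning -contains 1)    { return 'Credential Guard: running' }
    if ($dg.SecurityServicesConfigured -contains 1) { return 'Credential Guard: set by policy but not running (reboot, or a UEFI/Hyper-V prerequisite is missing)' }
    return 'Credential Guard: not configured'
}

# --- 2a. What do the local Restrict NTLM security options resolve to? ---
# The Security Options settings from the lesson are written to the MSV1_0 key.
# "not set" means the GPO has not defined that option on this machine.
function Get-NtlmRestrictionState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $names = [ordered]@{
        RestrictSendingNTLMTraffic   = 'Outgoing NTLM traffic to remote servers (0=allow, 1=audit all, 2=deny all)'
        AuditReceivingNTLMTraffic    = 'Audit incoming NTLM traffic (0=off, 1=domain accounts, 2=all accounts)'
        RestrictReceivingNTLMTraffic = 'Incoming NTLM traffic (0=allow all, 1=deny domain accounts, 2=deny all accounts)'
    }
    foreach ($n in $names.Keys) {
        $v = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
        [pscustomobject]@{
            Setting = $names[$n]
            Value   = if ($null -eq $v) { 'not set' } else { $v }
        }
    }
}

# --- 2b. Has auditing recorded any NTLM use? ---
# Once the audit options are on, events land in Microsoft-Windows-NTLM/Operational
# (8001 outgoing, 8002 incoming, 8003 domain, 8004 DC audit). Count per event ID.
function Get-NtlmAuditSummary {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

# --- 3. Problematic accounts: the two ADAC global searches from the lesson ---
function Get-PasswordNeverExpiresAccounts {
    # Enabled users whose password is flagged to never expire (static password).
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
               -Properties PasswordNeverExpires, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet, DistinguishedName
}

function Get-StaleEnabledAccounts {
    # Enabled users with no logon for more than $Days (threshold is your call, as in the lesson).
    # LastLogonDate comes from lastLogonTimestamp, which replicates with up to ~14 days
    # of lag, so treat anything under about two weeks as noise; 30 days is a sensible floor.
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
        Where-Object { $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# --- Run the report ---
Get-CredentialGuardState
Get-NtlmRestrictionState | Format-Table -AutoSize
Write-Host "NTLM audit events in the last 7 days (empty = none logged or auditing off):"
Get-NtlmAuditSummary | Format-Table -AutoSize
Write-Host "Enabled accounts whose password never expires:"
Get-PasswordNeverExpiresAccounts | Format-Table -AutoSize
Write-Host "Enabled accounts with no logon in 30+ days:"
Get-StaleEnabledAccounts -Days 30 | Format-Table -AutoSize
```

Run it as an account with read access to the domain; run it on a domain controller only if you also want the Credential Guard and NTLM registry checks to reflect that DC. The account lists are the candidates to review before you tighten the NTLM policy, since an account that has never logged on interactively but still authenticates over NTLM from a service is exactly what the audit-first step is meant to surface.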
