How to use credential guard in Windows 10
One of the proverbial gems in the crown of a successful attack is user credentials, and it is understandable why. Once an attacker has a compromised system’s credentials, most of the actions in furtherance of the attack can be performed without a high risk of detection.
A major vulnerability of previous Windows systems has been solved with Windows Defender Credential Guard. This article will detail how to use Credential Guard in Windows 10, including what Credential Guard is, Credential Guard prerequisites, the problem that Credential Guard solves, what Credential Guard brings to the table, how to manage Credential Guard and further considerations.
Learn Windows 10 Host Security
What is credential guard?
Windows Defender Credential Guard is a new security platform available in Windows 10. This new feature moves the information security field away from the days of questionable credential storage to the world of virtualization.
The easiest thing about using the Credential Guard feature is that once it is properly enabled, the feature will start working. Management is straightforward and simple: a few clicks into Group Policy and you’ll be up and running.
Credential guard prerequisites
- Windows 10 Enterprise, Windows Server 2016, Windows Server 2019
- UEFI without CSM enabled
- 64-bit Windows
- Secure Boot enabled
- Processor with both virtualization extensions and Secondary Level Address Translation
- TPM recommended (not required)
- Hyper-V turned on in Windows Features
What problem does Credential guard solve and how?
As mentioned above, there was an inherent problem with the way that credentials are stored on Windows systems before Windows 10 debuted Credential Guard (even some early Windows 10 versions). This is that Windows stores credentials in hash stores within the system’s Local Security Authority, or LSA, in memory.
This is an attractive target for attackers, who can gain access to the operating system and then access the LSA in credential theft attacks including Pass-the-Ticket and Pass-the-Hash. Once this happens, the attackers have the proverbial keys to your castle and the rest of your operating system.
Credential Guard solves this by storing credentials, Kerberos Ticket-Granting Tickets and NTLM password hashes as domain credentials with the combined effort of virtualization-based security and the isolated LSA process. It uses Virtual Secure Mode (VSM) where CPU virtualization extensions provide protection for areas of memory by creating a bubble of key process isolation apart from the regular operating system. This means that your operating system cannot read information on the VSM, effectively solving the problem of LSA stored credentials.
What does Credential Guard bring to the table?
OK, so you understand that Credential Guard protects credentials by storing them in a virtual environment where attackers and malicious hackers cannot access them even if they’ve made it into your operating system. Below is a summary of what Credential Guard brings to the table.
Credential Guard provides the following security features and solutions:
- Hardware security: Credential Guard’s platform security features protect NTLM, Kerberos and Credential Manager over and above previous security features by using virtualization and Secure Boot to leverage protection capabilities
- Virtualization-based security: App credentials, Windows NTLM, Kerberos-derived credentials and other user secrets are isolated from the operating system by running in a protected virtual environment
- Enhanced advanced persistent threat protection: When credentials and other secrets are protected by virtue of virtualization-based security, attacker techniques and tools commonly used to target systems are blocked. Even malware with administrative privileges in your operating system will not be able to extract credentials and secrets in the virtual environment
Managing Credential Guard in Windows 10
As mentioned earlier, using Credential Guard is easy in Windows 10. All you have to do is enable it properly and then it’s off to the races.
It should be noted that if your system already has Windows Sandbox enabled, your Credential Guard will be enabled by default. For those that do not have Windows Sandbox enabled, the following steps will enable it with Group Policy.
- Within Group Policy Editor, navigate to Computer Configuration → Administrative Templates → System → Device Guard
- Enable “turn on virtualization-based security”
- Under Select Platform Security Level, use the drop-down menu and select Secure Boot
- Click Apply and OK
- Force a Group Policy update (optional)
Credential Guard considerations
- If Credential Guard is enabled, older authentication protocols will not be useable, including NTLMv1, CredSSP, Digest and MS-CHAPv2
- Scheduled tasks that use stored credentials will fail if Credential Guard is enabled
- Windows 10 systems with Citrix applications installed will experience high CPU usage if Credential Guard is enabled
- DES encryption and unconstrained delegation are not allowed if Credential Guard is enabled
- Virtualization-based security protects its key with TPM: if the TPM is cleared, then protected information cannot be decrypted
- Java GSS API authentication will fail
- Credential Guard will not protect Windows server credential input pipelines
Conclusion
Windows 10 is the first version of Windows to offer next-generation credential protection with Credential Guard. Rather than storing credentials and secrets in the system’s memory (LSA), Credential Guard stores them in a virtual environment. This prevents attackers from accessing them with contemporary attack tools and techniques.
Credential Guard is a solid security enhancement and it is not likely to go away anytime soon, at least until attackers adapt.
Learn Windows 10 Host Security
Sources
- Windows 10 Credential Guard – Secure Your Hashes, MS Expert Talk
- Defender Credential Guard: Protecting Your Hashes, Insider Threat Security Blog
- Windows 10 Device Guard and Credential Guard Demystified, Ash’s Blog (blogs.technet.microsoft.com)
- Protect derived domain credentials with Windows Defender Credential Guard, Microsoft