What is Microsoft Windows Defender Credential Guard?
Microsoft Windows Defender Credential Guard is a security feature that isolates user credentials from the rest of the operating system so that they cannot be read or stolen, even by code running with administrative privileges.
Microsoft introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016. When Credential Guard is active, only trusted, privileged system software can access the protected credentials. It is particularly effective against pass-the-hash and pass-the-ticket attacks because it protects NT LAN Manager (NTLM) password hashes and Kerberos ticket-granting tickets (TGTs) from being dumped out of the Local Security Authority process memory. It also stores randomized, full-length hashes to blunt trial-and-error attacks such as brute force. Additionally, Credential Guard protects the credentials that applications store as domain credentials.
How Credential Guard works
Microsoft Windows Defender Credential Guard uses virtualization-based security (VBS) to keep credentials in a protected container that the normal operating system cannot read. Therefore, information protected by Credential Guard stays secure even if malware or an attacker gains a foothold on the machine or elsewhere in an organization's network.
In Windows 10, the Local Security Authority (LSA) is responsible for validating users when they sign in. When Credential Guard is active, Windows 10 stores credentials in an isolated LSA process (LsaIso.exe), which contains only the signed, certified, virtualization-based security binaries it needs to keep credentials secure. The isolated LSA communicates with the normal LSA via remote procedure calls, and every binary is signed with a certificate that VBS trusts; the signature is validated before the file is launched inside the protected environment.
IT can enable Credential Guard using Group Policy, the Windows Registry, or the Device Guard and Credential Guard hardware readiness tool, a Microsoft PowerShell script that also reports whether a device can run Credential Guard.
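The registry route from the paragraph above, followed by a check that the isolated LSA is really running, as an added example (not code from the page or from Microsoft). The registry paths, value names and meanings are the documented ones; the function name Get-CredentialGuardState and the object it returns are this example's own. Run in an elevated PowerShell session on Windows 10 Enterprise or later; a reboot is required before the check reports "Running".

```powershell
# Added example: enable Credential Guard through the registry (the same values the
# Group Policy setting "Turn On Virtualization Based Security" writes) and verify it.

$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# EnableVirtualizationBasedSecurity: 1 = turn on VBS (Credential Guard depends on it)
New-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null

# RequirePlatformSecurityFeatures: 1 = require Secure Boot, 3 = require Secure Boot and DMA protection
New-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value 1 -PropertyType DWord -Force | Out-Null

# LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock
# The UEFI lock persists the setting in firmware variables, so it cannot be removed by
# simply deleting the registry value or changing policy remotely.
New-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -PropertyType DWord -Force | Out-Null

Write-Host 'Credential Guard configured; reboot to activate the isolated LSA.'

function Get-CredentialGuardState {
    # Win32_DeviceGuard is the documented WMI class that reports VBS and Credential Guard status.
    $cim = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    $vbs = switch ($cim.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' }
        1 { 'EnabledButNotRunning' }
        2 { 'Running' }
        default { "Unknown($($cim.VirtualizationBasedSecurityStatus))" }
    }

    # SecurityServicesConfigured / SecurityServicesRunning are arrays:
    # 1 = Credential Guard, 2 = Hypervisor-enforced code integrity (HVCI)
    [pscustomobject]@{
        VbsStatus                 = $vbs
        CredentialGuardConfigured = [bool]($cim.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($cim.SecurityServicesRunning -contains 1)
        # LsaIso.exe is the isolated LSA process; it only exists when Credential Guard is running.
        LsaIsoProcessPresent      = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
    }
}

Get-CredentialGuardState
```

After the reboot, CredentialGuardRunning and LsaIsoProcessPresent should both be True. If VbsStatus reports EnabledButNotRunning, the platform requirements in the next section are not met, and the Microsoft-Windows-DeviceGuard/Operational event log usually says which one is missing. Note that once the UEFI lock is set, turning Credential Guard off requires clearing the firmware variables (for example with the readiness tool's -Disable switch) and confirming the change at the console on the next boot.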
Windows Credential Guard requirements and limitations
For Credential Guard to work, the device must support virtualization-based security and have Secure Boot enabled. Virtualization-based security only works if the device has a 64-bit processor with virtualization extensions (Intel VT-x or AMD-V) and second-level address translation (extended page tables), UEFI firmware with Secure Boot, and the Windows hypervisor. A Trusted Platform Module (TPM) 1.2 or 2.0 is strongly recommended, since it binds the keys that protect the isolated LSA to the hardware; an optional UEFI lock prevents the Credential Guard setting from being removed remotely. An I/O memory management unit (IOMMU) is also recommended so that DMA-capable devices cannot read protected memory.
Credential Guard can work on virtual machines in the same way as on physical machines. To run in a VM, however, it must be a Generation 2 VM with a virtual TPM enabled. Additionally, the Microsoft Hyper-V host must be running at least Windows Server 2016 or Windows 10 version 1607 and must have an IOMMU.
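A prerequisite check for the requirements listed above, as an added example (not code from the page or from Microsoft's readiness tool). It relies only on documented cmdlets and the Win32_DeviceGuard class; the function name Test-CredentialGuardPrerequisites and the labels in its output table are this example's own. The AvailableSecurityProperties codes are the documented ones: 1 = base VBS support, 2 = Secure Boot, 3 = DMA protection, 7 = mode-based execution control.

```powershell
# Added example: report which Credential Guard platform requirements a machine meets.
# Run in an elevated PowerShell session on Windows 10 / Windows Server 2016 or later.

function Test-CredentialGuardPrerequisites {
    $results = [ordered]@{}

    # 64-bit OS is mandatory for VBS.
    $results['64-bit operating system'] = [Environment]::Is64BitOperatingSystem

    # Processor virtualization features. When a hypervisor is already running, Windows
    # does not report the individual requirements, so treat that case as satisfied.
    $ci = Get-ComputerInfo
    if ($ci.HyperVisorPresent) {
        $results['Hypervisor already running'] = $true
    } else {
        $results['Virtualization enabled in firmware (VT-x/AMD-V)'] = [bool]$ci.HyperVRequirementVirtualizationFirmwareEnabled
        $results['Second-level address translation (EPT/NPT)']     = [bool]$ci.HyperVRequirementSecondLevelAddressTranslation
        $results['VM monitor mode extensions']                      = [bool]$ci.HyperVRequirementVMMonitorModeExtensions
    }

    # Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS systems, which also fail the check.
    try {
        $results['UEFI Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI)
    } catch {
        $results['UEFI Secure Boot enabled'] = $false
    }

    # TPM: recommended rather than mandatory, but without it the keys are not hardware-bound.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $results['TPM present and ready (recommended)'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # What VBS itself reports as available on this platform.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
    $avail = @($dg.AvailableSecurityProperties)
    $results['VBS base support (code 1)']          = $avail -contains 1
    $results['Secure Boot seen by VBS (code 2)']   = $avail -contains 2
    $results['DMA/IOMMU protection (code 3, recommended)'] = $avail -contains 3

    # Emit one row per check and an overall verdict on the mandatory items.
    $mandatory = @(
        '64-bit operating system',
        'UEFI Secure Boot enabled',
        'VBS base support (code 1)'
    )
    $rows = foreach ($k in $results.Keys) {
        [pscustomobject]@{ Requirement = $k; Met = $results[$k]; Mandatory = ($mandatory -contains $k) }
    }
    $rows | Format-Table -AutoSize | Out-String | Write-Host

    $blocking = $rows | Where-Object { $_.Mandatory -and -not $_.Met }
    if ($blocking) {
        Write-Warning ("Credential Guard cannot run: " + (($blocking.Requirement) -join ', '))
        return $false
    }
    Write-Host 'All mandatory Credential Guard prerequisites are met.'
    return $true
}

Test-CredentialGuardPrerequisites
```

On a Generation 2 Hyper-V VM the same script applies; the TPM row reflects whether the virtual TPM was enabled on the VM, and the DMA protection row depends on the host exposing an IOMMU to the guest.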
Applications that require certain authentication features, including Kerberos DES encryption, Kerberos unconstrained delegation, and NTLMv1, will stop working because Credential Guard does not allow the isolated LSA to release the signed-in credentials to them. Applications that use Digest authentication, credential delegation (CredSSP), or Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) cannot use the signed-in credentials and must prompt for them, and those prompted credentials are not protected by Credential Guard.
Microsoft Windows Defender Credential Guard does not protect the Active Directory database on domain controllers or the local Security Accounts Manager (SAM) database, so it is not a replacement for domain controller hardening or strong local account policies. It also doesn't work with some third-party security tools because it won't share password hashes or tickets with third-party products. Also, some stored user credentials may stop working after a Windows 10 update and have to be re-entered.