What is Credential Guard
Credential Guard is a virtualization-based isolation technology that prevents attackers from stealing credentials that could be reused in pass-the-hash attacks. Attackers routinely try to extract any credentials stored on a compromised host, and a prime target is the LSASS.exe process, which holds NTLM hashes and Kerberos tickets. Credential Guard prevents attackers from dumping these secrets from LSASS by moving them into a virtualization-based container (the isolated LSA process, LsaIso.exe) that even a user with the highest privileges on the host, such as a local administrator or SYSTEM, cannot access, thus preventing the theft of the credentials.
Credential Guard Requirements (Software and Hardware)
To provide basic protection against OS-level attempts to read Credential Manager domain credentials and NTLM and Kerberos derived credentials, Windows Defender Credential Guard requires:
- Windows 10 (Enterprise or Education edition) or Windows Server 2016, or later.
- Support for virtualization-based security (VBS) (required)
- Secure Boot (required)
- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware
- UEFI lock (preferred - the setting is stored in a UEFI variable, so an attacker cannot disable Credential Guard with a simple registry key or Group Policy change; turning it off then requires confirmation at the console during boot)
The Virtualization-based security requires:
- 64-bit CPU
- CPU virtualization extensions plus extended page tables
- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed in a VM, secrets are protected from attacks inside the VM (not from a compromised Hyper-V host, which can still read guest memory). The requirements for running Credential Guard in a Hyper-V VM are:
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
Application compatibility with Credential Guard
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked (Kerberos DES encryption, Kerberos unconstrained delegation, extraction of the Kerberos TGT, and NTLMv1), so applications that depend on them will break. Test applications before deployment to ensure compatibility.
Note: Enabling Windows Defender Credential Guard on domain controllers is not supported. A domain controller hosts authentication services that integrate with the processes Credential Guard isolates, which causes crashes. Windows Defender Credential Guard also does not protect the Active Directory database or the Security Accounts Manager (SAM), so local account password hashes are outside its scope.
Enable Windows Defender Credential Guard by using Group Policy
You can use Group Policy to enable Windows Defender Credential Guard.
- Open the Group Policy Management Console, edit a Group Policy object, and go to Computer Configuration -> Administrative Templates -> System -> Device Guard.
- Double-click Turn On Virtualization Based Security, and then click the Enabled option.
- In the Select Platform Security Level box, choose Secure Boot or Secure Boot and DMA Protection.
- In the Credential Guard Configuration box, click Enabled with UEFI lock, and then click OK. If you want to be able to turn off Windows Defender Credential Guard remotely, choose Enabled without lock.
To force immediate processing of the Group Policy on a client, run the command gpupdate /force. A reboot is still required before VBS and Credential Guard actually start.
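The same four Group Policy choices can be applied directly through the registry, which is useful on machines that are not domain joined or when you want to script the rollout. The example below is added here and is not code from the original page or from Microsoft; the three registry values and their meanings (EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures 1 = Secure Boot / 3 = Secure Boot and DMA Protection, LsaCfgFlags 1 = enabled with UEFI lock / 2 = enabled without lock) are the documented ones, while the function name and parameter names are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example: registry equivalent of the "Turn On Virtualization Based Security"
# policy above. Values are the documented ones; the function and parameter names
# are this example's own.
function Enable-CredentialGuardRegistry {
    [CmdletBinding()]
    param(
        # Mirrors the "Select Platform Security Level" box:
        # 1 = Secure Boot, 3 = Secure Boot and DMA Protection
        [ValidateSet('SecureBoot', 'SecureBootAndDmaProtection')]
        [string]$PlatformSecurityLevel = 'SecureBoot',

        # Mirrors "Enabled with UEFI lock" (LsaCfgFlags = 1) vs
        # "Enabled without lock" (LsaCfgFlags = 2). With the lock set,
        # the setting cannot be undone remotely by a registry or policy change.
        [switch]$UefiLock
    )

    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $platformValue = if ($PlatformSecurityLevel -eq 'SecureBoot') { 1 } else { 3 }
    $lsaCfgFlags   = if ($UefiLock) { 1 } else { 2 }

    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }

    # "Turn On Virtualization Based Security" = Enabled
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    # "Select Platform Security Level"
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value $platformValue -Type DWord
    # "Credential Guard Configuration"
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $lsaCfgFlags -Type DWord

    # Read the values back so the caller can log what was actually written.
    $dg  = Get-ItemProperty -Path $dgKey
    $lsa = Get-ItemProperty -Path $lsaKey
    [PSCustomObject]@{
        EnableVirtualizationBasedSecurity = $dg.EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = $dg.RequirePlatformSecurityFeatures
        LsaCfgFlags                       = $lsa.LsaCfgFlags
        UefiLocked                        = [bool]$UefiLock
        RebootRequired                    = $true   # VBS and Credential Guard start at boot
    }
}

# Equivalent of: Enabled, "Secure Boot and DMA Protection", "Enabled with UEFI lock"
Enable-CredentialGuardRegistry -PlatformSecurityLevel SecureBootAndDmaProtection -UefiLock
```

Run it in an elevated PowerShell session and reboot afterwards; if a Group Policy also sets these values, the policy will overwrite them on the next refresh, so pick one mechanism per machine.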
Enable Credential Guard using the Device Guard and Credential Guard hardware readiness tool
The Device Guard and Credential Guard hardware readiness tool is a single PowerShell script that can check whether a device is capable of running Credential Guard and Device Guard (HVCI), enable or disable them, and report their status. The tool can be downloaded from this link. The hardware and firmware checks are written into the script, so it makes the required changes without you having to edit anything manually.
Note: If the execution policy does not already allow running scripts, set it as below before running the readiness script. Unrestricted is broader than the script needs; adding -Scope Process limits the change to the current PowerShell session instead of the whole machine.
Set-ExecutionPolicy Unrestricted
How to read the output of the Script:
- Red Errors: Basic hardware/firmware features are missing that will prevent enabling and using DG/CG.
- Yellow Warnings: This device is capable of running DG/CG, but some additional security qualifications are absent. To learn more, please go through: https://aka.ms/dgwhcr
- Green Messages: This device is fully compliant with DG/CG requirements.
To verify whether the device is Credential Guard capable (that is, whether Credential Guard can be enabled), run:
DG_Readiness.ps1 -Capable -CG
To enable only Credential Guard (without HVCI), run:
DG_Readiness.ps1 -Enable -CG
To verify whether Credential Guard is enabled, run:
DG_Readiness.ps1 -Ready -CG
Note: Reboot the machine after running the script; the Credential Guard settings are applied at boot, and the -Ready check will not report it as running until then.
Verify that Credential Guard is running using msinfo32
You can view System Information to check that Windows Defender Credential Guard is running on a system.
- Click Start, type msinfo32 and then click System Information.
- Click System Summary.
- Confirm that Credential Guard is listed next to Virtualization-based security Services Running. If it appears only next to Virtualization-based security Services Configured, the policy has been applied but the service is not yet running, usually because a reboot is pending or a hardware requirement is not met.
Verify Credential Guard is running using PowerShell
You can verify whether Credential Guard is configured and running by querying the Win32_DeviceGuard class with the following PowerShell command.
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
The SecurityServicesConfigured property lists which services have been configured. It is an array of codes rather than a single number:
- Empty (or 0): no services configured.
- 1: Credential Guard is configured.
- 2: HVCI (Hypervisor-protected Code Integrity) is configured.
Note: If the array contains both 1 and 2, both Credential Guard and HVCI are configured. Configured is not the same as running: the SecurityServicesRunning property uses the same codes and shows which services are actually active, and VirtualizationBasedSecurityStatus is 2 when VBS itself is running (0 = disabled, 1 = enabled but not running).
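Reading the raw arrays by eye is error-prone, and the "configured but not running" case is exactly the one that gets missed. The following script is an added example, not code from the original page or from Microsoft: it queries the same Win32_DeviceGuard class and decodes the documented codes for SecurityServicesConfigured, SecurityServicesRunning and VirtualizationBasedSecurityStatus, plus the three AvailableSecurityProperties codes that correspond to the requirements listed earlier (1 = base VBS support, 2 = Secure Boot, 3 = DMA protection); any other code is reported as unknown rather than guessed. The function name is this example's own.

```powershell
# Added example: decode Win32_DeviceGuard so "configured" and "running" are not
# confused. Code values are the documented ones; the function name is this example's.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # Codes shared by SecurityServicesConfigured and SecurityServicesRunning
    $serviceNames  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsNames      = @{ 0 = 'Disabled'; 1 = 'Enabled (not running)'; 2 = 'Running' }
    # Platform properties that map to the requirements in this page; others reported as Unknown(n)
    $propertyNames = @{ 1 = 'Base VBS support'; 2 = 'Secure Boot'; 3 = 'DMA Protection' }

    # Turn an array of numeric codes into names, tolerating empty arrays and unknown codes
    $decode = {
        param($codes, $table)
        @($codes) | Where-Object { $null -ne $_ } | ForEach-Object {
            if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" }
        }
    }

    [PSCustomObject]@{
        VbsStatus              = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = @(& $decode $dg.SecurityServicesConfigured  $serviceNames)
        ServicesRunning        = @(& $decode $dg.SecurityServicesRunning     $serviceNames)
        AvailableProperties    = @(& $decode $dg.AvailableSecurityProperties $propertyNames)
        RequiredProperties     = @(& $decode $dg.RequiredSecurityProperties  $propertyNames)
        # The check that matters for this page: code 1 present in the *running* list
        CredentialGuardRunning = [bool](@($dg.SecurityServicesRunning) -contains 1)
        # Configured but not running usually means a reboot is pending or a requirement is unmet
        CredentialGuardPending = [bool]((@($dg.SecurityServicesConfigured) -contains 1) -and
                                        -not (@($dg.SecurityServicesRunning) -contains 1))
    }
}

Get-CredentialGuardState | Format-List
```

CredentialGuardRunning is the value to alert on in a compliance check; CredentialGuardPending flags machines where the policy landed but the protection is not yet in effect, which a plain "is it configured" query would report as compliant.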