Why You Need Credential Guard
Security is an ever increasingly important part of our everyday lives. Traditional approaches such as the use of credentials now only offer a limited amount of protection. Once credentials are compromised, who knows what damage the bad guys can do.
Wouldn’t it be good if there was a way of safeguarding your credentials baked into the actual operating system (OS) of the computer you are using? Even better, what if the OS itself could prevent anything untoward happening if it detects something is not quite right?
Well, such a system does exist, and it is called Window Defender Credential Guard (referred to as Credential Guard from here on in). Credential Guard works by segregating a part of the Local Security Authority (LSA) service to help mitigate pass-the-hash and pass-the-ticket attacks.
As background, a pass-the-hash attack is where an attacker uses the underlying NTLM and/or LanMan hash of a user’s password to authenticate to a remote server/service instead of requiring the actual password.
A pass-the-ticket attack on the other hand, is where an attacker uses the Kerberos Ticket Granting Ticket of a user recently logged into the domain to authenticate to a Windows server, gaining access to all servers and other resources for which the user has privileges.
What Can Credential Guard Do?
Now virtualization technologies such as Microsoft’s Hyper-V are nothing new. And one of the cool things that virtualization technologies such as Hyper-V allow us to do is to segregate certain operations to specific virtual machines. Not only does this spread the load, but it is also is an effective way to reduce contagion. If one VM is comprised, the host and the other VMs almost certainly are not. (The “almost certainly” leaves room for extreme circumstances such as potential Meltdown/Spectre exploits that can cross VMs.)
Now wouldn’t it be good if we could leverage this same technology to isolate core OS services themselves, but in the actual OS of a computer such as Windows 10?
Guess what? In Windows 10 you can. This technology is known as virtualization-based security (VBS). What this means is even if the kernel mode of the host OS is compromised, the core operating system services themselves cannot be manipulated.
Now this VBS environment consists of two services:
- The Hypervisor Code Integrity (HVCI) service – Determines if code executing in kernel mode is trustworthy and securely designed.
- The Local Security Authority (LSA) service – Manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms.
Is Credential Guard Just a Software-Based Solution?
No. Like many of the new security features in Windows 10, Credential Guard uses a combination of hardware and software, and had the following requirements:
- UEFI firmware version 2.3.1 or higher and Secure Boot
- Virtualization extensions
- Intel VT-x or AMD-V
- Second Level Address Translation (SLAT)
- A VT-d or AMD-Vi IOMMU (Input/output memory management unit)
- Trusted Platform Module (TPM) version 2.0
- Secure firmware update process
- Firmware updated for Secure MOR implementation (required to help prevent certain memory attacks)
- Physical PC if you are running Windows 10 version 1507 or 1511
- Virtual machine (Generation 2) if you are Windows 10 version 1607 or newer
- Virtualization extensions
How Much Is This Going to Cost?
Probably one of the first questions you are going to have to answer from management is how much is all of this going to cost? Well, like most IT-related projects there are both material and resource costs when it comes to implementing Credential Guard.
From the material side, any machines on which you want to be able to use Credential Guard must meet the hardware and software requirements.
You also need to understand the implications of enabling Credential Guard. Enabling it will restrict which features and software can be used on a machine. For example, you cannot use Windows To Go on a machine where Credential Guard has been enabled as it uses hardware security.
Microsoft highly recommends that organizations move away from using passwords. Instead, they should look to implement other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
Microsoft also recommends you to review which authentication methods you are using for your WiFi/VPN and look to implement certificate-based authentication such as PEAP-TLS or EAP-TLS.
Obviously, all these require research, evaluation, testing, piloting, deploying, documenting, on-going support, etc. which is going to require sufficient, qualified resources and their associated costs.
The Devil Is in the Detail
Of course, implementing any new technology has some degree of risk. In the case of Credential Guard, the biggest thing you can do to reduce this risk is to remember that Credential Guard is a hardware and software solution. Therefore, to get the best out of it and for the best level of protection deploy both the hardware and software components of the Credential Guard solution.
It is important to understand that implementing Credential Guard will not protect all of the credentials on a computer. Examples include credentials outside of Windows feature protection, those used by local accounts, or Microsoft accounts, and those stored in software that manages passwords.
Is it also critical when trying to understand the value of implementing Credential Guard throughout your organization that you understand where and how credentials are stored.
Gently Does It
Microsoft recommends you avoid a “big bang” approach to deploying Credential Guard.
Instead, Microsoft’s (and my personal) recommendation, is you should start with a limited pilot group of computers for your initial deployment of Credential Guard. Ideal candidates for this are either new hires, employees whose computer is being upgraded, or those whose computer is being re-imaged.
Why? Because Microsoft recommends enabling Credential Guard on a computer before it is joined to a domain to prevent the user and device secrets from being compromised.
You should also look to use security audit policies or WMI queries to perform regular reviews of PCs where Credential Guard has been implemented.
As mentioned in my recent Device Guard blog (and restated here because of its potential impact), enable any hardware-based virtualization-based security (VBS) features. This will help strengthen the code integrity policies; however, please make sure you test these in a lab. If they are incorrectly configured they can cause a blue screen of death/data loss.
As with most things in life, it’s usually better to learn from someone who has already done something and hopefully learned from their mistakes, rather than going into the unknown and hoping for the best.
Credential Guard is no exception.
First off, to make your life easier in checking if your proposed hardware is ready for Credential Guard (and Device Guard), Microsoft have released the Device Guard and Credential Guard hardware readiness tool (https://www.microsoft.com/en-us/download/details.aspx?id=53337). This tool can also enable/disable them as well.
Next, as Credential Guard relies on the security of the underlying hardware and firmware, it is vital you keep your firmware updated with the latest security fixes. To verify your firmware complies with the secure firmware update process use the System.Fundamentals.Firmware.UEFISecureBoot Windows Hardware Compatibility Program requirement.
Following on from this, to verify your firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can use the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby Windows Hardware Compatibility Program requirement.
Finally, my fellow MVP Nickolaj Andersen has written a PowerShell script that will enable Credential Guard during Windows 10 deployment using ConfigMgr OSD (a link is included in the Useful Resources section).
If the kernel mode of the host operating system is compromised, the core operating system services can also be manipulated. This is one of the biggest potential risks to your users, their devices, your network, and ultimately your organization.
Why take this risk when you have Credential Guard in your defense arsenal to help protect you?
I created some detailed information to help you with Credential Guard and other key security features in a Windows 10 Security Design Decision Guide. It helps you decide which features need to be deployed where, and how to configure them correctly for different endpoints. The guide covers five critical Windows 10 security features correctly, including Credential Guard.
The following table contains a list of useful resources that contain more information on Credential Guard.
About Cliff Hobbs
The author of this blog is Cliff Hobbs, a 14-time Microsoft MVP in Enterprise Mobility (SCCM + Intune), and founder of FAQShop.