
Week 8 [03.12-09.12.18] Credential Guard in Windows 10


Credential Guard

Security is an ever increasingly important part of our everyday lives. Traditional approaches such as the use of credentials now only offer a limited amount of protection. Once credentials are compromised, who knows what damage the bad guys can do.
Wouldn’t it be good if there was a way of safeguarding your credentials baked into the actual operating system (OS) of the computer you are using? Even better, what if the OS itself could prevent anything untoward happening if it detects something is not quite right?
Well, such a system does exist, and it is called Windows Defender Credential Guard. Microsoft introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016. When Credential Guard is active, privileged system software is the only thing that can access user credentials. In other words, Credential Guard is a security feature that isolates users' login secrets to prevent theft, so that only privileged system software can reach them. Unauthorized access to these secrets can lead to credential theft attacks such as Pass-the-Hash or Pass-the-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
Microsoft Windows Defender Credential Guard uses virtualization to store credentials in protected containers separate from the OS. As a result, the information Credential Guard protects is safe even if malware or some other malicious attack penetrates an organization's network.
In Windows 10, the Local Security Authority (LSA) is responsible for validating users when they log on. When Credential Guard is active, Windows 10 stores credentials in an isolated LSA, which contains only the signed, certified binaries that virtualization-based security trusts and that it needs to keep the credentials safe. The isolated LSA communicates with the regular LSA through remote procedure calls and validates each binary before it launches a file inside the protected area.


Requirements and limitations

For Credential Guard to work, the device must support virtualization-based security and have Secure Boot. Virtualization-based security only works if the device has a 64-bit CPU, CPU virtualization extensions with extended page tables, and the Windows hypervisor. The device must also include Trusted Platform Module (TPM) 2.0 and a Unified Extensible Firmware Interface (UEFI) lock.
Credential Guard can function on virtual machines in the same way it does on physical machines. To work on a VM, however, it must be a Generation 2 VM with a TPM enabled. In addition, the Microsoft Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607 and have an input-output memory management unit.

Credentials protected by Credential Guard

When we open System Information, we can see whether Credential Guard is enabled. In the attached screenshot you can see that this function has been enabled.
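System Information reads its "Virtualization-based security" lines from the same WMI provider that scripts can query, so the check above can be automated. The script below is an added example, not part of the original post: it reports the prerequisites listed earlier (64-bit CPU, virtualization extensions, extended page tables, Secure Boot, TPM 2.0) next to what the Win32_DeviceGuard class says is configured and actually running, the LsaCfgFlags policy value (0 off, 1 on with UEFI lock, 2 on without lock), and whether the isolated LSA process (LsaIso.exe) exists. The class, property and registry names are Microsoft's documented ones; the function name and the lookup tables are our own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on Windows 10 Enterprise / Server 2016 or later.

$secSvc  = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)';
              3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement' }
$secProp = @{ 0 = 'None'; 1 = 'Base VBS support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
              4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only';
              6 = 'SMM security mitigations'; 7 = 'Mode-based execution control' }
$lsaCfg  = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without UEFI lock' }

function Get-CredentialGuardReport {
    # Hardware side: VT-x/AMD-V and SLAT (extended page tables) per Win32_Processor,
    # TPM spec version per Win32_Tpm, Secure Boot per the UEFI variable.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm `
               -ErrorAction SilentlyContinue
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS

    # OS side: what the Device Guard provider reports as configured vs. running.
    # SecurityServicesRunning containing 1 is the authoritative "Credential Guard is on".
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # Effective policy value written under the Lsa key (absent = never configured).
    $flags = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                  -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        Is64Bit               = [Environment]::Is64BitOperatingSystem
        VirtualizationEnabled = $cpu.VirtualizationFirmwareEnabled
        ExtendedPageTables    = $cpu.SecondLevelAddressTranslationExtensions
        SecureBoot            = $secureBoot
        TpmSpecVersion        = if ($tpm) { $tpm.SpecVersion } else { 'no TPM found' }
        VbsStatus             = @('Not enabled', 'Enabled, not running', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured    = ($dg.SecurityServicesConfigured | ForEach-Object { $secSvc[[int]$_] }) -join ', '
        ServicesRunning       = ($dg.SecurityServicesRunning    | ForEach-Object { $secSvc[[int]$_] }) -join ', '
        RequiredProperties    = ($dg.RequiredSecurityProperties | ForEach-Object { $secProp[[int]$_] }) -join ', '
        LsaCfgFlags           = if ($null -ne $flags) { $lsaCfg[[int]$flags] } else { 'not set' }
        LsaIsoRunning         = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        CredentialGuardActive = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

$report = Get-CredentialGuardReport
$report | Format-List
if (-not $report.CredentialGuardActive) {
    Write-Warning 'Credential Guard is not running: compare the prerequisites above with RequiredProperties and check LsaCfgFlags.'
}
```

The useful distinction is between ServicesConfigured and ServicesRunning: a policy can be set (flags 1 or 2) while a missing prerequisite such as Secure Boot or a TPM keeps the isolated LSA from ever starting, and only the running list, together with the LsaIso process, proves that the protection described in the post is in effect.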



Visibility of the kerberos password

To show how Credential Guard protects access to user data, I attached screenshots of two machines to my presentation. The green one is an example with Credential Guard on, the red one with it off. At the beginning you should run mimikatz as an administrator in debug mode, which you do with the `privilege::debug` command.

The next step is to enter the command `sekurlsa::logonpasswords`, which outputs password information for all currently and recently logged on users and computers. After executing the command, we see the essential difference in the results when the security feature is turned on and when it is not. On the left side, we can see that the data is secured; on the right side you can see the NTLM and SHA1 hashes of the user.

In the next picture you can see the difference between a fully exposed Kerberos password and a password that is inaccessible thanks to Credential Guard.

Comments

Applications that require certain authentication capabilities, including Kerberos DES (Data Encryption Standard) encryption, Kerberos unconstrained delegation and NTLMv1, will break because Credential Guard does not allow them. Applications using digest authentication, credential delegation or Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) will not be fully protected by Credential Guard.
Microsoft Windows Defender Credential Guard does not protect credentials on domain controllers, in the Active Directory database or in the Security Accounts Manager. It also does not work with some third-party security tools, because it will not share password hashes with third-party products. In addition, some user credentials will no longer work after a Windows 10 update.
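Because NTLMv1 and DES-encrypted Kerberos simply stop working once Credential Guard is on, it pays to find out who still uses them before enabling it. The script below is an added example and not part of the original post: it reads the Security event log for logon events (ID 4624) whose LmPackageName field is "NTLM V1", and for Kerberos service-ticket events (ID 4769) whose TicketEncryptionType is a DES type (0x1 or 0x3). The event IDs and field names are the standard Windows audit fields; the function names are our own. Note that 4769 is only written on domain controllers, so the second check is meant to run there, and both need the corresponding audit policies to be on and an elevated prompt.

```powershell
# Added example (not from the original post): pre-deployment audit for the
# legacy authentication mechanisms that Credential Guard will block.

$desTypes = @('0x1', '0x3')   # DES-CBC-CRC, DES-CBC-MD5 as logged in event 4769

function Get-EventField {
    # Pull one named EventData field out of a Security event via its XML form.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-NtlmV1Logons {
    # Successful logons (4624) negotiated with NTLMv1: these clients break under Credential Guard.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'LmPackageName') -eq 'NTLM V1' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$(Get-EventField $_ 'TargetDomainName')\$(Get-EventField $_ 'TargetUserName')"
                Workstation = Get-EventField $_ 'WorkstationName'
                SourceIp    = Get-EventField $_ 'IpAddress'
            }
        }
}

function Find-DesKerberosTickets {
    # Service tickets (4769) issued with DES: the service account still allows DES-only keys.
    # Only a domain controller's Security log contains these events.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $desTypes -contains (Get-EventField $_ 'TicketEncryptionType') } |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Requester      = Get-EventField $_ 'TargetUserName'
                Service        = Get-EventField $_ 'ServiceName'
                SourceIp       = Get-EventField $_ 'IpAddress'
                EncryptionType = Get-EventField $_ 'TicketEncryptionType'
            }
        }
}

Write-Host '== Logons negotiated with NTLMv1 (last 7 days) =='
Find-NtlmV1Logons | Format-Table -AutoSize
Write-Host '== Kerberos service tickets issued with DES (domain controllers only) =='
Find-DesKerberosTickets | Format-Table -AutoSize
```

An empty result from both functions on every domain controller and on a representative set of workstations is the signal that the "will break" list in the previous paragraph does not apply to your environment; any hit points at an application or device to fix before the policy is rolled out.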


Conclusion

Unprivileged software can't access your credentials and can't do bad things with your system, so your confidential information stays protected. This is pretty amazing, and it makes Windows 10 the most secure operating system that you could run today.
Comments

> makes Windows 10 the most secure operating system that you could run today.

Say that again, but slowly.
Ok, let's not engage in a discussion about how some Linux-based systems could be a fortress with no means of access at all; let's focus on Windows Defender more. It is unnecessarily overcautious. It blocks even some parts of Windows software, and what is worse, if I want to implement my own software, it will also end up blocked. And finally, the cherry on top: lack of native access to managing all this stuff. That said, there is no actual way of disabling it. It seems a "Turn off" button is there for purely decorative purposes.

In all this pursuit of making Windows more secure, they succeeded in making a maze for users as hard as possible, giving them the fewest options and the least freedom for fear of them breaking something. Foolish.
At this time we can't be sure that any system can be 100% secure, because there are so many functions and possibilities that it's easy to make a mistake that will allow undesired actions, especially when we talk about hacky ways to get some type of information.

Information security will be topic number 1 in IT for a long time, and I'm not even sure there will be a time when we have a chance to forget about this dangerous thing and stop worrying that someone could steal our data.
I'm on the other side of the Win 10 bandwagon; I despise its built-in telemetry functions.
I would not even call it "secure" to begin with.
While some of us care so little about our privacy, I'm highly concerned with the state of Win 10.
Filip Sawicki said…
I’m also concerned about your naivety of win 10 security. Just like there is a million ways to make million dollars, there is a million ways to crack million devices. We should be aware that Windows system won’t make us immune to hackers, it’s also applications and common sense that play a huge role in our data security. Just one crack in any communication layer, encryption, application you’re using or just being dumb about password management and you are lost, Kerberos won’t help you. Of course it’s nice to hear that Microsoft is working hard on their security system, but what everybody should know is that nothing will truly defend you from targeted hacking.
