Credential Guard
Security is an increasingly important part of our everyday lives. Traditional approaches such as the use of credentials now offer only a limited amount of protection. Once credentials are compromised, who knows what damage the bad guys can do. Wouldn't it be good if there was a way of safeguarding your credentials baked into the actual operating system (OS) of the computer you are using? Even better, what if the OS itself could prevent anything untoward from happening when it detects that something is not quite right?
Well, such a system does exist, and it is called Windows Defender Credential Guard. Microsoft introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016. When Credential Guard is active, privileged system software is the only thing that can access user credentials. In other words, Credential Guard is a security feature that isolates users' login secrets so that only privileged system software can reach them, which prevents theft. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-the-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
Microsoft Windows Defender Credential Guard uses virtualization to store credentials in protected containers separate from the OS. As a result, the information Credential Guard protects is safe even if malware or some other malicious attack penetrates an organization's network.
In Windows 10, the Local Security Authority (LSA) is responsible for validating users when they log on. When Credential Guard is active, Windows 10 stores credentials in an isolated LSA, which contains only the signed, certified binaries trusted by virtualization-based security that it needs to keep the credentials safe. The isolated LSA communicates with the regular LSA through remote procedure calls and validates each binary before it launches a file inside the protected area.
Requirements and limitations
For Credential Guard to work, the device must support virtualization-based security and have Secure Boot functionality. Virtualization-based security only works if the device has a 64-bit CPU, CPU virtualization extensions with extended page tables, and a Windows hypervisor. The device must also include a Trusted Platform Module (TPM) 2.0 and a Unified Extensible Firmware Interface (UEFI) lock.
Credential Guard can function on virtual machines in the same way it does on physical machines. To work on a VM, however, it must be a Generation 2 VM with a virtual TPM enabled. In addition, the Microsoft Hyper-V host must run at least Windows Server 2016 / Windows 10 version 1607 and have an input-output memory management unit (IOMMU).
Credentials protected by Credential Guard
When we open System Information, we can see whether Credential Guard is enabled. In the attached screenshot you can see that this function has been enabled.
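Rather than reading the System Information panel by hand, the same facts can be pulled from WMI and the registry. The following PowerShell script is an added example, not part of the original article: it checks the prerequisites listed under Requirements and limitations (64-bit OS, VBS hardware support, Secure Boot, IOMMU/DMA protection, TPM 2.0) together with the configured and running state of Credential Guard. It assumes Microsoft's documented value codes for the Win32_DeviceGuard class and for the LsaCfgFlags registry value, and that it is run from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original article. Reads the Device Guard
# WMI class, the TPM class and the LSA registry value that Credential Guard
# uses, then reports the prerequisites from the text and the running state.
# Run in an elevated PowerShell on Windows 10 / Windows Server 2016 or later.
function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # AvailableSecurityProperties codes (as documented by Microsoft):
    # 1 = base VBS support, 2 = Secure Boot, 3 = DMA protection (IOMMU),
    # 4 = secure memory overwrite, 5 = UEFI code read-only,
    # 6 = SMM security mitigations, 7 = mode-based execution control
    $avail = @($dg.AvailableSecurityProperties)

    # SecurityServicesConfigured / SecurityServicesRunning codes:
    # 1 = Credential Guard, 2 = HVCI (memory integrity)
    $cgConfigured = @($dg.SecurityServicesConfigured) -contains 1
    $cgRunning    = @($dg.SecurityServicesRunning)    -contains 1

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $lsaCfg = if ($null -ne $lsa) { [int]$lsa.LsaCfgFlags } else { 0 }

    # TPM: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm2 = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

    [pscustomobject]@{
        Is64BitOS                 = [Environment]::Is64BitOperatingSystem
        VbsHardwareSupport        = $avail -contains 1
        SecureBootAvailable       = $avail -contains 2
        DmaProtection             = $avail -contains 3
        Tpm20Present              = $tpm2
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning                = $dg.VirtualizationBasedSecurityStatus -eq 2
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaCfgFlags               = $lsaCfg
        UefiLock                  = ($lsaCfg -eq 1)
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

# Configured but not running usually means the feature is not yet active,
# for example because a reboot is pending or a prerequisite above is missing.
if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running; LSASS secrets are not isolated on this host.'
}
```

The UefiLock field matters operationally: with LsaCfgFlags = 1 the setting is persisted in UEFI and cannot be undone by a registry or Group Policy change alone, which is what the text refers to as the UEFI lock requirement.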
Visibility of the Kerberos password
To show how Credential Guard protects access to user data, I attached screenshots of two machines to my presentation. The green one is an example with Credential Guard on, the red one with it off. At the beginning you run mimikatz as an administrator in debug mode, which you can see from the privilege::debug command.
The next step is to enter the command sekurlsa::logonpasswords, which outputs password information for all currently and recently logged-on users and computers. After executing the command, we see the essential difference in the results when the security feature is turned on and when it is not. On the left side, we can see that the data is secured; on the right side you can see the NTLM and SHA1 user hashes.
In the next picture you can see the difference between a fully exposed Kerberos password and a password that is inaccessible thanks to Credential Guard.
Comments
Applications that require certain authentication capabilities, including Kerberos DES encryption support, Kerberos unconstrained delegation and NTLMv1, will break because Credential Guard does not allow them. Any applications using digest authentication, credential delegation or Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) will not be fully protected by Credential Guard.
Microsoft Windows Defender Credential Guard does not protect credentials on domain controllers, in the Active Directory database or in the Security Accounts Manager. It also does not work with some third-party security tools, because it will not share password hashes with third-party products. In addition, some user credentials will no longer work after a Windows 10 update.
Conclusion
Unprivileged software cannot access your credentials or use them to do bad things with your system, so confidential information stays protected. This is pretty amazing and makes Windows 10 the most secure operating system that you could be running today.
Comments
Say that again, but slowly.
Ok, let's not engage in a discussion about how some Linux-based systems could be a fortress with no means of access at all, let's focus on Windows Defender more. It is unnecessarily overcautious. It blocks even some parts of Windows software, and what is worse, if I want to implement my own software, it will also end up blocked. And finally, the cherry on top -- lack of native access to managing all this stuff. That said, there is no actual way of disabling it. It seems the "Turn off" button is there for purely decorative purposes.
In all this pursuit of making Windows more secure they succeeded in making a maze for users as hard as possible giving them the fewest options and freedom in fear of them breaking something. Foolish.
Information security will be topic number 1 for a long time in IT, and I'm not even sure there will be a time when we will have a chance to forget about this dangerous thing and not worry that someone could steal our data.
I would not even call it "secure" to begin with.
While some of us care so little about our privacy, I'm highly concerned with the state of Win 10.