Windows Defender Credential Guard

Windows Defender Credential Guard is a security feature available in Windows 10 and Windows Server 2016 and later versions. It is designed to protect sensitive credential information, such as NTLM password hashes and Kerberos tickets, from theft and unauthorized access. Credential Guard isolates this information from the rest of the operating system, making it more difficult for attackers to steal and abuse credentials.

Concept: Credential Guard uses virtualization-based security to isolate and protect credential information in a secure container, often referred to as a “virtual secure mode.” This secure container runs in a separate virtualized environment, ensuring that even if an attacker compromises the operating system, they cannot access the credential data. This technology is a fundamental component of Microsoft’s defense-in-depth strategy to enhance system security.

Prerequisites: To use Windows Defender Credential Guard, you need:

  1. Windows 10 Enterprise or Education edition, or Windows Server 2016/2019.
  2. A computer with UEFI firmware and TPM 2.0.
  3. A processor that supports virtualization-based security.

Usage and Working Examples: Credential Guard protects sensitive credentials by storing them securely and using virtualization-based security. Here are two working examples:

  1. Prevention of Credential Theft:
    • Usage Example: Suppose an attacker gains access to your Windows computer through a malware infection or other means. In a typical system, the attacker could steal credential information and perform lateral movement across the network. With Credential Guard enabled, the sensitive credential information is isolated and protected. Even if the attacker compromises the operating system, they cannot access these credentials.
  2. Protection Against Pass-the-Hash Attacks:
    • Usage Example: Pass-the-hash attacks involve stealing hashed credentials and using them to access other systems. With Credential Guard enabled, the hashes are not accessible, making these attacks much more challenging for attackers.

Configuration and Management Steps: To configure and manage Windows Defender Credential Guard, follow these steps:

  1. Check Hardware Compatibility:
    • Ensure your hardware meets the prerequisites, including UEFI firmware with Secure Boot and TPM 2.0.
  2. Enable Virtualization-Based Security:
    • Access the BIOS/UEFI settings on your computer.
    • Enable virtualization-based security (if not already enabled) and Secure Boot.
  3. Enable Credential Guard via Group Policy:
    • Open the Local Group Policy Editor (gpedit.msc) or configure a domain-based Group Policy Object (GPO).
    • Navigate to “Computer Configuration” > “Administrative Templates” > “System” > “Device Guard” > “Turn on Virtualization-Based Security.”
    • Set this policy to “Enabled.”
  4. Verify Credential Guard Status:
    • You can verify whether Credential Guard is enabled by using the “System Information” tool (msinfo32.exe) or running the command systeminfo | findstr /B /C:"Virtualization-Based Security Enabled".
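The verification in step 4 can be scripted so it works across a fleet and also surfaces why Credential Guard is not running. The following PowerShell is an added example, not code from the original article; it reads the Win32_DeviceGuard WMI class and the registry values that the "Turn On Virtualization Based Security" policy writes (Microsoft-documented locations), and assumes an elevated prompt on a Windows 10 / Server build that exposes the DeviceGuard WMI namespace.

```powershell
# Added example (not from the original article): report Credential Guard state from
# Win32_DeviceGuard plus the policy registry values. Run from an elevated PowerShell.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

    # SecurityServicesConfigured / SecurityServicesRunning contain 1 for Credential Guard, 2 for HVCI
    $cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)

    # Policy values written by Group Policy: EnableVirtualizationBasedSecurity (1 = on) and
    # LsaCfgFlags (0 = off, 1 = Credential Guard with UEFI lock, 2 = enabled without lock)
    $dgPol  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsaPol = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $cgPolicy = switch ([int]$lsaPol.LsaCfgFlags) {
        1       { 'Enabled (UEFI lock)' }
        2       { 'Enabled (no lock)' }
        default { 'Not configured' }
    }

    # Secure Boot is a prerequisite; Confirm-SecureBootUEFI throws on legacy BIOS systems
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $false }

    [pscustomobject]@{
        VbsStatus                 = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        VbsPolicyEnabled          = ($dgPol.EnableVirtualizationBasedSecurity -eq 1)
        CredentialGuardPolicy     = $cgPolicy
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        SecureBoot                = $secureBoot
    }
}

$state = Get-CredentialGuardState
$state | Format-List

# The common failure mode after step 3: policy applied but the service is not running,
# usually because a reboot is pending or a prerequisite (UEFI, Secure Boot, TPM 2.0) is missing.
if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: reboot, then re-check the prerequisites.'
}
elseif (-not $state.CredentialGuardConfigured) {
    Write-Warning 'Credential Guard policy is not applied on this machine.'
}
```

Because the function returns an object rather than printing text, it can be run remotely with Invoke-Command and the results filtered on CredentialGuardRunning to find machines where the policy did not take effect.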

By following these steps, you can enable Credential Guard and enhance the security of credential information on your Windows devices.

Windows Defender Credential Guard is a valuable security feature for protecting against credential theft and related attacks. It isolates sensitive credentials, making it significantly more challenging for attackers to compromise your system’s security.

Author: tonyhughes