Windows Server 2016 and Windows 10 Enterprise both include Credential Guard, a virtualization-assisted security feature that protects the Active Directory credentials held on a device, specifically the NTLM password hashes and Kerberos tickets kept by the Local Security Authority, from theft by malware running in the operating system. In this article, I’ll explain how Credential Guard works.
It’s all about Pass-the-Hash
Pass-the-hash (PtH) attacks let an attacker authenticate as a user without ever knowing that user’s password. The attacker captures NT LAN Manager (NTLM) password hashes, either from the local computer’s Security Account Manager (SAM) database, from Active Directory, or from the memory of a device where the user is logged on interactively, and then presents the hash itself as proof of identity, because NTLM authentication never requires the cleartext password. Although AD uses Kerberos by default and exchanges encrypted tickets rather than password hashes, a user’s NTLM hash is still kept in the memory of the Local Security Authority process (LSASS) for the lifetime of the logon session, because Windows must also support clients and services that only speak NTLM. And while Kerberos is stronger than NTLM, an attacker with administrative or SYSTEM access to a device can read LSASS memory and steal both the NTLM hashes and the Kerberos Ticket-Granting Tickets (TGTs) cached there.
Following privileged account management best practices, such as not using the same local administrator password on every device and removing standing administrative privileges from users, limits how far an attacker can move with a stolen hash. For more detailed guidance on protecting against PtH attacks, see Defending Against Pass-the-Hash Attacks on Microsoft’s website.
Virtual Secure Mode
To help isolate and harden key system and user secrets, Windows 10 Enterprise and Windows Server 2016 include a new feature called Virtual Secure Mode (VSM). VSM uses the virtualization extensions of modern CPUs, together with the Hyper-V hypervisor, to isolate secrets from the operating system itself. Processes that run in VSM, and the memory they use, belong to a separate, minimal environment that the hypervisor keeps apart from the normal Windows kernel, so even kernel-mode code running in Windows cannot read that memory. The isolation works much like two virtual machines (VMs) running on Hyper-V: neither VM can directly access the other.
If Credential Guard is enabled, an isolated version of the Local Security Authority (LSA) runs inside Virtual Secure Mode, so security-sensitive tasks, such as storing and managing user and system credentials, happen in a container that the rest of Windows cannot inspect. The isolated processes that run inside VSM are called trustlets; the isolated LSA is one of them, and Windows can only talk to it through the narrow interface it exposes, never by reading its memory directly.
The normal LSA process (LSASS) still runs in Windows and acts as a proxy that forwards requests to the isolated LSA, so applications don’t need to be modified to work with Credential Guard. It’s worth noting that Credential Guard, like any other security technology, isn’t a panacea. It protects the secrets held by the isolated LSA, but not passwords typed into an already compromised machine, local accounts in the SAM, or credentials that applications cache on their own, and malware running as SYSTEM can still use a logged-on user’s credentials through the proxy for as long as that session lasts. What it does is make extracting the hashes and tickets themselves, the raw material of a pass-the-hash attack, much harder.
Before you can use Credential Guard, several requirements need to be met:
- UEFI firmware running in native mode (not legacy BIOS/CSM), with Secure Boot enabled
- A 64-bit edition of Windows 10 Enterprise or Windows Server 2016
- A CPU with Second Level Address Translation (SLAT) and virtualization extensions (Intel VT-x or AMD-V), enabled in firmware
- Trusted Platform Module (TPM) recommended, because it is used to protect the keys that VSM relies on
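As an added example (not from the original article), the following PowerShell script checks each of the prerequisites above, shows how Credential Guard is switched on through the registry when you are not using Group Policy, and verifies after the reboot that virtualization-based security and the isolated LSA trustlet (which appears in the normal OS as the LsaIso.exe process) are actually running. The function names are my own; the Win32_DeviceGuard class, the DeviceGuard and Lsa registry values, and the cmdlets are the ones Windows provides.

```powershell
# Added example: Credential Guard prerequisite check, enablement and verification.
# The function names are this example's own; Win32_DeviceGuard, the DeviceGuard/Lsa
# registry values and the cmdlets are the Windows-provided ones. Run from an
# elevated PowerShell 5.1 session on Windows 10 Enterprise or Windows Server 2016.
#Requires -RunAsAdministrator

function Test-CredentialGuardPrereqs {
    $info = Get-ComputerInfo

    # When a hypervisor is already running (for example, Hyper-V is installed) the
    # HyperVRequirement* properties come back empty, so treat that as satisfied.
    $hvPresent = [bool]$info.HyperVisorPresent
    $slat = $hvPresent -or [bool]$info.HyperVRequirementSecondLevelAddressTranslation
    $vtx  = $hvPresent -or [bool]$info.HyperVRequirementVirtualizationFirmwareEnabled

    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS firmware

    $tpm = $false
    try { $tpm = [bool](Get-Tpm).TpmPresent } catch { }

    [ordered]@{
        'UEFI firmware in native mode'     = ($info.BiosFirmwareType -eq 'Uefi')
        'Secure Boot enabled'              = $secureBoot
        '64-bit Windows'                   = [Environment]::Is64BitOperatingSystem
        'SLAT supported'                   = $slat
        'VT-x / AMD-V enabled in firmware' = $vtx
        'TPM present (recommended)'        = $tpm
    }
}

function Enable-CredentialGuardViaRegistry {
    param(
        # 1 = enabled with UEFI lock (cannot be turned off again remotely),
        # 2 = enabled without the lock. Use 2 while testing.
        [ValidateSet(1, 2)] [int] $LsaCfgFlags = 2
    )
    $dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dg -Force | Out-Null

    # Turn on virtualization-based security and require Secure Boot as the
    # platform security feature (a value of 3 would also require DMA protection).
    Set-ItemProperty -Path $dg  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dg  -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
    # LsaCfgFlags is the switch that moves LSA credential handling into VSM.
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value $LsaCfgFlags -Type DWord

    Write-Warning 'Credential Guard settings written; reboot for them to take effect.'
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard reports what VBS has configured and what is actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $cgRunning  = $dg.SecurityServicesRunning -contains 1
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsRunning = $dg.VirtualizationBasedSecurityStatus -eq 2
    # The isolated LSA trustlet is visible from the normal OS as the LsaIso.exe process.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning              = $vbsRunning
        CredentialGuardRunning  = $cgRunning
        LsaIsoProcessPresent    = [bool]$lsaIso
        SecurityServicesRunning = $dg.SecurityServicesRunning
    }
}

# Typical flow: check prerequisites, enable, reboot, then confirm.
Test-CredentialGuardPrereqs | Format-Table -AutoSize
Get-CredentialGuardStatus
```

Run `Test-CredentialGuardPrereqs` first and fix any `False` row before calling `Enable-CredentialGuardViaRegistry`; after the reboot, `Get-CredentialGuardStatus` should show `CredentialGuardRunning` and `LsaIsoProcessPresent` both `True`. If `VbsRunning` is `True` but Credential Guard is not, the platform passed the VBS checks but the LSA-side setting did not apply, which is usually a Group Policy value overriding the registry. Leave `LsaCfgFlags` at 2 during testing: with the UEFI lock (value 1) the setting persists in firmware and must be cleared from the console before Credential Guard can be turned off.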
In another article, Russel Smith explains how to add sensitive user accounts to the Active Directory Protected Users group.