Demystify: Windows 10 Device Guard Windows Defender Credential Guard


Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks such as Pass-the-Hash or Pass-the-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
The Credential Guard feature also leverages Virtual Secure Mode (VSM) by running an isolated copy of the Local Security Authority (LSA, hosted by LSASS) under its protection.

Once Credential Guard is enabled, you can check whether it (or many of the other features described in this article) is running by launching MSINFO32.EXE and viewing the following information:

[Screenshot: MSINFO32.EXE]

Hardware and software requirements for Credential Guard

To provide basic protection against OS-level attempts to read Credential Manager domain credentials, NTLM hashes and Kerberos-derived credentials, Windows Defender Credential Guard uses:

  • Support for Virtualization-based security (required)
  • Secure boot (required)
  • TPM 1.2 or 2.0, either discrete or firmware (preferred – provides binding to hardware)
  • UEFI lock (preferred – prevents attacker from disabling with a simple registry key change)

The Virtualization-based security requires:

  • 64-bit CPU
  • CPU virtualization extensions plus extended page tables
  • Windows hypervisor
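As an added example (not part of the original post), the following PowerShell reads the Win32_DeviceGuard WMI class that MSINFO32.EXE reports from and checks the requirements listed above. It assumes an elevated session on Windows 10 and that the LsaCfgFlags registry value reflects the configured UEFI lock.

```powershell
# Added example, not from the original post: query the same Device Guard
# status that MSINFO32.EXE displays and check the prerequisites listed above.
# Run from an elevated PowerShell session on Windows 10.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace root\Microsoft\Windows\DeviceGuard

# SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1
$hvciRunning  = $dg.SecurityServicesRunning    -contains 2

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# AvailableSecurityProperties: 1 = base VBS support, 2 = Secure Boot, 3 = DMA protection
$vbsSupported        = $dg.AvailableSecurityProperties -contains 1
$secureBootAvailable = $dg.AvailableSecurityProperties -contains 2

# UEFI lock: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled.
# Without the lock, Credential Guard can be switched off by changing this value.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
        -Name LsaCfgFlags -ErrorAction SilentlyContinue
$uefiLock = ($lsa.LsaCfgFlags -eq 1)

# TPM presence (preferred: binds the isolated secrets to the hardware)
$tpm = Get-Tpm -ErrorAction SilentlyContinue

[pscustomobject]@{
    VBSSupported              = $vbsSupported
    VBSRunning                = $vbsRunning
    SecureBootAvailable       = $secureBootAvailable
    SecureBootEnabled         = [bool](Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
    HVCIRunning               = $hvciRunning
    UEFILock                  = $uefiLock
    TPMPresent                = [bool]$tpm.TpmPresent
} | Format-List
```

A configured-but-not-running result usually means a prerequisite in the list above (VBS support, Secure Boot, or the hypervisor) is missing or a reboot is pending.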

Windows Defender Device Guard

Device Guard is a Windows security feature that combines enterprise-related hardware, firmware, and software security features. When configured together, they lock down a device so that it can run only trusted applications.

Device Guard consists of three primary components:

  • Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.
  • VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.
  • Platform and UEFI Secure Boot – Ensures the boot binaries and UEFI firmware are signed and have not been tampered with.

When these features are enabled together, the system is protected by Device Guard, providing class-leading malware resistance in Windows 10.
