How to use Credential Guard in Windows 10


One of the proverbial gems in the crown of a successful attack is user credentials, and it is understandable why. Once an attacker has a compromised system’s credentials, most of the actions in furtherance of the attack can be performed without a high risk of detection. 

A major vulnerability of previous Windows systems has been solved with Windows Defender Credential Guard. This article will detail how to use Credential Guard in Windows 10, including what Credential Guard is, Credential Guard prerequisites, the problem that Credential Guard solves, what Credential Guard brings to the table, how to manage Credential Guard and further considerations. 


What is Credential Guard?

Windows Defender Credential Guard is a new security platform available in Windows 10. This new feature moves the information security field away from the days of questionable credential storage to the world of virtualization. 

The easiest thing about using the Credential Guard feature is that once it is properly enabled, the feature will start working. Management is straightforward and simple: a few clicks into Group Policy and you’ll be up and running.

Credential Guard prerequisites

  • Windows 10 Enterprise, Windows Server 2016, Windows Server 2019
  • UEFI without CSM enabled
  • 64-bit Windows
  • Secure Boot enabled
  • Processor with both virtualization extensions and Second Level Address Translation (SLAT)
  • TPM recommended (not required)
  • Hyper-V turned on in Windows Features
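
As an added example (not part of the original article), the following read-only PowerShell check reports the prerequisites listed above and whether Credential Guard is configured and running. It assumes an elevated PowerShell session on the machine being checked; in the Win32_DeviceGuard service arrays, the value 1 denotes Credential Guard.

```powershell
# Added example: read-only report of Credential Guard prerequisites and state.
# Assumption: run from an elevated PowerShell session on the target machine.

function Test-SecureBoot {
    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM systems; treat that as "not met".
    try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }
}

function Get-TpmPresent {
    # A TPM is recommended, not required, so a missing TPM is only reported.
    try { [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { $false }
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue

# Meaning of Win32_DeviceGuard.VirtualizationBasedSecurityStatus
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

[pscustomobject]@{
    Edition                   = $os.Caption
    Is64Bit                   = [Environment]::Is64BitOperatingSystem
    SecureBoot                = Test-SecureBoot
    TpmPresent                = Get-TpmPresent
    HypervisorPresent         = [bool]$cs.HypervisorPresent
    VbsStatus                 = if ($dg) {
                                    $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
                                } else {
                                    'Win32_DeviceGuard class unavailable'
                                }
    # 1 in these arrays means Credential Guard (2 would be HVCI).
    CredentialGuardConfigured = [bool]($dg -and ($dg.SecurityServicesConfigured -contains 1))
    CredentialGuardRunning    = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
} | Format-List
```

A machine where CredentialGuardConfigured is True but CredentialGuardRunning is False usually has a prerequisite unmet or is waiting on a reboot after the policy was applied.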

What problem does Credential Guard solve and how?

As mentioned above, there was an inherent problem with the way credentials were stored on Windows systems before Windows 10 debuted Credential Guard (and even on some early Windows 10 versions): Windows stores credentials in hash stores within the system’s Local Security Authority, or LSA, in memory.

This is an attractive target for attackers, who can gain access to the operating system and then access the (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: