This article is a part of a series. The previous article can be found here:
In this article I’m going to focus on the next component:
Microsoft Defender Credential Guard protects against credential theft attacks. It isolates secrets so that only privileged system software can access them.
Credential Guard is a distinct feature, not part of Device Guard, that isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass-the-Hash style attack in the event that malicious code is already running via a local or network-based vector.
Credential Guard isolates credentials using Virtualization Based Security (VBS).
Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn’t host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
- Support for Virtualization-based security (required)
- Secure boot (required)
- Trusted Platform Module (TPM, preferred – provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware
- UEFI lock (preferred – prevents attacker from disabling with a simple registry key change)
You can enable Credential Guard using various methods which are detailed here:
To verify that Credential Guard is running, open the System Information app on your Windows 10 device and check the following two entries:
- Virtualization-based security Service Configured
- Virtualization-based security Service Running
Make sure Credential Guard is listed in both, as shown above.
If you look at your Task Manager you should see a process called LsaIso.exe as shown above, which is the isolated LSA process that Credential Guard sets up alongside lsass.exe.
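The same checks can be scripted, which is handier than opening System Information on every machine. The following is an added example, not from the original article; it assumes a supported Windows 10 build that exposes the Win32_DeviceGuard WMI class and reads the LsaCfgFlags registry value to report whether the UEFI lock mentioned above is in place.

```powershell
# Added example: check Credential Guard state from PowerShell (run elevated).
# Assumes the Win32_DeviceGuard class exists (supported Windows 10 builds).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

# In SecurityServicesConfigured / SecurityServicesRunning the value 1 denotes
# Credential Guard (2 denotes HVCI, which this article does not cover).
$configured = $dg.SecurityServicesConfigured -contains 1
$running    = $dg.SecurityServicesRunning    -contains 1

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
[pscustomobject]@{
    VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
    CredentialGuardConfigured = $configured
    CredentialGuardRunning    = $running
}

# The isolated LSA process should be present whenever Credential Guard is running.
$iso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue
if ($running -and -not $iso) {
    Write-Warning 'Credential Guard reports running but LsaIso.exe was not found'
} elseif ($iso) {
    "LsaIso.exe is running (PID $($iso.Id))"
}

# LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock, 0/absent = not set here.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LsaCfgFlags -ErrorAction SilentlyContinue
switch ($lsa.LsaCfgFlags) {
    1       { 'Credential Guard enabled with UEFI lock' }
    2       { 'Credential Guard enabled without UEFI lock (a registry change could disable it)' }
    default { 'LsaCfgFlags not set under Control\Lsa (may be configured by Group Policy instead)' }
}
```

A machine that shows Credential Guard as configured but not running usually fails one of the requirements listed above (VBS, Secure Boot), so compare the output with that list before troubleshooting further.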
You should also review which features and password types can be affected by protecting credentials, per:
There are also a few readiness tools for Credential Guard I found that may be handy:
In Part 6 we’ll take a look at: