All the Guards–Part 5

This article is a part of a series. The previous article can be found here:

All the Guards – Part 4 (System Guard)

In this article I’m going to focus on the next component:

Credential Guard

Microsoft Defender Credential Guard protects against credential theft attacks. It isolates secrets so that only privileged system software can access them.

Credential Guard is a separate feature, not part of Device Guard. It aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass-the-Hash style attack in the event that malicious code is already running via a local or network-based vector.

Credential Guard isolates credentials using Virtualization Based Security (VBS).

Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.

For security reasons, the isolated LSA process doesn’t host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.

Windows Defender Credential Guard overview

Windows Defender Credential Guard Requirements

You can enable Credential Guard using various methods which are detailed here:

Manage Windows Defender Credential Guard

To verify that Credential Guard is running, run the System Info app on your Windows 10 device and look for the:

Virtualization-based security Service Configured

and

Virtualization-based security Service Running

entries to make sure you see Credential Guard in both.

If you look at Task Manager, you should see a task called LsaIso.exe, which is the protected version of lsass.exe that Credential Guard sets up.
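The same two checks can be scripted so they can be run across many machines. The following PowerShell is an added example, not part of the original article; it reads the Win32_DeviceGuard CIM class that backs the System Info entries and looks for the LsaIso process. The function name Get-CredentialGuardStatus and the output property names are made up for this example.

```powershell
# Added example: scripted version of the System Info and Task Manager checks.
# Service and status codes follow Microsoft's Win32_DeviceGuard documentation.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected code integrity'
}
$vbsStates = @{
    0 = 'VBS not enabled'
    1 = 'VBS enabled but not running'
    2 = 'VBS enabled and running'
}

# Turn an array of service codes into readable names; unknown codes are kept as numbers.
function ConvertTo-ServiceList($codes) {
    $names = foreach ($c in @($codes)) {
        if ($serviceNames.ContainsKey([int]$c)) { $serviceNames[[int]$c] } else { "Other ($c)" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

# Hypothetical helper name, chosen for this example.
function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # LsaIso.exe is the isolated LSA process described in the article.
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus           = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured  = ConvertTo-ServiceList $dg.SecurityServicesConfigured
        ServicesRunning     = ConvertTo-ServiceList $dg.SecurityServicesRunning
        CredGuardConfigured = @($dg.SecurityServicesConfigured) -contains 1
        CredGuardRunning    = @($dg.SecurityServicesRunning) -contains 1
        LsaIsoPresent       = [bool]$lsaIso
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

# Configured-but-not-running is the case the System Info check is meant to catch.
if ($status.CredGuardConfigured -and -not $status.CredGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running on this device.'
}
```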

You should also review the following, as some features and passwords could be impacted by protecting credentials:

Considerations when using Windows Defender Credential Guard

There are also a few readiness tools for Credential Guard I found that may be handy:

Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool

Device Guard and Credential Guard hardware readiness tool

Once you have Virtualization Based Security (VBS) and Secure Boot enabled on your system, you can take advantage of Windows Defender Credential Guard to isolate credentials and protect them.

In Part 6 we’ll take a look at:

Application Guard
