This article is a part of a series. The previous article can be found here:
All the Guards – Part 4 (System Guard)
In this article I’m going to focus on the next component:
Microsoft Defender Credential Guard protects against credential theft attacks. It isolates secrets so that only privileged system software can access them.
Credential Guard is a specific feature that is not part of Device Guard. It aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass-the-Hash style attack in the event that malicious code is already running via a local or network-based vector.
Credential Guard isolates credentials using Virtualization Based Security (VBS).
Prior to Windows 10, the Local Security Authority (LSA) stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn’t host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
Windows Defender Credential Guard Requirements
- Support for Virtualization-based security (required)
- Secure boot (required)
- Trusted Platform Module (TPM, preferred – provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware
- UEFI lock (preferred – prevents attacker from disabling with a simple registry key change)
You can enable Credential Guard using various methods which are detailed here:
Manage Windows Defender Credential Guard
To verify that Credential Guard is running, run the System Info app on your Windows 10 device and look for the "Virtualization-based security Service Configured" and "Virtualization-based security Service Running" entries, making sure you see Credential Guard listed in both as shown above.
If you look at your Task Manager you should see a process called LsaIso.exe as shown above, which is the protected version of lsass.exe that Credential Guard sets up.
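As an added example (not part of the original post), the following PowerShell performs the same checks as the System Info app by querying the Win32_DeviceGuard WMI class that backs it, and additionally looks for the LsaIso.exe process and the LsaCfgFlags registry value that reflects the UEFI lock. The function name and the output fields are my own choice; the class, property and value names are Microsoft's documented ones.

```powershell
# Added example: report Credential Guard state in one object for quick verification or fleet audits.
function Test-CredentialGuard {
    [CmdletBinding()]
    param()

    # Same data the System Info app shows under "Virtualization-based security Services ...".
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    if (-not $dg) {
        throw 'Win32_DeviceGuard class not available; this OS build does not expose VBS status.'
    }

    # Service code 1 = Credential Guard (2 = HVCI, 3 = System Guard Secure Launch).
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # The isolated LSA process exists only while Credential Guard is actually running.
    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue

    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 or absent = not set by policy.
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
               -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LsaIsoProcessPresent      = [bool]$lsaIso
        UefiLocked                = ($lsaCfg -eq 1)
        Healthy                   = ($vbsRunning -and $cgConfigured -and $cgRunning -and [bool]$lsaIso)
    }
}

$status = Test-CredentialGuard
$status | Format-List

# UefiLocked = $false with Healthy = $true means a local admin could still turn Credential Guard
# off with a registry change, which is why the post lists UEFI lock as preferred.
if (-not $status.Healthy) {
    Write-Warning 'Credential Guard is not fully running; re-check the VBS, Secure Boot and TPM requirements.'
}
```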
You should also review the following, as some features and passwords could be impacted by protecting credentials:
Considerations when using Windows Defender Credential Guard
There are also a few readiness tools for Credential Guard I found that may be handy:
Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
Device Guard and Credential Guard hardware readiness tool
Once you have Virtualization Based Security (VBS) and Secure Boot enabled on your system, you can take advantage of Windows Defender Credential Guard to isolate and protect credentials.
In Part 6 we’ll take a look at: