From 1bbb3a8bfffc1d121fa84980b639d23bf9a3ecef Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 11 Apr 2016 09:23:47 -0700 Subject: [PATCH] Bug 7168338 --- windows/keep-secure/credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 3d8a02bb7d..611a173709 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -35,7 +35,7 @@ Credential Guard isolates secrets that previous versions of Windows stored in th For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -Credential Guard also does not allow older variants of NTLM and Kerberos authentication protocols and cipher suites when using default derived credentials, including NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES. +Credential Guard also does not allow older variants of NTLM, unconstrained Kerberos delegation, and Kerberos authentication protocols and cipher suites when using default derived credentials, including NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES. Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
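Review bot: In the added line, "unconstrained Kerberos delegation" sits between "older variants of NTLM" and "Kerberos authentication protocols and cipher suites", so the sentence now reads as if delegation were one of the "older variants", and the trailing "including NTLMv1, MS-CHAPv2, and weaker Kerberos encryption types, such as DES" appears to give examples for a list that none of them illustrate for delegation. Unconstrained delegation is a delegation mode, not a protocol version or cipher suite, so it would be clearer to leave the original sentence as it was and add a separate one after it, for example "Credential Guard also does not allow unconstrained Kerberos delegation." It is also unclear whether the qualifier "when using default derived credentials" is meant to apply to delegation; a separate sentence would let that be stated explicitly. Finally, the subject "Bug 7168338" says nothing about the change; a short description such as "Note that Credential Guard blocks unconstrained Kerberos delegation" would make the history searchable without access to the bug tracker.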