deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update credential-guard.md

Browse Source 
refined app stuff. typo in HW
This commit is contained in:
GITMichiko
2017-01-31 13:20:13 -08:00
committed by GitHub
parent 4eed7f3a31
commit 4d4784d6ae
1 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
windows/keep-secure/credential-guard.md
View File

@ -52,15 +52,19 @@ To provide basic protection against OS level attempts to read Credential Manager
The Virtualization-based security requires: The Virtualization-based security requires:
- 64 bit CPU - 64 bit CPU
- CPU virtualization extensions plu extended page tables - CPU virtualization extensions plus extended page tables
- Windows hypervisor - Windows hypervisor
### Application requirements ### Application requirements
When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
>[!WARNING] Enabling Credential Guard on Domain Controllers is not supported >[!WARNING]
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled. Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database. > Enabling Credential Guard on Domain Controllers is not supported <br>
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled causing crashes.
>[!NOTE]
> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
Applications will break if they require: Applications will break if they require:
- Kerberos DES encryption support - Kerberos DES encryption support
@ -73,6 +77,8 @@ Applications will prompt & expose credentials to risk if they require:
- Credential delegation - Credential delegation
- MS-CHAPv2 - MS-CHAPv2
Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
### Security considerations ### Security considerations
The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.