deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Conversion of intro to table

Browse Source
This commit is contained in:
Paolo Matarazzo 2024-06-20 14:32:07 -04:00
parent ee977cd5ee
commit b25b6e4984
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
windows/security/identity-protection/credential-guard/how-it-works.md
View File

@ -7,13 +7,18 @@ ms.topic: concept-article
# How Credential Guard works
Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`. With Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous versions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process `lsass.exe`.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All the binaries are signed with a certificate that VBS trusts, and the signatures are validated before launching the file in the protected environment.
:::row:::
:::column span="2":::
With Credential Guard enabled, the LSA process in the operating system talks to a component called the *isolated LSA process* that stores and protects those secrets, `LSAIso.exe`. Data stored by the isolated LSA process is protected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
:::image type="content" source="images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard architecture.":::
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All the binaries are signed with a certificate that VBS trusts, and the signatures are validated before launching the file in the protected environment.
:::column-end:::
:::column span="2":::
:::image type="content" source="images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard architecture." lightbox="images/credential-guard-architecture.png" border="false":::
:::column-end:::
:::row-end:::
## Credential Guard protection limits