mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-17 11:23:45 +00:00
Added topic descriptions
@ -1,7 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Considerations when using Credential Guard (Windows 10)
|
title: Considerations when using Credential Guard (Windows 10)
|
||||||
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10.
|
||||||
ms.assetid:
|
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: explore
|
ms.mktglfcycl: explore
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
@ -35,13 +34,15 @@ author: brianlic-msft
|
|||||||
- Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
|
- Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
|
||||||
- Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
|
- Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
|
||||||
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
|
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
|
||||||
- Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. For further information, see:
|
- Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
|
||||||
[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
|
|
||||||
|
|
||||||
## NTLM & CHAP Considerations
|
## NTLM and CHAP Considerations
|
||||||
|
|
||||||
When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
|
When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
|
||||||
|
|
||||||
## Kerberos Considerations
|
## Kerberos Considerations
|
||||||
|
|
||||||
When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
|
When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
|
||||||
|
|
||||||
|
For further information, see: [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
|
@ -1,7 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: How Credential Guard works
|
title: How Credential Guard works
|
||||||
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
description: Using virtualization-based security, Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
|
||||||
ms.assetid:
|
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: explore
|
ms.mktglfcycl: explore
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
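Review bot: the new description for "How Credential Guard works" is a single sentence of roughly 250 characters, far longer than the one-line descriptions this commit gives the other topics, and a topic description is meant to be a short summary. Trim it to something like "Credential Guard uses virtualization-based security to isolate secrets in an isolated LSA process so that only privileged system software can access them."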
@ -28,4 +27,5 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
|
|||||||
|
|
||||||

|

|
||||||
|
|
||||||
For further information, see [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
|
|
||||||
|
<br>For further information, see [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
|
||||||
|
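Review bot: the `<br>` added at the start of the "For further information" line is redundant with the blank line inserted just above it; in Markdown a blank line already starts a new paragraph, so the leading `<br>` only renders as an extra empty line. Drop the `<br>`, keep the blank line, and end the sentence with a period. The same link is moved to the end of the Considerations topic in this commit without a `<br>`, so this also keeps the two topics consistent.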
@ -1,7 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Manage Credential Guard (Windows 10)
|
title: Manage Credential Guard (Windows 10)
|
||||||
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
|
||||||
ms.assetid:
|
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: explore
|
ms.mktglfcycl: explore
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
@ -34,7 +33,6 @@ You can use Group Policy to enable Credential Guard. This will add and enable th
|
|||||||
|
|
||||||
To enforce processing of the group policy, you can run ```gpupdate /force```.
|
To enforce processing of the group policy, you can run ```gpupdate /force```.
|
||||||
|
|
||||||
For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
|
|
||||||
|
|
||||||
### Enable Credential Guard by using the registry
|
### Enable Credential Guard by using the registry
|
||||||
|
|
||||||
@ -47,7 +45,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows
|
|||||||
If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
|
If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
|
||||||
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
|
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
|
If you enable Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
|
||||||
|
|
||||||
|
|
||||||
**Add the virtualization-based security features by using Programs and Features**
|
**Add the virtualization-based security features by using Programs and Features**
|
||||||
@ -114,6 +112,7 @@ Requirements for running Credential Guard in Hyper-V virtual machines
|
|||||||
|
|
||||||
For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
|
For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
|
||||||
|
|
||||||
|
|
||||||
### Remove Credential Guard
|
### Remove Credential Guard
|
||||||
|
|
||||||
If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
|
If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
|
||||||
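Review bot: the unchanged context line `For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/...)` has a space between `]` and `(`, so Markdown renders it as bracketed text followed by a bare URL rather than as a link. The copy removed earlier in this file had the same defect, and the copy this commit adds at the end of the file is written correctly as `[Deploying Credential Guard](...)`; fix this remaining one the same way while the file is being edited.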
@ -185,4 +184,5 @@ You can also check that Credential Guard is running by using the [Device Guard a
|
|||||||
|
|
||||||
```
|
```
|
||||||
DG_Readiness_Tool_v3.0.ps1 -Ready
|
DG_Readiness_Tool_v3.0.ps1 -Ready
|
||||||
```
|
```
|
||||||
|
For further information, see: [Deploying Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
|
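Review bot: the fenced block around `DG_Readiness_Tool_v3.0.ps1 -Ready` in the unchanged context has no language tag; tagging the fence with powershell gives the reader syntax highlighting and makes clear which shell the command is typed into. The added "For further information" line should also end with a period.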
@ -1,7 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Scenarios not protected by Credential Guard (Windows 10)
|
title: Scenarios not protected by Credential Guard (Windows 10)
|
||||||
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
description: Scenarios not protected by Credential Guard in Windows 10.
|
||||||
ms.assetid:
|
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: explore
|
ms.mktglfcycl: explore
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
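Review bot: the new description "Scenarios not protected by Credential Guard in Windows 10." only restates the title and adds nothing for search results or the topic index; say what the topic actually covers, for example that it explains how authentication policies, Kerberos armoring, and domain-joined device certificates restrict users to devices that have Credential Guard enabled (the sections edited later in this commit).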
@ -37,9 +36,9 @@ Credential Guard can provide mitigations against attacks on derived credentials
|
|||||||
|
|
||||||
### Restricting domain users to specific domain-joined devices
|
### Restricting domain users to specific domain-joined devices
|
||||||
|
|
||||||
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign in to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign in using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
|
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
|
||||||
|
|
||||||
### Kerberos armoring
|
#### Kerberos armoring
|
||||||
|
|
||||||
Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
|
Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
|
||||||
|
|
||||||
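Review bot: changing "sign in" to "sign on" runs against the usual Microsoft style preference for "sign in"; confirm this is intended before the same substitution is carried through the rest of the topic. Separately, the unchanged Kerberos armoring paragraph is a run-on: "signed KDC errors this mitigates tampering" needs a break, for example "signed KDC errors, which mitigates tampering that could otherwise lead to downgrade attacks".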
@ -49,9 +48,9 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
|
|||||||
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
|
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
|
||||||
- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
|
- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
|
||||||
|
|
||||||
### Protecting domain-joined device secrets
|
#### Protecting domain-joined device secrets
|
||||||
|
|
||||||
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign in as the user.
|
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
|
||||||
|
|
||||||
Domain-joined device certificate authentication has the following requirements:
|
Domain-joined device certificate authentication has the following requirements:
|
||||||
- Devices' accounts are in Windows Server 2012 domain functional level or higher domains.
|
- Devices' accounts are in Windows Server 2012 domain functional level or higher domains.
|
||||||
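Review bot: in the unchanged "Protecting domain-joined device secrets" paragraph, "This prevents shared secrets stolen from the device to be used with stolen user credentials" should read "from being used"; and in the client bullet above it, "Group Policy settings" refers to a single setting, so make it singular.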
@ -93,7 +92,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> You must restart the device after enrolling the machine authentication certificate.
|
> You must restart the device after enrolling the machine authentication certificate.
|
||||||
|
|
||||||
### How a certificate issuance policy can be used for access control
|
#### How a certificate issuance policy can be used for access control
|
||||||
|
|
||||||
Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
|
Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
|
||||||
|
|
||||||
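Review bot: the unchanged paragraph under the demoted heading has a grammar slip: "domain controllers support for authentication mechanism assurance provides" should be "domain controller support for authentication mechanism assurance provides" (or "domain controllers' support").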
@ -115,13 +114,13 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
|
|||||||
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
|
.\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"<name of issuance policy>" –groupOU:"<Name of OU to create>" –groupName:”<name of Universal security group to create>"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Restricting user sign on
|
#### Restricting user sign on
|
||||||
|
|
||||||
So we now have completed the following:
|
So we now have completed the following:
|
||||||
|
|
||||||
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign in
|
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
|
||||||
- Mapped that policy to a universal security group or claim
|
- Mapped that policy to a universal security group or claim
|
||||||
- Provided a way for domain controllers to get the device authorization data during user sign in using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
|
- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
|
||||||
|
|
||||||
Authentication policies have the following requirements:
|
Authentication policies have the following requirements:
|
||||||
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
|
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
|
||||||
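Review bot: the script invocation in the unchanged context uses en dashes (`–IssuancePolicyName`, `–groupOU`, `–groupName`) and one curly opening quote (`”<name of Universal security group to create>"`) where ASCII `-` and `"` are expected; these look like smart-formatting artifacts and are easy to copy incorrectly, so normalize them to plain ASCII. Also, the last bullet under "So we now have completed the following" runs straight into "Now what is left to do is to configure the access check on the domain controllers"; that sentence is the transition to the next step and belongs in its own paragraph after the list.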
@ -144,7 +143,7 @@ Authentication policies have the following requirements:
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
|
> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
|
||||||
|
|
||||||
### Discovering authentication failures due to authentication policies
|
#### Discovering authentication failures due to authentication policies
|
||||||
|
|
||||||
To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
|
To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
|
||||||
|
|
||||||
|
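Review bot: the bold span in the unchanged Event Viewer instruction is mis-scoped: `**Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**` bolds the words "right-click" as if they were part of the path. Close the bold after `Authentication` and open a new one around `AuthenticationPolicyFailures-DomainController`, matching how **Enable Log** is marked up in the same sentence.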
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Credential Guard Requirements (Windows 10)
|
title: Credential Guard Requirements (Windows 10)
|
||||||
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
description: Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: explore
|
ms.mktglfcycl: explore
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
@ -15,9 +15,11 @@ author: brianlic-msft
|
|||||||
- Windows 10
|
- Windows 10
|
||||||
- Windows Server 2016
|
- Windows Server 2016
|
||||||
|
|
||||||
For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
|
For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so application that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, see the tables in the [Security Considerations](#security-considerations) section.
|
||||||
|
|
||||||
### Hardware and software requirements
|
|
||||||
|
|
||||||
|
## Hardware and software requirements
|
||||||
|
|
||||||
To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
|
To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
|
||||||
- Support for Virtualization-based security (required)
|
- Support for Virtualization-based security (required)
|
||||||
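Review bot: the rewrite introduces a number-agreement error: "so application that require such capabilities will break" should be "so applications that require such capabilities will break" (the original "applications which require blocked capabilities" was at least grammatical). The same wording is repeated in the Application requirements section later in this commit, so fix both. Also in the unchanged context, "Credential Manager uses:" introduces the list of virtualization-based security requirements, which belong to Credential Guard rather than Credential Manager; confirm and correct the subject.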
@ -26,13 +28,13 @@ To provide basic protection against OS level attempts to read Credential Manager
|
|||||||
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
|
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
|
||||||
|
|
||||||
The Virtualization-based security requires:
|
The Virtualization-based security requires:
|
||||||
- 64 bit CPU
|
- 64-bit CPU
|
||||||
- CPU virtualization extensions plus extended page tables
|
- CPU virtualization extensions plus extended page tables
|
||||||
- Windows hypervisor
|
- Windows hypervisor
|
||||||
|
|
||||||
### Application requirements
|
## Application requirements
|
||||||
|
|
||||||
When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
|
When Credential Guard is enabled, specific authentication capabilities are blocked, so application that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
|
||||||
|
|
||||||
>[!WARNING]
|
>[!WARNING]
|
||||||
> Enabling Credential Guard on domain controllers is not supported. <br>
|
> Enabling Credential Guard on domain controllers is not supported. <br>
|
||||||
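Review bot: "so application that require such capabilities will break" is the same agreement error as in the introduction rewrite; it should be "applications that require". While touching this paragraph, fix the unchanged typo "compatiblity" (compatibility).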
@ -47,14 +49,14 @@ Applications will break if they require:
|
|||||||
- Extracting the Kerberos TGT
|
- Extracting the Kerberos TGT
|
||||||
- NTLMv1
|
- NTLMv1
|
||||||
|
|
||||||
Applications will prompt & expose credentials to risk if they require:
|
Applications will prompt and expose credentials to risk if they require:
|
||||||
- Digest authentication
|
- Digest authentication
|
||||||
- Credential delegation
|
- Credential delegation
|
||||||
- MS-CHAPv2
|
- MS-CHAPv2
|
||||||
|
|
||||||
Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
|
Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
|
||||||
|
|
||||||
### Security considerations
|
## Security considerations
|
||||||
|
|
||||||
All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
|
All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
|
||||||
Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
|
Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
|
||||||
@ -64,7 +66,7 @@ The following tables describe baseline protections, plus protections for improve
|
|||||||
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. <br>
|
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. <br>
|
||||||
> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
|
> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
|
||||||
|
|
||||||
#### Baseline protections
|
### Baseline protections
|
||||||
|
|
||||||
|Baseline Protections | Description |
|
|Baseline Protections | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
@ -78,7 +80,7 @@ The following tables describe baseline protections, plus protections for improve
|
|||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
|
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
|
||||||
|
|
||||||
#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
|
### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
|
||||||
|
|
||||||
| Protections for Improved Security | Description |
|
| Protections for Improved Security | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
@ -88,7 +90,7 @@ The following tables describe baseline protections, plus protections for improve
|
|||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
|
### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
|
> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
|
||||||
@ -101,11 +103,11 @@ The following tables describe baseline protections, plus protections for improve
|
|||||||
|
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
#### 2017 Additional security qualifications starting with Windows 10, version 1703
|
### 2017 Additional security qualifications starting with Windows 10, version 1703
|
||||||
|
|
||||||
The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
|
The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
|
||||||
|
|
||||||
| Protection for Improved Security | Description |
|
| Protection for Improved Security | Description |
|
||||||
|---------------------------------------------|----------------------------------------------------|
|
|---------------------------------------------|----------------------------------------------------|
|
||||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code<br><br>**Security benefits**:<br>• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> - PE sections need to be page-aligned in memory (not required for in non-volatile storage).<br> - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code<br><br>**Security benefits**:<br>• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||||
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
||||||
|
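Review bot: the spelling fixes in the NX row (exceutable, volitile) leave two smaller defects in the same cell: "not required for in non-volatile storage" still carries a stray "for", and the cell mixes "writable" and "writeable" within one sentence ("both executable and writable. Memory must be either readable and executable or writeable and non-executable"). Suggest "not required in non-volatile storage" and one spelling throughout. The unchanged SMM row below has the same kind of problem in its first security benefit, "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS", which fuses two sentences; since the file is being touched for wording anyway, "Potential vulnerabilities in UEFI runtime services, if any, are blocked from compromising VBS" would read correctly.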
@ -1,7 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Credential Guard Scripts (Windows 10)
|
title: Credential Guard Scripts (Windows 10)
|
||||||
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
description: Credential Guard Scripts listed in this topic for Windows 10, for obtaining the available issuance policies on the certificate authority.
|
||||||
ms.assetid:
|
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: explore
|
ms.mktglfcycl: explore
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
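Review bot: the new description for the scripts topic is not a grammatical sentence ("Credential Guard Scripts listed in this topic for Windows 10, for obtaining the available issuance policies on the certificate authority."); suggest something like "Scripts for Windows 10 that list the issuance policies available on a certificate authority, for use with Credential Guard." Dropping the empty ms.assetid line is fine.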
@ -21,13 +21,33 @@ By enabling Credential Guard, the following features and solutions are provided:
|
|||||||
|
|
||||||
- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
|
- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
|
||||||
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
|
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
|
||||||
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
|
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
|
||||||
|
|
||||||
• How to prevent credential theft
|
|
||||||
• Virtualization-based security
|
|
||||||
• Credential Guard Design
|
|
||||||
|
|
||||||
|
|
||||||
|
## Topics in this guide
|
||||||
|
|
||||||
|
[How Credential Guard works](credential-guard-how-it-works.md)
|
||||||
|
|
||||||
|
[Credential Guard Requirements](credential-guard-requirements.md)
|
||||||
|
|
||||||
|
[Manage Credential Guard](credential-guard-manage.md)
|
||||||
|
|
||||||
|
[Considerations when using Credential Guard](credential-guard-considerations.md)
|
||||||
|
|
||||||
|
[Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md)
|
||||||
|
|
||||||
|
[Known issues](credential-manager-known-issues.md)
|
||||||
|
|
||||||
|
[Credential Guard Scripts](credential-guard-scripts.md)
|
||||||
|
|
||||||
|
|
||||||
|
<br>For further information, see:
|
||||||
|
|
||||||
|
[How to prevent credential theft](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=CAgzpKJyC_304300474)
|
||||||
|
|
||||||
|
[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
|
||||||
|
|
||||||
|
[Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
|
||||||
|
|
||||||
## Related topics
|
## Related topics
|
||||||
|
|
||||||
|
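Review bot: the new "For further information, see:" block is introduced with a bare `<br>` rather than a heading, while the list added just above it gets "## Topics in this guide" and the existing "## Related topics" follows right after it, so the page now ends with two link lists separated only by a line break; suggest either moving the three MVA links under "## Related topics" or giving the block its own heading in the same style. The three bullets removed from the old text ("How to prevent credential theft", "Virtualization-based security", "Credential Guard Design") reappear as the MVA links, so no content is lost. Also worth confirming that [Known issues](credential-manager-known-issues.md) is the intended target, since every other entry in the list points at a credential-guard-*.md file; it does match the Known issues file edited later in this commit.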
@ -1,7 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: Known issues with Credential Manager (Windows 10)
|
title: Known issues with Credential Manager (Windows 10)
|
||||||
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
|
||||||
ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
|
|
||||||
ms.prod: w10
|
ms.prod: w10
|
||||||
ms.mktglfcycl: explore
|
ms.mktglfcycl: explore
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
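Review bot: this file keeps the generic description "Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets..." even though the commit adds topic descriptions elsewhere and the page title is "Known issues with Credential Manager"; suggest a description specific to the known issues. The removed ms.assetid here holds a real GUID (4F1FE390-A166-4A24-8530-EA3369FEB4B1), unlike the empty assetid removed in the scripts file, so confirm the removal is intended.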