Brian Lich 2016-09-06 10:59:56 -07:00
parent e7c3ead8eb
commit d772eeaa14


@ -339,7 +339,7 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user.
Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 DFL or higher domains.
- Devices' accounts are in Windows Server 2012 domain funcational level or higher domains.
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- KDC EKU present
- DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
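Review bot: the rewritten requirement line in this hunk introduces a typo, "funcational" should be "functional", so it should read `- Devices' accounts are in Windows Server 2012 domain functional level or higher domains.`; "are in domains at the Windows Server 2012 domain functional level or higher" would be clearer still. While touching this paragraph, the unchanged context sentence "This prevents shared secrets on stolen from the device to be used with stolen user credentials" is garbled and could be fixed in the same edit (for example "This prevents shared secrets stolen from the device from being used with stolen user credentials to sign on as the user").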
@ -386,27 +386,30 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro
- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
From a Windows PowerShell command prompt, run the following command:
``` syntax
.\get-IssuancePolicy.ps1 LinkedToGroup:All
```
**To link a issuance policy to a universal security group**
- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
From a Windows PowerShell command prompt, run the following command:
``` syntax
.\set-IssuancePolicyToGroupLink.ps1 IssuancePolicyName:<name of issuance policy>groupOU:”<Name of OU to create> groupName:”<name of Universal security group to create>
.\set-IssuancePolicyToGroupLink.ps1 IssuancePolicyName:"<name of issuance policy>" groupOU:"<Name of OU to create>" groupName:”<name of Universal security group to create>"
```
#### Restricting user sign on
So we now have:
So we now have the following:
- Created a special certificate issuance policy to identify devices which meet the deployment criteria required for the user to be able to sign on
- Mapped that policy to a universal security group or claim
- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring-
so what is left to do is configuring the access check on the domain controllers. This is done with authentication policies.
Authentication policies have the following requirements:
- Users' accounts are in Windows Server 2012 R2 DFL or higher domains.
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
**Creating an authentication policy restricting to the specific universal security group**
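Review bot: the corrected set-IssuancePolicyToGroupLink.ps1 command in this hunk still has a typographic quotation mark (”) before the groupName value while the other two arguments now use straight quotes; this is inconsistent and risks breaking when the line is pasted into an editor or shell that does not treat curly quotes as delimiters, so the line should read `.\set-IssuancePolicyToGroupLink.ps1 IssuancePolicyName:"<name of issuance policy>" groupOU:"<Name of OU to create>" groupName:"<name of Universal security group to create>"`. Separately, the rewritten authentication policy requirement drops the "R2" that the original "Windows Server 2012 R2 DFL" line carried; authentication policies require the Windows Server 2012 R2 domain functional level, so please confirm the change is intentional, otherwise restore it as "User accounts are in a Windows Server 2012 R2 domain functional level or higher domain."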