Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into v-jak-sec01

This commit is contained in:
JanKeller1
2017-02-03 10:38:01 -08:00
6 changed files with 11 additions and 12 deletions


@ -1,4 +1,4 @@
[s,,---
---
title: Protect derived domain credentials with Credential Guard (Windows 10)
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
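Review bot: the removed first line (`[s,,---`) was stray text ahead of the YAML front matter, which would have kept the metadata block from being parsed; dropping it so the file opens with `---` is the right fix. Worth grepping the rest of the repo for the same stray prefix, since it looks like an editor artifact that may have landed in more than one file.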
@ -9,6 +9,7 @@ ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
# Protect derived domain credentials with Credential Guard
**Applies to**
@ -19,9 +20,9 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u
By enabling Credential Guard, the following features and solutions are provided:
**Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
,- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
## How it works
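Review bot: the unbulleted **Hardware security** line and the `,- **Better protection...` line were both breaking the three-item list under "By enabling Credential Guard, the following features and solutions are provided:"; restoring the `- ` prefix on both is correct. Consider also splitting each bold lead-in from its sentence (for example `- **Hardware security**: NTLM, ...`), since the bold label currently runs straight into the text with no separator.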
@ -60,7 +61,7 @@ The Virtualization-based security requires:
When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
>[!WARNING]
> Enabling Credential Guard on domain controllers is not supported <br>
> Enabling Credential Guard on domain controllers is not supported. <br>
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
>[!NOTE]
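Review bot: the added period after "is not supported" is fine, but the unchanged context line just above still contains the typo "compatiblity" ("to ensure compatiblity with the reduced functionality"); since this hunk already touches the paragraph, fix it to "compatibility" in the same change. Also, the trailing `<br>` inside the warning block is unnecessary when the following line is its own `> ` line.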


@ -124,8 +124,6 @@ To sign the existing catalog file, copy each of the following commands into an e
After the catalog file is signed, add the signing certificate to a code integrity policy, as described in the following steps.
<!-- All options below need to be confirmed. -->
1. If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a code integrity policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
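Review bot: the HTML comment `<!-- All options below need to be confirmed. -->` is still in the context of this hunk, which means the numbered signing-certificate steps that follow are shipping with an open verification note attached; either confirm the options and drop the comment, or leave a tracking reference so the unverified state is visible to the next editor.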
@ -134,7 +132,7 @@ After the catalog file is signed, add the signing certificate to a code integrit
> **Note**&nbsp;&nbsp;Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for *<policypath>* and *<certpath>*:
3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:
` Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User `
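Review bot: switching `*<policypath>*` and `*<certpath>*` to backticked `<policypath>` and `<certpath>` is the right fix, since angle-bracket text in italics can be swallowed as an HTML tag by the renderer. The inline command on the following context line has leading and trailing spaces inside the backticks (`` ` Add-SignerRule ... -User ` ``); trim them so the rendered code span starts at `Add-SignerRule`.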