Merge pull request #455 from jotob-msft/justin-test

Justin test
2025-05-29 13:47:23 +00:00 · 2017-03-21 16:22:02 -07:00 · 2017-03-21 16:22:02 -07:00 · fc8480ab4e
commit fc8480ab4e
parent c64ec2ef55 bf7e8759cf
10 changed files with 80 additions and 66 deletions
--- a/images/mva_videos.png
+++ b/images/mva_videos.png
--- a/windows/keep-secure/credential-guard-considerations.md
+++ b/windows/keep-secure/credential-guard-considerations.md
@ -15,6 +15,14 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
 Prefer video? See: 
 [![Credentials Protected by Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
 See also:
 [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
 -   If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain.
 -   You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
    -   **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
@ -44,5 +52,3 @@ When you enable Credential Guard, you can no longer use NTLM v1 authentication.
 ## Kerberos Considerations
 When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
 For further information, see: [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
--- a/windows/keep-secure/credential-guard-how-it-works.md
+++ b/windows/keep-secure/credential-guard-how-it-works.md
@ -15,6 +15,19 @@ author: brianlic-msft
 - Windows 10  
 - Windows Server 2016  
 Prefer video? See:
 [![Protecting against credential theft](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=CAgzpKJyC_304300474)
 See also:
 [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
 [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
 [Credential Guard design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
 Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
 For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
@ -25,7 +38,4 @@ When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos
 Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
-![Credential Guard overview](images/credguard.png)
+![Credential Guard overview](images/credguard.png)
 <br>For further information, see [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) 
--- a/windows/keep-secure/credential-guard-manage.md
+++ b/windows/keep-secure/credential-guard-manage.md
@ -15,6 +15,11 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
 Prefer video?
 [![Deploying Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
 ## Enable Credential Guard
 Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
@ -85,7 +90,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
 > [!NOTE]  
-> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
+> You can also enable Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
 <span id="hardware-readiness-tool" />
 ### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
@ -110,7 +115,24 @@ Requirements for running Credential Guard in Hyper-V virtual machines
 - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
 - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. 
-For further information, see: [Deploying Credential Guard] (https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
+
 ### Check that Credential Guard is running
 You can use System Information to ensure that Credential Guard is running on a PC.
 1.  Click **Start**, type **msinfo32.exe**, and then click **System Information**.
 2.  Click **System Summary**.
 3.  Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**.
    Here's an example:
    ![System Information](images/credguard-msinfo32.png)
 You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
 ```
 DG_Readiness_Tool_v3.0.ps1 -Ready
 ```
 ### Remove Credential Guard
@ -168,21 +190,3 @@ You can also disable Credential Guard by using the [Device Guard and Credential
 DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
 ```
 ### Check that Credential Guard is running
 You can use System Information to ensure that Credential Guard is running on a PC.
 1.  Click **Start**, type **msinfo32.exe**, and then click **System Information**.
 2.  Click **System Summary**.
 3.  Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**.
    Here's an example:
    ![System Information](images/credguard-msinfo32.png)
 You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
 ```
 DG_Readiness_Tool_v3.0.ps1 -Ready
 ```
 For further information, see: [Deploying Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
--- a/windows/keep-secure/credential-guard-not-protected-scenarios.md
+++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md
@ -15,6 +15,15 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
 Prefer video? 
 [![Credentials not protected by Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
 See also: [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
 Some ways to store credentials are not protected by Credential Guard, including:
 -   Software that manages credentials outside of Windows feature protection
@ -28,11 +37,11 @@ Some ways to store credentials are not protected by Credential Guard, including:
    -   When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
 -   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
-For further information, see: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+For further information, see video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
 ## Additional mitigations
-Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust.
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
 ### Restricting domain users to specific domain-joined devices
@ -50,10 +59,10 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
 #### Protecting domain-joined device secrets
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
 Domain-joined device certificate authentication has the following requirements:
-   Devices' accounts are in Windows Server 2012 domain functional level or higher domains.
+-   Devices' accounts are in Windows Server 2012 domain functional level or higher.
 -   All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
    -   KDC EKU present
    -   DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
@ -131,7 +140,7 @@ Authentication policies have the following requirements:
 2.  Click **Authentication**, click **New**, and then click **Authentication Policy**.
 3.  In the **Display name** box, enter a name for this authentication policy.
 4.  Under the **Accounts** heading, click **Add**.
-5.  In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**.
+5.  In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
 6.  Under the **User Sign On** heading, click the **Edit** button.
 7. Click **Add a condition**.
 8. In the **Edit Access Control Conditions** box, ensure that it reads **User** &gt; **Group** &gt; **Member of each** &gt; **Value**, and then click **Add items**.
@ -148,5 +157,3 @@ Authentication policies have the following requirements:
 To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
 To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
 For further information, see: [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
--- a/windows/keep-secure/credential-guard-requirements.md
+++ b/windows/keep-secure/credential-guard-requirements.md
@ -15,7 +15,16 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
-For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so application that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, see the tables in the [Security Considerations](#security-considerations) section.
+Prefer video?
 [![Credential Guard Deployment Requirements](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
 For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
@ -34,7 +43,7 @@ The Virtualization-based security requires:
 ## Application requirements
-When Credential Guard is enabled, specific authentication capabilities are blocked, so application that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. 
+When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. 
 >[!WARNING] 
 > Enabling Credential Guard on domain controllers is not supported. <br>
@ -56,6 +65,9 @@ Applications will prompt and expose credentials to risk if they require:
 Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. 
 See this video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
 ## Security considerations
 All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. 
--- a/windows/keep-secure/credential-guard-scripts.md
+++ b/windows/keep-secure/credential-guard-scripts.md
@ -11,7 +11,7 @@ author: brianlic-msft
 # Credential Guard Scripts
-Here is a list of scripts that are mentioned in this topic.
+Here is a list of scripts mentioned in this topic.
 ## <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@ -1,6 +1,7 @@
 ---
 title: Protect derived domain credentials with Credential Guard (Windows 10)
 description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
 ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
@ -15,41 +16,15 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
-Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
+Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
 By enabling Credential Guard, the following features and solutions are provided:
 -   **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
 -   **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
-   **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. 
+-   **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
 ## Topics in this guide
 [How Credential Guard works](credential-guard-how-it-works.md)
 [Credential Guard Requirements](credential-guard-requirements.md)
 [Manage Credential Guard](credential-guard-manage.md)
 [Considerations when using Credential Guard](credential-guard-considerations.md)
 [Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md)
 [Known issues](credential-manager-known-issues.md)
 [Credential Guard Scripts](credential-guard-scripts.md)
 <br>For further information, see:
 [How to prevent credential theft](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=CAgzpKJyC_304300474)
 [Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
 [Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
 ## Related topics
 - [Isolated User Mode in Windows 10 with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-in-Windows-10-with-Dave-Probert)
--- a/windows/keep-secure/credential-manager-known-issues.md
+++ b/windows/keep-secure/credential-manager-known-issues.md
@ -1,6 +1,6 @@
 ---
 title: Known issues with Credential Manager (Windows 10)
-description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
+description: Credential Manager - Known issues in Windows 10 Enterprise
 ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
--- a/windows/keep-secure/images/mva_videos.png
+++ b/windows/keep-secure/images/mva_videos.png