From fc8bc9effc758fc93825b1614f46a7ce6fb41dcb Mon Sep 17 00:00:00 2001 From: "Jeff Reeds (Aquent LLC)" Date: Thu, 14 May 2020 14:12:57 -0700 Subject: [PATCH] Update additional-mitigations.md --- .../credential-guard/additional-mitigations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 03924d7205..5a88c7b645 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md 
@@ -18,7 +18,7 @@ ms.reviewer: # Additional mitigations -Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Hypervisor-Protected Code Integrity, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. +Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust. ## Restricting domain users to specific domain-joined devices
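Review bot: In the added line, "re-using previously stolen credentials prior to Windows Defender Credential Guard" still leaves the timing ambiguous. It can be read as the reuse happening before Credential Guard rather than the theft. If the intended meaning is credentials that were stolen before Credential Guard was turned on, say so directly, for example "re-using credentials that were stolen before Windows Defender Credential Guard was enabled". While this line is being touched, "additional mitigation also must be deployed" in its last sentence would read better as "additional mitigations must also be deployed", which also matches the page title. The subject "Update additional-mitigations.md" does not say what changed; naming the replaced term (Hypervisor-Protected Code Integrity to Windows Defender Credential Guard) would make the history searchable.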