Credential Guard text and heading changes

This commit is contained in:
John Tobin
2017-03-30 14:11:08 -07:00
parent 21cbfd5191
commit ffc75cbeaf
6 changed files with 20 additions and 51 deletions

View File

@ -15,7 +15,8 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Prefer video? See the **Deep Dive into Credential Guard** video series in the **See also** section of this article.
Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
in the Deep Dive into Credential Guard video series.
- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain.
- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
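Review bot: the label on the added "Prefer video?" line does not match the rest of this commit. Here l=mD3geLJyC_8304300474 is titled "Credentials Protected by Credential Guard", but the how-it-works file in the same commit links that identical identifier as "Credential Guard Design", and every other file (not-protected, how-it-works list, overview) links "Credentials protected by Credential Guard" to l=pdc37LJyC_1204300474. The old See also block removed further down in this file used the same mD3geLJyC pairing, so this is pre-existing, but since the link is now being moved into the intro, confirm which video that identifier actually plays and fix either the label or the URL so both pages agree. Minor: the sentence is wrapped mid-sentence across two source lines here ("...8304300474)" / "in the Deep Dive..."), while the how-it-works and overview files keep it on one line; harmless in Markdown, but one form throughout would be cleaner.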
@ -49,14 +50,6 @@ When you enable Credential Guard, you can no longer use Kerberos unconstrained d
## See also
Microsoft has created a new **Deep Dive into Credential Guard** video series that explores the main features of Credential Guard and how it works.
### Credentials Protected by Credential Guard
[![Credentials Protected by Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
**Related videos in this series**
**Deep Dive into Credential Guard: Related videos**
[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)

View File

@ -16,7 +16,8 @@ author: brianlic-msft
- Windows Server 2016
Prefer video? See the **Deep Dive into Credential Guard** video series in the **See also** section of this article.
Prefer video? See [Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the Deep Dive into Credential Guard video series.
Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
@ -34,15 +35,10 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
## See also
Microsoft has created a new **Deep Dive into Credential Guard** video series that explores the main features of Credential Guard and how it works.
**Deep Dive into Credential Guard: Related videos**
### Credential Guard Overview: Credential Theft and Lateral Traversal
[![Credential theft and lateral traversal](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474)
**Related videos in this series:**
[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
[Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474)
[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)

View File

@ -15,7 +15,8 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Prefer video? See the **Deep Dive into Credential Guard** video series in the **See also** section of this article.
Prefer video? See [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
in the Deep Dive into Credential Guard video series.
## Enable Credential Guard
Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
@ -186,12 +187,6 @@ You can also disable Credential Guard by using the [Device Guard and Credential
```
DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
```
 
## See also
Microsoft has created a new **Deep Dive into Credential Guard** video series that explores the main features of Credential Guard and how it works.
<br>
### Deploying Credential Guard
[![Deploying Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
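Review bot: this hunk deletes the page's featured video, "Deploying Credential Guard" (l=sRcyvLJyC_3304300474), together with the whole See also section, but the replacement intro link added at the top of this file points to "Protecting privileged users with Credential Guard" (l=JNbjYMJyC_8104300474) instead. The page is the enable/disable procedure (Group Policy, registry, DG_Readiness_Tool_v3.0.ps1), so the deployment video looks like the better match; if the swap is intentional, consider keeping a Related videos list here as the other files do so the deployment video is still reachable from this page.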

View File

@ -15,7 +15,8 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Prefer video? See the **Deep Dive into Credential Guard** video series in the **See also** section of this article.
Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Credential Guard video series.
Some ways to store credentials are not protected by Credential Guard, including:
@ -153,14 +154,6 @@ To learn more about authentication policy events, see [Authentication Policies a
## See also
Microsoft has created a new **Deep Dive into Credential Guard** video series that explores the main features of Credential Guard and how it works.
### Credentials protected by Credential Guard
[![Credentials protected by Credential Guard](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
**Related videos in this series:**
**Deep Dive into Credential Guard: Related videos**
[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

View File

@ -15,7 +15,9 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Prefer video? See the **Deep Dive into Credential Guard** video series in the **See also** section of this article.
Prefer video? See
[Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
in the Deep Dive into Credential Guard video series.
For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
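Review bot: the same video identifier l=sRcyvLJyC_3304300474 is given three different titles in this commit: "Credential Guard Deployment" on the added line here, "Credential Guard Deployment Requirements" in the See also heading removed below in this file, and "Deploying Credential Guard" in the manage file. Use the video's actual title once and apply it everywhere. Also, the added text is wrapped over three source lines with "Prefer video? See" alone on the first; it renders as one paragraph, but matching the single-line form used in the how-it-works and overview files would be tidier.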
@ -116,11 +118,3 @@ The following table lists qualifications for Windows 10, version 1703, which are
|---------------------------------------------|----------------------------------------------------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:<br>• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;- PE sections need to be page-aligned in memory (not required for in non-volatile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code<br><br>**Security benefits**:<br>• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.<br><br>**Security benefits**:<br>• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
## See also
Microsoft has created a new **Deep Dive into Credential Guard** video series that explores the main features of Credential Guard and how it works.
### Credential Guard Deployment Requirements
[![Credential Guard Deployment Requirements](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
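Review bot: the See also removal itself is fine (the page now links the video from the intro), but two defects in the unchanged table rows just above this hunk are worth fixing while this file is open. In the SMM row, the first "Security benefits" bullet is a run-on of two sentences: "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (...)"; something like "Protects against potential vulnerabilities in UEFI runtime services, if any (such as in functions like UpdateCapsule and SetVariable), by blocking them from compromising VBS" reads correctly. In the NX row, "not required for in non-volatile storage" has a stray "for".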

View File

@ -16,7 +16,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Prefer video? See the **Deep Dive into Credential Guard** video series in the **See also** section of this article.
Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Credential Guard video series.
Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
@ -42,8 +42,6 @@ By enabling Credential Guard, the following features and solutions are provided:
## See also
Prefer video? Microsoft has created a new **Deep Dive into Credential Guard** video series that explores the main features of Credential Guard and how it works.
**Deep Dive into Credential Guard: Related videos**
### Credential Guard: Credential Theft and Lateral Traversal
[![Credential theft and lateral traversal](images/mva_videos.png)](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474)
[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)