Windows Defender Credential Guard

(@kajal)
Windows Defender Credential Guard is a security feature in Windows 10 and Windows Server that helps protect sensitive credential information, such as NTLM hashes and Kerberos tickets, from being stolen by malicious software or attackers. Credential Guard works by isolating and securing secrets in a protected virtualized environment, using hardware-based security features available in modern CPUs.

Key Features of Windows Defender Credential Guard:

  1. Protection of Credentials:

    • Credential Guard isolates and protects credentials such as NTLM hashes, Kerberos tickets, and LSA (Local Security Authority) secrets from being exposed to attackers who gain access to the operating system's memory (for example, through tools like Mimikatz).
    • By using hardware virtualization (Intel VT-x and AMD-V) and Hyper-V technologies, Credential Guard creates a secure container that isolates this sensitive data from the rest of the system.
  2. Virtualization-Based Security (VBS):

    • Windows Defender Credential Guard uses Virtualization-Based Security (VBS) to create a secure environment where secrets are stored in memory. VBS leverages the CPU’s hardware virtualization features (e.g., Intel VT-x or AMD-V) to create a hypervisor-enforced, isolated area of memory. This area is separate from the rest of the operating system, and only trusted, privileged processes can access the credentials within it.
    • In this isolated environment, sensitive data is not visible to attackers, even if they manage to compromise the system.
  3. Protection from Credential Dumping Tools:

    • Credential Guard specifically defends against credential dumping attacks (such as Mimikatz) and Pass-the-Hash attacks. Even if an attacker gains administrative access to the system, they cannot easily dump credentials from memory because the protected secrets are isolated.
  4. How It Works:

    • When enabled, Credential Guard uses Hyper-V (the Windows hypervisor) to create a secure, virtualized environment for the Local Security Authority Subsystem Service (LSASS) process.
    • In a normal system, LSASS stores credentials in memory, making it a prime target for attackers. Credential Guard isolates LSASS in a virtual machine (VM) to ensure that the credentials stored in memory are not directly accessible from the Windows operating system.
  5. Credential Guard vs. Traditional Security:

    • Traditional security mechanisms like BitLocker or Windows Defender Antivirus protect data on disk or prevent malware from running. However, they do not protect sensitive credentials stored in system memory while the OS is running.
    • Windows Defender Credential Guard addresses this gap by preventing unauthorized access to credentials while they are in use in memory, making it much harder for attackers to capture NTLM hashes or Kerberos tickets even if they have gained administrative privileges.

What Credential Guard Protects:

  1. NTLM Hashes: The hashes used for Pass-the-Hash attacks are protected. Attackers can no longer extract them from the memory of compromised systems.
  2. Kerberos Tickets: TGT (Ticket Granting Tickets) and TGS (Ticket Granting Service) tickets are protected from being stolen or used for Pass-the-Ticket attacks.
  3. LSA Secrets: Other sensitive information stored by the Local Security Authority (LSA), such as service account credentials, is protected from memory scraping.

Requirements for Windows Defender Credential Guard:

  1. Windows Edition:

    • Credential Guard is available in Windows 10 Enterprise and Windows Server 2016 and later editions.
  2. Hardware Requirements:

    • 64-bit Windows is required.
    • Hardware Virtualization support (e.g., Intel VT-x or AMD-V).
    • Trusted Platform Module (TPM) version 2.0 is recommended but not strictly required.
  3. Hyper-V Enabled:

    • Hyper-V must be enabled on the system, as it is the foundation of the virtualized security container used by Credential Guard.
  4. Group Policy or Registry Changes:

    • To enable Credential Guard, you can either configure it using Group Policy or modify the Windows registry.

How to Enable Windows Defender Credential Guard:

Credential Guard can be enabled on a system using the Group Policy Editor or the Registry Editor. The recommended method is through Group Policy.

Method 1: Enabling via Group Policy (For Enterprise/Server Editions)

  1. Open Group Policy Management on the computer where you want to enable Credential Guard.
  2. Navigate to the following policy path:
    • Computer Configuration > Administrative Templates > System > Device Guard
  3. Enable Credential Guard:
    • Find the policy named "Turn On Virtualization Based Security" and set it to Enabled.
    • Under the "Virtualization Based Security" settings, set Credential Guard to Enabled with UEFI Lock. This will prevent it from being disabled unless the system is reset to its factory settings.
  4. Reboot the Computer:
    • After enabling Credential Guard through Group Policy, restart the machine to apply the settings.

Method 2: Enabling via Windows Registry (Advanced Method)

  1. Open the Registry Editor (regedit) and navigate to:

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
  2. Create or modify the following DWORD values under that key:

    • EnableVirtualizationBasedSecurity: Set it to 1.
    • RequirePlatformSecurityFeatures: Set it to 1.
    • LsaCfgFlags: Set it to 1.
  3. Restart the computer.

Method 3: Enabling via PowerShell (For Automation)

For administrators managing multiple systems, PowerShell can be used to automate the enabling of Credential Guard.

# Check whether the platform supports VBS and whether Credential Guard is already configured/running.
# (Get-WindowsFeature only exists on Windows Server and has no Credential Guard feature; the
# Win32_DeviceGuard CIM class is available on both client and server editions.)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object AvailableSecurityProperties, SecurityServicesConfigured, SecurityServicesRunning

# Enable Hyper-V if not already enabled
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart

# Enable Credential Guard (all three are REG_DWORD values; a restart is required afterwards)
$dg = "HKLM:\System\CurrentControlSet\Control\DeviceGuard"
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
Set-ItemProperty -Path $dg -Name LsaCfgFlags -Value 1 -Type DWord

Verifying Credential Guard is Running:

To check if Credential Guard is enabled and working properly, you can use the System Information tool:

  1. Press Win + R and type msinfo32.
  2. In the System Summary, look for the "Device Guard" entry. If Credential Guard is enabled, the status will be listed as "Running".

Alternatively, you can use the PowerShell command Get-WmiObject -Class Win32_ComputerSystem and check if Credential Guard is listed as enabled.
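As an added example (not code from the original post), the following PowerShell function pulls the verification steps above into one audit: it queries the Win32_DeviceGuard CIM class, checks that the isolated LSA process (LsaIso.exe) is present, and reads LsaCfgFlags from both registry locations Windows has used for it. The meaning of the status values and the second (Lsa) registry path are assumed from Microsoft's documentation; the function name is my own.

```powershell
# Added example: audit a host's Credential Guard state (not part of the original post).
# Assumes the Win32_DeviceGuard class and the documented meaning of its status values.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace root\Microsoft\Windows\DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesConfigured / SecurityServicesRunning contain 1 when Credential Guard is included
    $cgConfigured = ($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = ($dg.SecurityServicesRunning    -contains 1)

    # Isolated LSA runs as LsaIso.exe; its presence is an independent sanity check
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    # Read the policy value from both locations (older builds: DeviceGuard key; current
    # builds: Lsa key). 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled.
    $flags = foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard',
                               'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa') {
        $v = Get-ItemProperty -Path $key -Name LsaCfgFlags -ErrorAction SilentlyContinue
        if ($v) { [pscustomobject]@{ Key = $key; LsaCfgFlags = $v.LsaCfgFlags } }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        VbsRunning           = $vbsRunning
        CredGuardConfigured  = $cgConfigured
        CredGuardRunning     = $cgRunning
        LsaIsoProcessPresent = [bool]$lsaIso
        LsaCfgFlags          = $flags
        # Configured but not running usually means a pending reboot or a missing hardware prerequisite
        NeedsAttention       = ($cgConfigured -and -not $cgRunning)
    }
}

Get-CredentialGuardState | Format-List
```

A host that reports CredGuardConfigured as True but CredGuardRunning as False has the policy applied but not enforced, which is the case to chase down before treating the machine as protected.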

Benefits of Windows Defender Credential Guard:

  1. Prevents Credential Dumping: It stops attackers from using credential dumping tools like Mimikatz to extract sensitive credentials (NTLM hashes, Kerberos tickets).
  2. Limits Lateral Movement: Even if attackers compromise a machine, they cannot easily move laterally using stolen credentials.
  3. Protects Domain Administrator Credentials: By protecting sensitive credentials such as those used by Domain Admins or KRBTGT accounts, Credential Guard helps mitigate Golden Ticket and Silver Ticket attacks.
  4. Increased Resistance to Attacks: Protects against common attack techniques like Pass-the-Hash and Pass-the-Ticket, which rely on stealing credentials stored in memory.

Potential Limitations and Considerations:

  1. Performance Impact: Enabling Credential Guard can slightly impact the system's performance, especially on systems with limited resources or older hardware.
  2. Compatibility Issues: Certain legacy applications or third-party software may not be compatible with Credential Guard. Ensure that the applications running on your systems can work with Credential Guard enabled.
  3. Administrative Access: Enabling Credential Guard requires administrative access to the system, and it should only be enabled on devices that are fully trusted and properly configured.
 
Posted : 13/12/2024 1:04 am