This is the first in a series of blog posts where I will go deeper into the different Windows 10 security agents. The reason why I do this is because I have seen lots of customer with doubts whether to choose Windows 10 Professional or Windows 10 Enterprise. In my opinion, any company that takes security serious should be on Windows 10 Enterprise. It should be a no-brainer, Windows 10 Enterprise brings you immediate added value in terms of security. Credential Guard, the Security Guard that we will be looking at today, is super easy to configure and an absolute must have feature.
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard helps prevent these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
By enabling Windows Defender Credential Guard, the following features and solutions are provided:
- Hardware security NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- Virtualization-based security Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- Better protection against advanced persistent threats When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures.
Before going into Credential Guard, I want to talk about Virtual Secure Mode and Virtualization Based Security.
Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this “virtual secure mode” to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.
VBS uses the Windows hypervisor to create this virtual secure mode, and to enforce restrictions which protect vital system and operating system resources, or to protect security assets such as authenticated user credentials. With the increased protections offered by VBS, even if malware gains access to the OS kernel the possible exploits can be greatly limited and contained, because the hypervisor can prevent the malware from executing code or accessing platform secrets.
To use VBS, you have to install the Hypervisor role on the system. Once you have your Hypervisor installed, you can enable VBS through the MDM Channel (this can also be done by GPO). The Hypervisor is the layer between the hardware and the operating system. Operating systems does not have direct access to the hardware. The Hypervisor basically abstracts the hardware (Memory, CPU, etc..) which will allow sharing of resources between the operating system and virtual machines. Virtualization based security security is based on the virtualization extension of the CPU, this requires your CPU to support VT-x or AMD-V. The basic requirements for Virtualization based security are:
- Hypervisor
- Hardware Virtualization Extensions
- Second Level Address Translation (SLAT)
- UEFI
- Secure Boot
- TPM is optional, but highly recommended.
Once you enable VBS on your computer, a new Virtual Secure Mode instance will be created. This VSM instance will run a minimalized kernel and trustlets. Trustlets, also known as trusted processes, are programs running as IUM processes in VSM. They complete system calls by marshalling them over to the Windows kernel running in VTL0 ring 0. VSM creates a small execution environment that includes the small Secure Kernel executing in VTL1 (isolated from the kernel and drivers running in VTL0). The clear security benefit is isolation of trustlet user mode pages in VTL1 from drivers running in the VTL0 kernel. Even if kernel mode of VTL0 is compromised by malware, it will not have access to the IUM process pages. The VSM Instance is segregated from the operating system. The main reason behind the segregation is that code running on the host operating system cannot access directly the memory used by the VSM Instance.
In the current version of Windows 10 and Windows Server 2016 there are 3 trustlets which can reside in the instance:
- Local Security Authority (LSA)
- Kernel Mode Code Integrity (KMCI) + User Mode Code Integrity (UMCI)
- Hypervisor Code Integrity (HVCI)
When these trustlets are running in your VSM Instance, the Operating System could interact with them only through standard channels. (Standard API’s, Standard Interfaces, Standard RPC calls). When you think about the credential theft attack, it is simple, having debug privileges, malware would be able to directly read the data of the memory used by the LSASS process. When we run LSASS as a trustlet in the VSM Instance, this will not be possible, malware simply cannot directly read the memory of the LSASS trustlet in the VSM Instance. This is controllered / denied by the CPU.
We now understand the basic concept of Virtualization based security and are ready to take a closer look at Credential Guard. Credential Guard is designed to protect our systems against credential theft attacks which are stealing credentials from the lsass.exe memory. Mimikatz is a tool that is commonly used to do this kind of attacks, at the end of this blog post, you will see Mimikatz in action. By default an attacker can read LSA protected secrets. By enabling Credential Guard, we are going to move the lsass.exe process to our Virtual Secure Mode Instance. This will run the Isass.exe process as a trustlet in the VSM Instance. you will see a new process Isassiso.exe.
To Check whether or not your hardware is ready, you can use the Device Guard and Credential Guard hardware readiness tool. This tool can be downloaded from: https://www.microsoft.com/en-us/download/details.aspx?id=53337. Check out the video below to see it in action.
To enable Credential Guard on our devices via Intune, we are going to use a Device Configuration Profile and Assign it to a dynamic aad security group or target all your devices. See the below instruction movie about how you can easily create that Device Configuration Profile. I am using the new URL: https://endpoint.microsoft.com
If you are currently not yet using Modern Device Management, to enable Credential Guard on our devices we will use GPO. Open the Group Policy Manager and create a new Group Policy Object. See the below instruction movie about how we need to configure it.
You might have noticed in both the video that I’m enabling Credential Guard without UEFI lock. The option you choose will be according to your security policy. In my case I want to make sure that for testing or troubleshooting purposes, I can remotely disable Credential Guard via GPO. If I enable Credential Guard with UEFI lock, I won’t be able to remotely disable Credential Guard. The policy need to be assigned to Computer Objects, I created a AD Security Group and added my targeted devices.
Now lets see how easy it is to do a credential theft attack on a device. In this video, you will notice that on the machine without Credential Guard, it takes only a few seconds to read the lsass.exe memory. As a result all our accounts passwords will be visible in clear text. This also includes computer passwords, high privileged accounts that are currently logged on to the machine, etc…. It’s insane, how fast that information is available. See it yourself 😉
I hope you have now a better understanding about Credential Guard and the direct value it can bring to your organisation.
Cheers!
Ken