Determine Requirements for Implementing Credential Guard in Windows Server 2016

Credential Guard is a new feature available in Windows 10 and Windows Server 2016 that uses virtualization-based security to store NTLM and Kerberos secrets in an isolated process.

Without Credential Guard, these secrets are stored in the memory of user accessible processes, making them available to tools such as mimikatz with administrative privileges.

Credential Guard helps protect against this. Here we'll be discussing the requirements for setting up Credential Guard.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


About Credential Guard

With Credential Guard configured, the Hyper-V hypervisor allows the secrets to be stored in an isolated LSA process which is not accessible to other parts of the operating system. This idea is similar to the way a virtual machine can’t (or at least shouldn’t be able to) directly access the memory of another virtual machine running on the same host.

This isolates the secrets so that only privileged system software can access them. Attacks such as pass-the-hash and pass-the-ticket are prevented by protecting the NTLM hashes, Kerberos ticket granting tickets (TGTs), and other credentials in this separate area.

Even malware running with administrative privileges will not be able to access the secrets protected by this virtualized solution. Instead, an attacker would need some sort of vulnerability in the way the system accesses the isolated virtualized process, or a hypervisor escape vulnerability. While possible, this is in theory far more difficult to pull off successfully than attacking a system that is not using Credential Guard at all.

Requirements for Credential Guard

In order to use Credential Guard, we must first determine the requirements for implementing it.

Hardware and Software Requirements

  • A 64-bit CPU and operating system are required. Additionally, this new feature is currently only supported by Windows 10 Enterprise and Education editions, as well as Windows Server 2016.
  • In addition to being 64-bit, the CPU must have support for virtualization extensions so that Windows Credential Guard can virtualize the process. For Intel based CPUs this is VT-x, and for AMD based CPUs this is AMD-V. The CPU also needs extended page tables, which is known as second level address translation (SLAT).
  • UEFI version 2.3.1 Errata C or above is needed, as Credential Guard relies on secure boot to help ensure that the device only boots authorized code. The UEFI firmware should also support secure firmware updates, so that any vulnerabilities identified at this level can be patched.
  • TPM version 1.2 or 2.0 is needed to store the encryption keys for Credential Guard securely, as this helps defend against attacks where a user has physical access to the system.
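As an added example (not from the original post), the PowerShell function below queries the hardware and software prerequisites listed above on the local machine and reports pass/fail for each, along with whether Credential Guard is currently running according to the Win32_DeviceGuard WMI class. It assumes an elevated prompt (the TPM query needs admin) and does not check the UEFI revision itself, which firmware does not expose in a standard way.

```powershell
# Added example, not part of the original post.
# Checks the Credential Guard prerequisites on the local machine.
# Run from an elevated PowerShell prompt; the TPM query requires admin.

function Test-CredentialGuardPrerequisites {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # 64-bit OS on a supported edition (Windows 10 Enterprise/Education or Server 2016)
    $is64      = $os.OSArchitecture -like '64*'
    $editionOk = ($os.Caption -match 'Windows Server 2016') -or
                 ($os.Caption -match 'Windows 10 (Enterprise|Education)')

    # VT-x / AMD-V enabled in firmware, and SLAT (EPT / RVI) present.
    # Note: once the Hyper-V hypervisor is already running these CPU
    # properties can report False because the hypervisor owns the extensions.
    $vtEnabled = [bool]$cpu.VirtualizationFirmwareEnabled
    $slat      = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # UEFI Secure Boot; Confirm-SecureBootUEFI throws on legacy BIOS systems
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    # TPM 1.2 or 2.0; SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3"
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmOk = $false
    if ($tpm) { $tpmOk = (($tpm.SpecVersion -split ',')[0].Trim() -in @('1.2', '2.0')) }

    # Current state from the DeviceGuard class:
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = $false
    if ($dg) { $cgRunning = ($dg.SecurityServicesRunning -contains 1) }

    [pscustomobject]@{
        OS64Bit                = $is64
        SupportedEdition       = $editionOk
        VirtualizationEnabled  = $vtEnabled
        SLAT                   = $slat
        SecureBoot             = $secureBoot
        TPM12or20              = $tpmOk
        CredentialGuardRunning = $cgRunning
        AllPrerequisitesMet    = ($is64 -and $editionOk -and $vtEnabled -and
                                  $slat -and $secureBoot -and $tpmOk)
    }
}

Test-CredentialGuardPrerequisites | Format-List
```

A False in any row other than CredentialGuardRunning points at the specific requirement above that still needs attention before enabling the feature.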

Application Requirements

In addition to the above hardware and software requirements, there are also some specific application requirements. These are equally important to consider, as Credential Guard will block certain authentication functions which may cause problems for various applications used within your environment. It’s therefore suggested that you perform adequate testing of any applications that rely on authentication to function before rolling this change out.

Any application that needs NTLM v1, Kerberos DES encryption support, unconstrained Kerberos delegation, or the ability to extract the Kerberos TGT will stop working after Credential Guard has been enabled. Additionally, if the application uses MS-CHAP v2, credential delegation, or digest authentication, the application will prompt for credentials, potentially exposing them to risk of capture.

At the time of writing, Credential Guard is not supported on Active Directory domain controllers. If you have administrative privileges on a domain controller you would be able to simply read the information from disk, so there’s not that much point also protecting the LSA process.

Summary

By determining the requirements for implementing Credential Guard in Windows Server 2016, you’ll know if your system can be configured to use it. I’ll cover how to configure Credential Guard in a future post.
