Microsoft enhances Credential Guard in Windows 10 November update

Mark Coppock

Windows credentials are the keys to the kingdom on Windows machines, securing access to internal and external resources. Locking credentials down is therefore an important aspect of overall system security, and to that end Microsoft added new “Credential Guard” functionality to Windows 10 Enterprise. Now, with Windows 10 version 1511, Microsoft has beefed up Credential Guard with some new enhancements.
Basically, Credential Guard keeps credential information locked down by using virtualization-based security to limit access to privileged software. The full details are something only the security-minded would love, but here are the basics:

• Hardware security: Credential Guard increases the security of domain credentials by taking advantage of platform security features, including Secure Boot and virtualization.
• Virtualization-based security: Windows services that manage domain credentials and other secrets run in a protected environment that is isolated from the running operating system.
• Better protection against advanced persistent threats: Securing domain credentials using virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, so you should also incorporate Device Guard and other security strategies and architectures.
• Manageability: You can manage Credential Guard by using Group Policy, WMI, a command prompt, or Windows PowerShell.

The changes in Windows 10 version 1511 include:

• Credential Manager support. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
◦ Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
◦ Applications that extract domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved credentials.
◦ You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won’t be able to restore those credentials.
• Enable Credential Guard without UEFI lock. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
• CredSSP/TsPkg credential delegation. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled.
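As an added example (not code from the article, from Microsoft, or from the Windows documentation), the following PowerShell script checks Credential Guard state through WMI, one of the management interfaces the Manageability bullet names, and reports whether the platform features the Hardware security bullet relies on (hypervisor support, Secure Boot) are present. It assumes Windows 10 version 1511 or later, where the Win32_DeviceGuard class exists, and an elevated PowerShell session; the integer-to-name tables follow Microsoft's documented values for that class.

```powershell
# Added example for this article; not code from Microsoft or the Windows documentation.
# Reads the Win32_DeviceGuard WMI class (namespace root\Microsoft\Windows\DeviceGuard)
# to report whether Credential Guard is configured, whether it is actually running,
# and which platform security features (hypervisor, Secure Boot, ...) are available.
# Assumes Windows 10 version 1511 or later and an elevated PowerShell session.

function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Lookup tables for the integer codes the class returns (documented values).
    $featureNames = @{
        0 = 'None required'
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations'
    }
    $serviceNames = @{
        1 = 'Credential Guard'
        2 = 'Hypervisor-enforced code integrity'
    }
    $credentialGuardCode = 1

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    } catch {
        throw "Win32_DeviceGuard is not available on this host: $($_.Exception.Message)"
    }

    # Normalise the uint32[] properties to arrays so -contains works even when null.
    $available  = @($dg.AvailableSecurityProperties)
    $required   = @($dg.RequiredSecurityProperties)
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($($dg.VirtualizationBasedSecurityStatus))" }
    }

    # Required platform features that are not reported as available explain a
    # "configured but not running" state (for example Secure Boot switched off).
    $missing = $required | Where-Object { $_ -ne 0 -and $available -notcontains $_ }

    [PSCustomObject]@{
        VbsState                  = $vbsState
        CredentialGuardConfigured = ($configured -contains $credentialGuardCode)
        CredentialGuardRunning    = ($running    -contains $credentialGuardCode)
        AvailablePlatformFeatures = ($available | ForEach-Object { $featureNames[[int]$_] }) -join ', '
        RequiredPlatformFeatures  = ($required  | ForEach-Object { $featureNames[[int]$_] }) -join ', '
        MissingPlatformFeatures   = ($missing   | ForEach-Object { $featureNames[[int]$_] }) -join ', '
        ServicesRunning           = ($running   | ForEach-Object { $serviceNames[[int]$_] }) -join ', '
    }
}

# Usage: print the report. A "configured but not running" result with a non-empty
# MissingPlatformFeatures value points at the hardware or firmware prerequisite to fix.
Get-CredentialGuardStatus | Format-List
```

The useful check here is the gap between CredentialGuardConfigured and CredentialGuardRunning: policy or registry can ask for Credential Guard, but it only protects credentials once the hypervisor and Secure Boot prerequisites are actually satisfied, so a fleet-wide run of this function is a quick way to find machines that look enabled on paper but are not isolating LSA secrets.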

So, there you go, security professionals: more ways to lock down your systems and keep the hackers and identity thieves at bay. We’ll keep our eyes open for more updates to Windows 10, so check back often.