
What is Microsoft Windows Credential Guard?


Microsoft Windows Credential Guard is a security feature designed to protect user credentials from common credential theft attacks. It was introduced in Windows 10 Enterprise and Windows Server 2016 and is now enabled by default on all systems running on Windows 11, version 22H2 and later.

The primary purpose of Credential Guard is to isolate and protect credentials such as login information, NT LAN Manager (NTLM) password hashes, Kerberos Ticket Granting Tickets (TGTs), and domain credentials from the rest of the operating system. By doing so, it prevents credential theft attacks like pass the hash and pass the ticket.

Credential Guard uses hardware-backed, virtualization-based security (VBS) to run an isolated instance of the Local Security Authority (LSA) that stores credentials in protected containers. These containers are separate environments that are inaccessible to the rest of the operating system. The normal LSA communicates with the isolated LSA process to store and retrieve credentials securely, so the secrets remain protected even if malware or another attacker gains a foothold inside the network or on the machine itself.

There are several benefits to using Credential Guard. It provides robust hardware security through features like Secure Boot and virtualization, ensuring that only privileged system software can access protected credentials. Credential Guard also helps block targeted attacks and protects organizations from sophisticated techniques and tools.

However, it’s important to note that Credential Guard has limitations. It cannot protect credentials stored and managed by software outside of Windows feature protection, it does not protect local accounts or Microsoft accounts, it does not defend against keyloggers, and it does not cover credentials handled by third-party security packages. Credential Guard also cannot prevent credential theft by physical attacks or protect the Active Directory (AD) database running on Windows Server domain controllers. In virtual machines (VMs), Credential Guard cannot protect against privileged system attacks originating from the host.

To use Credential Guard, the system must be running a Windows edition that supports the necessary features, such as Windows Enterprise and Windows Education. It also requires support for VBS and Secure Boot. Additionally, Credential Guard should be enabled before a device is joined to a domain to ensure the protection of secrets from the start. Microsoft recommends using a Trusted Platform Module (TPM) and the UEFI lock to enhance the security of Credential Guard.
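The following PowerShell script is an added example, not code from the article. It audits the prerequisites just listed (VBS, Secure Boot, TPM) and whether Credential Guard is actually running, using the Win32_DeviceGuard WMI class and the registry values Microsoft documents for enabling VBS and Credential Guard with the UEFI lock. The function names are my own; the class, property and registry names are Microsoft's. Run it from an elevated PowerShell session; a reboot is needed before the isolated LSA starts.

```powershell
# Added example: audit Credential Guard state and prerequisites, and optionally
# set the documented registry values to enable it with UEFI lock.
# Helper function names are assumptions of this example.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports VBS state and which VBS-backed services are on.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # SecurityServicesConfigured / SecurityServicesRunning:
    #   1 = Credential Guard, 2 = HVCI (memory integrity)
    # VirtualizationBasedSecurityStatus:
    #   0 = disabled, 1 = enabled but not running, 2 = running
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        # Confirm-SecureBootUEFI throws on legacy BIOS; treat that as "not enabled".
        SecureBoot                = [bool](Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)
        TpmReady                  = [bool](Get-Tpm -ErrorAction SilentlyContinue).TpmReady
    }
}

function Enable-CredentialGuardWithUefiLock {
    # Registry locations documented by Microsoft for VBS and Credential Guard.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Turn on VBS and require Secure Boot (1) as the platform security feature;
    # 3 would additionally require DMA protection.
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord

    # LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock,
    #              2 = enabled without lock.
    # With the UEFI lock the setting persists in firmware variables and cannot be
    # removed remotely, which is why Microsoft recommends it.
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 1 -Type DWord
}

$state = Get-CredentialGuardState
$state | Format-List

if (-not $state.CredentialGuardRunning) {
    if ($state.SecureBoot -and $state.TpmReady) {
        Enable-CredentialGuardWithUefiLock
        Write-Host 'Credential Guard configured; reboot to start the isolated LSA.'
    } else {
        Write-Warning 'Secure Boot or TPM not ready; adjust firmware settings before enabling.'
    }
}
```

Checking `SecurityServicesRunning` rather than only the registry is the useful part for an auditor: a machine can have the policy configured but still not be running Credential Guard if the firmware lacks Secure Boot or the hypervisor could not start, and only the running state means credentials are actually isolated.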

It is important for organizations to understand their authentication requirements and ensure that enabling Credential Guard does not disrupt essential authentication capabilities. Implementing a multi-layered security architecture that includes strong authentication methods is also crucial to defend against persistent threat attacks and new attack techniques.

In conclusion, Microsoft Windows Credential Guard provides a valuable layer of security to protect user credentials from common credential theft attacks. By isolating credentials in protected containers and utilizing hardware-backed security measures, it helps safeguard sensitive information. However, it should be part of a comprehensive security strategy that includes multiple layers of protection and strong authentication methods to ensure maximum security.
