Windows 10 has introduced several new security features. One new security feature which has been added is called Credential Guard, that helps protect derived domain credentials.
Credential Guard in Windows 10
Credential Guard is one of the main security features available with Windows 10. It allows protection against hacking of domain credentials thereby preventing hackers from taking over the enterprise networks. Along with features like Device Guard and Secure Boot, Windows 10 is more secure than any of the previous Windows operating system.
What is Credential Guard feature in Windows 10
As its name indicates, this feature in Windows 10 safeguards credentials in and across user domains in a network. While previous operating systems from Microsoft used to store ID and password for user accounts in local RAM, Credential Guard creates a virtual container and stores all domain secrets in that virtual container that the operating system cannot access directly. You do not need external virtualization. The feature makes use of Hyper-V that you can configure in Programs and Features applet in the Control Panel.
When hackers compromised a Windows operating system earlier, they could get access to the hash used to encrypt the user credentials, as it would be stored in local RAM, without much protection. With Credential Manager, credentials are stored in a virtual container so that even if hackers compromise the system, they cannot access the hash. That way, they cannot penetrate computers on the network.
In short, the Credential Guard feature in Windows 10 increases the security of domain credentials and related hashes so that it becomes almost impossible for hackers to access the secret and apply it to other computers. Thus any possibility of attack is stopped at entrance only. I won’t say Credential Guard is unbreakable, but it sure increases the level of security so that your computer and the network is safe.
Against the Credential Guards in previous versions of Windows, the one in Windows 10 disallows several protocols that may allow hackers to reach the virtual container where the hashed credentials are stored. However, the feature is not available for all computers.
Read: Remote Credential Guard protects Remote Desktop credentials.
Credential Guard System Requirements
There are a few limitations – especially if you are on budget laptops. Even Ultrabooks that don’t support Trusted Platform Module (TPM) cannot run Credential Guard though the book runs Windows 10 Enterprise.
Credential Guard runs only in the Enterprise Edition of Windows 10. If you are using Pro or Education, you won’t get to use this feature.
Your machine should be supporting Secure Boot and 64-bit virtualization. That leaves all 32-bit computers out of the scope of this feature.
This does not imply that you have to upgrade all your computers at the same time. You can use whatever computers that meet requirements after creating a sub-domain and putting incompatible computers into the sub-domain. When you configure the upper domains with Credential Guard and the incompatible computers are in a lower sub domain, the security will still be good enough to thwart credential hacking attempts.
Limits of Credential Guard
While some hardware requirements exist for Credential Guard in Windows 10 Enterprise edition, not everything is supposed to be protected by the feature. You should not expect the following from Credential Guard:
- Protection of local and Microsoft Accounts
- Protection of credentials managed by a third party software
- Protection against Key loggers.
Credential Guard will offer protection against direct hacking attempts and malware seeking credential information. If the credential information is already stolen before you could implement Credential Guard, it won’t prevent the hackers from using the hash key on other computers in the same domain.
For additional information and for scripts to manage Credential Guard feature in Windows 10, please visit TechNet.
Tomorrow we will see how to turn on Credential Guard by using Group Policy.