Traditional methods such as antivirus solutions provide insufficient defence against new attack methods. Device Guard and Credential Guard are some of the new defence methods developed to protect systems against malicious software. The work they do is different from each other, but they are activated within the same process. When Device Guard is enabled, it will be enabled in Credential Guard. Device Guard and Credential Guard feature are included in Windows 10 Enterprise version.

Credential Guard

The passwords we use while logging in to the system are kept in memory during the session. Even when we restart our computer, the passwords of users who have previously logged into our computer can be accessed. With identity theft attacks such as Pass-The-Hash and Pass-The-Ticket, our passwords can be compromised by unwanted people. With Credential Guard, we protect NTLM password hashes, credential manager records, and Kerberos granting tickets.

Working Status of Credential Guard

User session passwords are stored in the Local Security Authority (LSA). LSA is physically kept in memory in previous versions of Windows. When Windows 10 Credential Guard is enabled, LSA is not kept in memory. It is kept in a virtualized and isolated container with Hyper-V. This container is called Virtual Secure Mode (VSM). Only the kernel can communicate with the LSA taken in the virtual container. RPC commands are used during communication. The rest of the operating system cannot communicate with the LSA. With Credential Guard, Kerberos, NTLM and Crenditial Manager passwords are protected by creating a virtualization-based (hyper-v) firewall.

Isolated LSA in VSM does not contain any device drivers for security reasons. Instead, it contains a small binary set to keep the files safe. The binary set is validated before boot with a certificate trusted by VSM. The set includes Kernel Mode Code Integrity (KMCI) and Hyper Code Integrıty (HVCI). When the Credential guard is activated, it causes the LSA itself (LSASS) and an isolated instance (LSAIsor – Isolated LSA) to be formed.

Enabling Credential Guard

In order to enable Credential Guard protection on computers, we turn the “Secure Boot” and “Virtualization Technology” features to “Enabled” via the BIOS in the picture below.

With the policy I will make over the GPO, the Hyper-V Platform feature will be installed automatically. After highlighting the OU where we will apply the policy on the Group Policy Management screen, we create a new policy and click edit and perform the following operations.

Go to “Computer Configuration/Administrative Templates/System/Device Guard” on Group Policy Management Console.

We activate it and make the security settings as follows. With the “Enable with UEFI lock” option, we disable the remote adjustment of VSM settings. If we want to withdraw from this setting, physical access to individual computers is required. “Enable without lock” allows remote access. If we want to disable it, we can use group policies.