The third post in this series will start to look at how Hyper-V can be used to secure your Windows box. One of the things attackers will be on the hunt for is the stored username and password combination on your machine. These credentials get cached when you log on, in the format of a password hash, and introduces the need for something like Windows Defender Credential Guard.

With this hash, attackers can pass it on to resources on your network in an attempt to determine access to critical and/or confidential data.

When we enable Credential Guard, the user’s credentials are stored inside a protected virtual machine that is inaccessible to the host (your computer). When privileged software requires these credentials, the VM will pass the credentials to the application or service, whereby preventing access to unknown applications.

Credential Guard can be enabled in one of three ways: 1) Through Group Policy, 2) Via the Registry, or 3) Using the Windows Defender Device Guard and Credential Guard hardware readiness tool (located here). For the purposes of this post, and for this single purpose on a single machine, we’re going to use the Windows Registry.

Regardless of the method, the computer’s prerequisites remain the same. Following this series, you’re good from here

Step 1: Enable Credential Guard via Windows Registry

As with many of the security features available with Windows 10, Credential Guard is built into the system. The fastest way to test it out is to enable it via the registry.

Launch RegEdit, and we’ll need to change three keys:

  1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
    1. EnableVirtualizationSecurity = 1 (Default 0)
    2. RequirePlatformServices = 1 (1 for SecureBoot, 3 for Secure Boot and DMA Protection. Either will work for Credential Guard)

  2. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    1. LsaCfgFlags = 1 (Default 0 [disabled], 1 enables Credential Guard with UEFI Lock, 2 enables Credential Guard without UEFI lock)

Step 2: Validate

It really is just as simple as that. By flipping those keys, Hyper-V stored your credentials in a protected instance. To validate that Credential Guard is applied, you can run msinfo and look for Virtualization in the list…

Hope this helps!

É

Advertisements