Security once focused on defensive measures at the perimeter, but Windows Defender Credential Guard plugs gaps inside the data center to thwart attacks launched from the network.
Once a malicious actor breaches the firewall and steals credentials, little can be done to stop them from having free rein across the network. Windows Defender Credential Guard is a feature in Windows Server 2016 that separates critical pieces of the operating system to thwart new threats, similar to microsegmentation in network virtualization.
For many IT administrators, the login process is a routine; they don't give it much thought. They change passwords regularly for security reasons, but the more thorough protections that would keep domain credentials out of a hacker's hands are either too expensive or require too much effort.
Not all accounts are equal, and one of the most important is the domain admin account. It has all-encompassing privileges, so access to it should be limited, and that is where the problem lies.
Few people should log in with the domain admin account itself, but many administrators log in with their own accounts that carry domain admin privileges. If a hacker obtains one of those accounts, changing the built-in admin account's name and password accomplishes nothing. Ideally, admins would use two different accounts -- one for normal tasks and one for admin tasks -- but this is not often the case. Admin credentials used on servers may already have been exposed on compromised desktops and laptops.
Windows Defender Credential Guard steers attackers away from credentials
Domain controllers store valuable login information that is desirable to a hacker. One means of protection, the Security Account Manager, has worked well in the past, but as technology has evolved, so have malware and the threats that reside in memory.
Windows Defender Credential Guard -- used in Windows Server 2016 and Windows 10 -- protects credentials with a feature called virtual secure mode. This feature uses a hypervisor to create a micro virtual machine (VM) designed to keep its process and memory isolated from the main OS.
Although it's similar in name, Windows Defender Remote Credential Guard is a separate feature that protects credentials used in a remote desktop connection.
Windows Defender Credential Guard is a major upgrade for protection from Windows-based memory attacks because the VM does not occupy the same memory space as the OS. The micro VM is not immune to infections, but because its purpose is fixed and its function is isolated, the chances of exploitation are low.
Windows Defender Credential Guard requirements
The advantage of Windows Defender Credential Guard for Windows Server 2016 is it runs on the hypervisor without any extra add-ons.
Recommendations for Windows Defender Credential Guard include Unified Extensible Firmware Interface, a 64-bit platform, second-level address translation, virtualization extensions and Trusted Platform Module. Most modern servers have these features.
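As an added example, not part of the original article, the PowerShell script below checks the prerequisites just listed (UEFI, 64-bit OS, SLAT, virtualization extensions, TPM) and reports whether Credential Guard is actually running, using the Win32_Processor and Win32_DeviceGuard CIM classes and the Get-Tpm cmdlet. It assumes an elevated session on Windows Server 2016 or Windows 10 where those classes and the TrustedPlatformModule module are available.

```powershell
# Added example (not from the article): report whether this host meets the
# Credential Guard prerequisites and whether the feature is running.
# Assumption: elevated PowerShell on Windows Server 2016 / Windows 10 with
# Win32_Processor, Win32_DeviceGuard and the Get-Tpm cmdlet available.

function Get-CredentialGuardReadiness {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }

    # Win32_DeviceGuard lives in its own namespace and is absent on builds
    # without virtualization-based security support, so tolerate a miss.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # SecurityServicesRunning ids: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    [pscustomobject]@{
        UefiFirmware           = ($env:firmware_type -eq 'UEFI')
        Is64BitOS              = [Environment]::Is64BitOperatingSystem
        SlatSupported          = [bool]$cpu.SecondLevelAddressTranslationExtensions
        # Note: once Hyper-V owns the CPU this flag can read False on a capable host.
        VirtExtensionsEnabled  = [bool]$cpu.VirtualizationFirmwareEnabled
        TpmPresentAndReady     = ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        VbsStatus              = if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { 'n/a' }
        CredentialGuardRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
    }
}

$r = Get-CredentialGuardReadiness
$r | Format-List

# Summarise: which prerequisites are missing, and is the feature actually on?
$missing = @('UefiFirmware', 'Is64BitOS', 'SlatSupported', 'VirtExtensionsEnabled', 'TpmPresentAndReady') |
    Where-Object { -not $r.$_ }
if ($missing) {
    Write-Warning "Credential Guard prerequisites not met: $($missing -join ', ')"
} elseif (-not $r.CredentialGuardRunning) {
    Write-Warning 'Prerequisites met, but Credential Guard is not running (VbsStatus shown above).'
} else {
    Write-Host 'Credential Guard is running.'
}
```

Run the script on each server in scope and feed the resulting objects into your inventory; a host that reports the prerequisites as met but CredentialGuardRunning as false is the one to follow up on.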
Several parts of the server operating system could benefit from this additional layer of protection, and administrators should consider enabling it on their Windows Server 2016 installations.
There is one caveat: Because Windows Defender Credential Guard depends on Hyper-V, it cannot be extended to environments running other hypervisors. Nesting Hyper-V inside other hypervisors is possible, but it's not stable and not supported.