End the game for Credential Theft with Windows 10

Presentation transcript:

End the game for Credential Theft with Windows 10
Microsoft Ignite 2016 | BRK2132 | 10/7/2017 3:12 AM
Yogesh Mehta, Principal Program Manager Lead
ymehta@microsoft.com, Twitter: @yogeshmehta
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Objectives and takeaways
Objectives:
- Discuss Credential Guard, including its limitations
- Discuss Remote Credential Guard and how it protects credentials from attackers on remote desktop servers
- See how the credential protections to date complement each other and build a stronger defense against credential theft attacks
- No one protection covers all attack surfaces
- Try it out!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Credential theft is today’s crisis
Yahoo Reveals Massive Breach of Data from 500M Accounts
“…The stolen information, according to Yahoo, could include names, email addresses, dates of birth, telephone numbers, password information, and possibly the question-answer combinations for security questions, which are often used to reset passwords,” Paul Blake, ABC News, September 22 2016
Source: “Yahoo Reveals Massive Data Breach.. ABC News Sep 22 2016

United States Office of Personnel Management
“It could be the single most damaging breach to US national security of all time. Those who have access to some of the most sensitive data in the world had their entire backgrounds checks … stolen by an unknown assailant. We have yet to see the repercussions of the breach, but it could harm the US' domestic and foreign diplomatic and intelligence work.” Zack Whittaker, ZDNet, October 2, 2015
Source: 2015's biggest data breaches: CVS, Anthem, IRS, and worse, Zack Whittaker, ZDNet, October 2, 2015

Mark Zuckerberg’s Twitter, LinkedIn, and Pinterest accounts were hacked.
Source: Ian Mount, @ianmount, June 6, 2016 – 6:39 AM EDT

Evolution of Attacks
- Script Kiddies: Mischief; unsophisticated
- Organized Crime: Fraud and Theft; more sophisticated
- Nations, Terror Groups, Activists: Damage and Disruption; very sophisticated and well resourced

“There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”
-JAMES COMEY, FBI DIRECTOR

The Windows 10 Defense Stack
PROTECT, DETECT & RESPOND
PRE-BREACH
- Device protection: Device integrity, Device control, Device Health attestation, Device Guard, Security policies
- Threat resistance: SmartScreen, Windows Firewall, Microsoft Edge, Device Guard, Windows Defender, AppLocker
- Identity protection: Windows Hello, Credential Guard, Microsoft Passport, Built-in 2FA, Account lockdown
- Information protection: BitLocker and BitLocker to Go, Windows Information Protection, Enterprise Data Protection
POST-BREACH
- Breach detection, investigation & response: Conditional Access, Windows Defender ATP

The Windows 10 Defense Stack
PROTECT, DETECT & RESPOND
PRE-BREACH
- Device protection: Device integrity, Device control
- Threat resistance: SmartScreen, Windows Firewall, Microsoft Edge, Device Guard, Windows Defender
- Identity protection: Windows Hello, Credential Guard
- Information protection: BitLocker and BitLocker to Go, Windows Information Protection
POST-BREACH
- Breach detection, investigation & response: Conditional Access, Windows Defender ATP

Credential Theft & Lateral Traversal

What are credentials?
- Username & passwords
- Certificates or public key pairs
- Derived credentials, used by protocols, for example:
  - NTLM: NT one-way function (OWF)
  - Kerberos: DES, RC4 (== NTOWF), AES keys; TGT session keys; service ticket session keys

What data can an admin access?
- Well-behaved admins can only access data to which the local administrators group has permissions
- Admins can elevate to system
- Or they can add rights to their access token
- Or they can load drivers, which can effectively grant them kernel privileges
- The result is access to any data to which the operating system has access. This includes LSA secrets.

How on-prem credential theft attacks work
Step 1: Get administrator privilege on device
Step 2: Read LSA secrets
Step 3: Use secrets to attack other devices to obtain administrator privilege
Repeat until domain administrator privilege is obtained

How this results in gaining domain admin
[Diagram labels: Control; Data and Services; Access]

Conditions for credential theft attacks
- Available: credentials present to extract
- Extractable: ability to remove credential from device
- Usable: ability to use credential from another device

Credential Guard

Attacker can read LSA protected secrets
Credential Guard’s Purpose:
- Uses virtualization-based security to protect domain account Kerberos & NTLM credentials from theft by malicious software.
- Credential Guard protects both logon session and Credential Manager credentials.

Virtualization based security

Windows 7 platform stack
[Diagram layers: Device Hardware; Kernel; Windows Platform Services; Apps]

Critical assets separated and protected
[Image: Carcassonne, France. © 2016 HERE]

Virtualization-based security in Windows 10
- Windows Operating System: Kernel, Windows Platform Services, Apps
- System Container: Kernel, Trustlet #1, Trustlet #2, Trustlet #3
- Hyper-V, Nestable Hypervisor
- Device Hardware

Device Guard and Credential Guard
- Windows Operating System: Kernel, Windows Platform Services, Apps
- System Container: Kernel, Device Guard, Credential Guard, Trustlet #3
- Hyper-V, Nestable Hypervisor
- Device Hardware

Why is this better?
- Kerberos, NTLM, & Credential Manager do not release signed-on domain user’s secrets
- Reduces attack surface from entire OS to hypervisor & firmware

What credentials are protected
- Logon session’s NTLM: NTOWF
- Logon session’s Kerberos:
  - Username & password until initial TGT is obtained
  - Long term keys: DES, RC4 (== NTOWF), AES
  - TGT session keys
- Credential Manager: stored domain credentials

Deployment Requirements
DC Requirements: None
Device Requirements:
- Windows 10 v1511 or later OR Windows Server 2016
- x64 architecture
- UEFI firmware version 2.3.1 or higher and Secure Boot
- Trusted Platform Module (TPM) version 1.2 or 2.0 recommended
Device Guard and Credential Guard Hardware Readiness Tool: https://www.microsoft.com/download/details.aspx?id=53337

Group Policy

Examples of credentials not protected by Win 10 Credential Guard
- Local SAM accounts
- Microsoft accounts
- Azure Active Directory accounts
- Credentials managed by applications

Deployment considerations
- 3rd party Security Support Providers (SSPs) secrets are not protected by Credential Guard
- NTLM v1 is not supported
- Note: since Credential Guard protects signed-on credentials, MS-CHAPv2 will prompt for credentials. Upgrade Wi-Fi & VPN if needed
- Kerberos unconstrained delegation is not supported

Security considerations
- User input vulnerabilities are unchanged
- Move to bound public keys for sign on. See BRK2134: Deploy and Manage Windows Hello for Business
- Security threats evolve. So will we

Monitoring Credential Guard
MSINFO32
If deployed or not:
- System Log, Source: WinInit, Event ID: 14, Level: Informational
- Credential Guard (LsaIso.exe) configuration: [setting], [mode]
- Setting: 0x1: Enabled; 0x0: Disabled
Deployed and running:
- System Log, Source: WinInit, Event ID: 13, Level: Informational
- Credential Guard (LsaIso.exe) was started and will protect LSA credentials.

Troubleshooting Credential Guard
Failures to run Credential Guard:
- System Log, Source: WinInit, Event ID: 15, Level: Warning
  Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- System Log, Source: WinInit, Event ID: 16, Level: Error
  Credential Guard (LsaIso.exe) failed to launch: [error code]
- System Log, Source: WinInit, Event ID: 17, Level: Error
  Error reading Credential Guard (LsaIso.exe) UEFI configuration: [error code]
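
The monitoring and troubleshooting events listed on the two slides above can be checked with a script. This is an added example, not part of the presentation; the function name and the match on a provider name containing "Wininit" are assumptions.

```powershell
# Added example (not from the presentation): summarize Credential Guard state
# from the WinInit events 13-17 that the slides list.
function Get-CredentialGuardEventState {
    [CmdletBinding()]
    param(
        # How many of the newest matching events to return for review.
        [int]$MaxEvents = 20
    )

    # Event IDs and meanings as given on the slides.
    $meaning = @{
        13 = 'Started; will protect LSA credentials'
        14 = 'Configuration: [setting], [mode] (0x1 enabled, 0x0 disabled)'
        15 = 'Configured, but secure kernel not running; continuing without Credential Guard'
        16 = 'LsaIso.exe failed to launch'
        17 = 'Error reading UEFI configuration'
    }

    # Other providers also log IDs 13-17 to the System log, so filter on the
    # provider. Assumption: the slide's "Source: WinInit" appears as a
    # provider name containing "Wininit".
    $filter = @{ LogName = 'System'; Id = 13, 14, 15, 16, 17 }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' } |
        Select-Object -First $MaxEvents)

    # Get-WinEvent returns newest first, so the first 13/15/16/17 is the
    # outcome of the most recent boot that logged one.
    $outcome = $events | Where-Object { $_.Id -ne 14 } | Select-Object -First 1
    $config  = $events | Where-Object { $_.Id -eq 14 } | Select-Object -First 1

    if (-not $outcome)          { $state = 'NoOutcomeEvent' }
    elseif ($outcome.Id -eq 13) { $state = 'Running' }
    elseif ($outcome.Id -eq 15) { $state = 'ConfiguredNotRunning' }
    else                        { $state = 'Failed' }

    # An old event 13 says nothing about the current boot, so flag staleness.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $current  = [bool]($outcome -and $outcome.TimeCreated -ge $lastBoot)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        State           = $state
        FromCurrentBoot = $current
        OutcomeTime     = $outcome.TimeCreated
        OutcomeDetail   = $outcome.Message
        ConfigDetail    = $config.Message
        Recent          = $events | Select-Object TimeCreated, Id,
                              @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } }
    }
}

Get-CredentialGuardEventState | Format-List
```

A State of Running with FromCurrentBoot set to False means the last recorded start predates the current boot, so the event 14 configuration detail should be read before trusting it.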

To Learn More about Credential Guard
Microsoft Virtual Academy:
- Deep Dive into Credential Guard
Channel 9:
- Windows 10 Virtual Secure Mode
- Isolated User Mode in Windows 10
- Isolated User Mode Processes and Features in Windows 10
- Mitigating Credential Theft using the Windows 10 Isolated User Mode
Publications:
- Protect derived domain credentials with Credential Guard

Remote Credential Guard

Fixing a device provides attacker with admin credentials
Existing Solution: Remote Desktop with Restricted Admin
Problems:
- Requires user to be admin on the Remote Desktop Server host (remote host)
- Outbound connections are as remote host identity
- No multi-hop Remote Desktop connection support

Remote Credential Guard
DC Requirements: None
Remote Host Requirements:
- Windows 10 Anniversary Update or Windows Server 2016
- Domain-joined to trusting domain
- Restricted Admin enabled (opt in)
Remote Desktop Client (RDC) Device Requirements:
- Domain-joined (requires logon session)
- Line of sight to domain controllers

Why is this better?
- Non-admin user can protect credentials
- Outbound connections are as user’s identity
- Multi-hop Remote Desktop connections supported
- When client disconnects:
  - No new authenticated connections can be made from remote host
  - Existing authenticated connections can continue to work from remote host

What credentials are protected
- User’s password never passed to remote host
- Remote Host’s NTLM: NTOWF
- Remote Host’s Kerberos:
  - Long term keys: DES, RC4 (== NTOWF), AES
  - TGT session keys

Examples of credentials not protected by Remote Credential Guard
- Credentials entered on the remote host desktop
- Kerberos Service Ticket session keys

Configuration: Remote Host
Using Registry Editor:
- Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
- New DWORD: DisableRestrictedAdmin
- Value: 0: Enable support for Restricted Admin & Remote Credential Guard; 1: Disable
Scripting:
    reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
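
To audit a remote host against the requirements and registry setting on the slides before relying on Remote Credential Guard, a check like the following can be run on the host. This is an added example, not part of the presentation; the function name and the use of build 14393 as the minimum OS build are assumptions.

```powershell
# Added example (not from the presentation): check a remote host against the
# Remote Credential Guard requirements and registry setting on the slides.
function Test-RemoteCredentialGuardHost {
    [CmdletBinding()]
    param()

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name   = 'DisableRestrictedAdmin'

    # A missing value yields $null here rather than an error.
    $raw = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Assumption: build 14393 corresponds to Windows 10 Anniversary Update and
    # Windows Server 2016, the minimum named on the requirements slide.
    $buildOk = [int]$os.BuildNumber -ge 14393

    # Slide semantics: 0 enables Restricted Admin and Remote Credential Guard,
    # 1 disables. A missing value is treated as not opted in.
    if ($null -eq $raw)  { $setting = 'NotSet' }
    elseif ($raw -eq 0)  { $setting = 'Enabled' }
    elseif ($raw -eq 1)  { $setting = 'Disabled' }
    else                 { $setting = "Unexpected($raw)" }

    $ready = $buildOk -and $cs.PartOfDomain -and ($setting -eq 'Enabled')

    # The remediation is the command given on the slide, reported only when
    # the registry setting is what blocks readiness.
    $fix = $null
    if ($setting -ne 'Enabled') {
        $fix = 'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD'
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        OsCaption              = $os.Caption
        OsBuild                = $os.BuildNumber
        BuildMeetsRequirement  = $buildOk
        DomainJoined           = [bool]$cs.PartOfDomain
        DisableRestrictedAdmin = $setting
        Ready                  = $ready
        Remediation            = $fix
    }
}

Test-RemoteCredentialGuardHost | Format-List
```

The check covers only the host-side items on the slides; the client still has to be domain-joined with line of sight to domain controllers.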

Client Group Policy

Deployment considerations
- Only remote desktop sessions from AD domain users supported
  - Remote desktop sessions using local SAM accounts, Microsoft accounts, or Azure Active Directory accounts are unchanged
- Only signed-on user’s credentials are protected
  - Remote desktop sessions using prompted credentials are unchanged
- Accessing resources requires line of sight to DCs
  - Remote hosts obtain Kerberos service tickets for resources
- Compound authentication is not supported
  - Resources which require compound identity cannot be accessed by remote hosts

To Learn More about Remote Credential Guard
Publications:
- Protect Remote Desktop credentials with Remote Credential Guard
  Link: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard

Related Sessions
- BRK2129: Drop the hammer down on malware threats with Windows 10’s Device Guard
- BRK2133: Expand Windows Hello family to companion devices and browser
- BRK2134: Deploy and Manage Windows Hello for Business
- BRK2239: Delight users and IT with modern identity experiences on Windows 10
- IDL3068: Hands-On Learning: Deploy Device Guard
- IDL3073: Hands-On Learning: Breach resistance security in Windows Server 2016
- BRK3119: Transform MSIT’s security posture: the approach and lessons learned from our Windows 10 deployment

In review: session objectives and takeaways
Session objective(s):
- Discuss Credential Guard including its limitations: works only for domain accounts
- Discuss Remote Credential Guard and how it protects credentials from attackers on remote desktop servers: upgrade your servers
- See how the credential protections to date complement each other and build a stronger defense against credential theft attacks
- No one protection covers all attack surfaces
- Try it out and give us feedback
Contact: ymehta@microsoft.com

Thank you
