Credential protection in Windows: An overview

Presentation transcript:

BRK2077 Credential protection in Windows: An overview
Yogesh Mehta, Principal Program Manager Lead
ymehta@microsoft.com, Twitter: @yogeshmehta
9/20/2018 3:28 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session objectives and takeaways
Session objectives:
- Learn about credential theft
- Overview of credential protection
- How credential protection extends to cloud connected devices
- Learn about what’s new in 2017
Takeaways:
- Deploy Now!

TURBULENT TIMES
- 160 MILLION customer records compromised
- 229 DAYS between infiltration and detection
- $3 MILLION of cost/business impact per breach

Credential theft is today’s crisis
Yahoo Reveals Massive Breach of Data from 500M Accounts
“…The stolen information, according to Yahoo, could include names, email addresses, dates of birth, telephone numbers, password information, and possibly the question-answer combinations for security questions, which are often used to reset passwords,” Paul Blake, ABC News, September 22 2016
Source: “Yahoo Reveals Massive Data Breach.. ABC News Sep 22 2016

And the hits keep on coming..
Equifax data breach may affect half US population
“Thieves stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched from mid-May and July. The data taken affected as many as 143 million” Alfred Ng, CNET, September 7 2017
Source: https://www.cnet.com/news/equifax-data-leak-hits-nearly-half-of-the-us-population/

Credential Theft and Lateral Traversal

What is Single Sign-on (SSO)?
- Users enter credentials once
  - Signing on provides credentials to Windows
  - Security support providers (SSPs) receive a copy of the credentials
  - SSPs cache the credential or derived credentials
- Applications authenticate transparently
  - No prompting is required for the signed on user

What are credentials?
- Usernames & passwords
- Certificates or public/private key pairs
- Derived credentials
  - Used by protocols, for example:
    - NTLM
      - NT one way function (OWF)
    - Kerberos
      - DES, RC4, AES long-lived keys
      - TGT session keys
      - Service ticket session keys

What data can an admin access?
- Well-behaved admins
  - Can only access data to which the local administrators group has permissions
- Admins can elevate to SYSTEM
  - Or they can add rights to their access token.
  - Or they can load drivers which can effectively grant them kernel privileges.
- The result is access to any data to which the operating system has access.
  - This includes LSA secrets.

How on-prem credential theft attacks work
- Step 1: Get Administrator privilege on device
- Step 2: Read secrets from protected memory
- Step 3: Use secrets to attack other devices to obtain administrator privilege
- Repeat until obtain domain administrator privilege

How this results in gaining domain admin
Diagram labels: Control Data and Services Access

Conditions required for credential theft attacks
- Admin privilege: Attacker can elevate to SYSTEM
- Available: Credentials present to extract
- Extractable: Ability to remove credential from device
- Usable: Ability to use credential from another device

Credential Protections to date
Timeline axis: 2014 2015 2016 2017
- Win 8.1
  - Reduces plaintext password exposure
  - Delete credentials on sign-off
  - Protected Users
  - Restricted Admin
  - Local account & member of administrators group
- WS 2012 R2
  - Protected Users DC-side protections
  - Authentication Policies
- Win10 v1507
  - Credential Guard for signed-in user
  - Domain-joined device can sign on with public key
  - Kerberos IPV4/6 address hostname support
- Win10 v1607
  - Remote Credential Guard for signed-in user
  - PKINIT freshness extension client-side
- WS2016
  - Kerberos key trust
  - PKINIT freshness extension DC-side
  - Rolling public key user's NTLM secrets
  - Allowing network NTLM when user restricted to specific devices
- Win10 v1703
  - Remote Credential Guard for supplied credentials
  - Token Binding protocol w/ VBS protection
- Win10 v1709
  - MDM support for Credential Guard & VBS

The “Guards”
Diagram labels: Kerberos, NTLM, CredMan, Token Binding, Smart Cards, Microsoft Accounts, Azure AD, Virtualization Based Security (VBS), Hello, Credential Guard, Kerberos secrets, NTLM secrets, Saved Domain credentials, Key Guard, Auth blob, Token Binding Keys, Private Key, TPM, MSA secrets, AAD secrets, Private Key, VBS Key

Credential Guard

What is virtualization-based security?
- The technology Credential Guard is built on
  - Without it, there is no Credential Guard
- Uses the hypervisor for memory protection
  - VBS solutions run at a higher privilege than even the kernel.
  - These higher privileged modes are known as “Virtual Trust Levels”
- Isolated User Mode (IUM)
  - Secure execution environment in Windows
  - Nothing in “normal mode” may access the IUM memory.
  - Credential Guard runs in IUM

Interactions between Normal
Diagram labels: Attempts to read & write data fail; Able to read & write to data; User with Admin privileges; Isolated User Mode; Normal Mode; RPC

Why is this better?
- The attack surface of Windows is very large
  - The Windows kernel API is very broad
  - Administrators easily gain full SYSTEM access
- Virtual trust levels move the bar
  - The attack surface is reduced to the hypervisor & firmware
  - Users are removed from the equation

What credentials are protected
- Logon session’s NTLM
  - NTOWF
  - Supplied credentials (in v1709 and later)
- Logon session’s Kerberos
  - Username & password until initial TGT is obtained
  - Long term keys: DES, RC4 == NTOWF, AES
  - TGT session keys
  - Service ticket session keys (in v1709 and later)
- Credential Manager
  - Stored domain credentials

Deployment Requirements
- DC Requirements
  - None
- Device Requirements
  - Windows 10 v1511 or later OR Windows Server 2016
  - x64 architecture
  - UEFI firmware version 2.3.1 or higher and Secure Boot
  - Trusted Platform Module (TPM) version 1.2 or 2.0 recommended
- Device Guard and Credential Guard Hardware Readiness Tool: https://www.microsoft.com/download/details.aspx?id=53337
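
A local check of the device requirements listed above, as an added PowerShell example that is not part of the presentation. The function name and the build thresholds (10586 for Windows 10 v1511, 14393 for Windows Server 2016) are assumptions of this example, and the UEFI firmware version itself is not checked.

```powershell
# Added example (not from the presentation): check this device against the
# "Device Requirements" list. Run in an elevated Windows PowerShell session.
# Assumed build thresholds: 10586 = Windows 10 v1511, 14393 = Windows Server 2016.
function Test-CredentialGuardReadiness {
    [CmdletBinding()]
    param()

    # Operating system release
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isClient = $os.ProductType -eq 1   # 1 = workstation, 2 = domain controller, 3 = server
    $minBuild = if ($isClient) { 10586 } else { 14393 }
    [pscustomobject]@{
        Requirement = 'Windows 10 v1511 or later OR Windows Server 2016'
        Level       = 'Required'
        Met         = ($build -ge $minBuild)
        Detail      = "$($os.Caption), build $build"
    }

    # x64: 64-bit OS on an x64 processor (Win32_Processor.Architecture 9 = x64)
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    [pscustomobject]@{
        Requirement = 'x64 architecture'
        Level       = 'Required'
        Met         = ([Environment]::Is64BitOperatingSystem -and ($cpu.Architecture -eq 9))
        Detail      = "Processor architecture code $($cpu.Architecture)"
    }

    # UEFI + Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS firmware
    # and in non-elevated sessions, so report those cases instead of failing.
    $secureBoot = $false
    $sbDetail   = 'Secure Boot is off'
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        if ($secureBoot) { $sbDetail = 'Secure Boot is on' }
    } catch [System.PlatformNotSupportedException] {
        $sbDetail = 'Firmware does not support UEFI Secure Boot (legacy BIOS boot)'
    } catch [System.UnauthorizedAccessException] {
        $sbDetail = 'Access denied; rerun elevated'
    } catch {
        $sbDetail = $_.Exception.Message
    }
    [pscustomobject]@{
        Requirement = 'UEFI firmware and Secure Boot (firmware version not checked)'
        Level       = 'Required'
        Met         = $secureBoot
        Detail      = $sbDetail
    }

    # TPM 1.2 or 2.0 is recommended, so a missing TPM is reported, not required.
    $tpmVersion = $null
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
        if ($tpm) { $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim() }
    } catch {
        $tpmVersion = $null   # namespace unavailable or session not elevated
    }
    $tpmDetail = if ($tpmVersion) { "TPM spec version $tpmVersion" } else { 'No TPM found' }
    [pscustomobject]@{
        Requirement = 'TPM version 1.2 or 2.0'
        Level       = 'Recommended'
        Met         = ($tpmVersion -in @('1.2', '2.0'))
        Detail      = $tpmDetail
    }
}

Test-CredentialGuardReadiness | Format-Table -AutoSize -Wrap
```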

Group Policy

Examples of credentials not protected by Win 10 Credential Guard
- Local SAM accounts
- Microsoft accounts
- Credentials managed by applications

Deployment considerations
- 3rd party Security Support Providers (SSPs) secrets are not protected by Credential Guard
- NTLM v1 is blocked
  - Note: since Credential Guard protects signed-on credentials, MS-CHAPv2 will prompt for credentials.
  - Upgrade Wi-Fi & VPN if needed
- Kerberos unconstrained delegation is blocked

Security considerations
- User input vulnerabilities are unchanged
  - Move to bound public keys for sign on
  - See BRK2076: Windows Hello for Business: What’s New in 2017
- Security threats evolve. So will we

To Learn More about Credential Guard
- Microsoft Virtual Academy
  - Deep Dive into Credential Guard
- Channel 9
  - Windows 10 Virtual Secure Mode
  - Isolated User Mode in Windows 10
  - Isolated User Mode Processes and Features in Windows 10
  - Mitigating Credential Theft using the Windows 10 Isolated User Mode
- Publications
  - Protect derived domain credentials with Credential Guard

Credential Protection for AADJ devices

Credential Protection for AADJ devices
- Different protections for different types of credentials
  - AAD device key and Windows Hello key are protected by TPM
  - Derived credentials (Kerberos TGT and NTLM hash) are protected using VBS
  - Primary Refresh Token is encrypted using session key which is tied to the TPM
  - Refresh token and access token are protected using token binding, with Token Binding key protected with VBS
- Token binding
  - Token Binding protocol allows applications and services to cryptographically bind their security tokens to the TLS layer to mitigate token theft and replay attacks
  - Details: https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding

Enabling VBS and Credential Guard on AADJ
- With v1709, you can enable VBS and Cred Guard using MDM
  - DeviceGuard/EnableVirtualizationBasedSecurity
  - DeviceGuard/LsaCfgFlags
  - DeviceGuard/RequirePlatformSecurityFeatures
- For setting the policy: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
- For getting status after application, look at Device Guard section: https://docs.microsoft.com/en-us/windows/client-management/mdm/devicestatus-csp
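
One way to confirm on the device that the three policies took effect, as an added PowerShell example that is not part of the presentation. It reads the Win32_DeviceGuard WMI class rather than the DeviceStatus CSP; the function name and the sample object are constructed for illustration, and the value meanings follow Microsoft's Policy CSP and Win32_DeviceGuard documentation.

```powershell
# Added example (not from the presentation): compare what Win32_DeviceGuard
# reports with what the three MDM policies above are meant to produce.
function Test-CredentialGuardPolicyApplied {
    [CmdletBinding()]
    param(
        # Value pushed for DeviceGuard/RequirePlatformSecurityFeatures:
        # 1 = Secure Boot, 3 = Secure Boot and DMA protection.
        [ValidateSet(1, 3)]
        [int]$RequirePlatformSecurityFeatures = 1,

        # Optional constructed object, so the checks can be exercised off-device.
        [object]$DeviceGuard
    )

    if (-not $DeviceGuard) {
        $DeviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
    }

    $vbsStatus  = [int]$DeviceGuard.VirtualizationBasedSecurityStatus
    $configured = @($DeviceGuard.SecurityServicesConfigured | ForEach-Object { [int]$_ })
    $running    = @($DeviceGuard.SecurityServicesRunning    | ForEach-Object { [int]$_ })
    $required   = @($DeviceGuard.RequiredSecurityProperties | ForEach-Object { [int]$_ })

    # VirtualizationBasedSecurityStatus values 0, 1 and 2, in that order.
    $vbsText  = @('not enabled', 'enabled but not running', 'enabled and running')
    $findings = @()

    if ($vbsStatus -ne 2) {
        $findings += "EnableVirtualizationBasedSecurity: VBS is $($vbsText[$vbsStatus])"
    }
    # In the SecurityServices* arrays, 1 = Credential Guard.
    if ($configured -notcontains 1) {
        $findings += 'LsaCfgFlags: Credential Guard is not configured'
    } elseif ($running -notcontains 1) {
        $findings += 'LsaCfgFlags: Credential Guard is configured but not running'
    }
    # In RequiredSecurityProperties, 2 = Secure Boot and 3 = DMA protection.
    if ($required -notcontains 2) {
        $findings += 'RequirePlatformSecurityFeatures: Secure Boot is not required'
    }
    if ($RequirePlatformSecurityFeatures -eq 3 -and $required -notcontains 3) {
        $findings += 'RequirePlatformSecurityFeatures: DMA protection is not required'
    }

    [pscustomobject]@{
        Compliant              = ($findings.Count -eq 0)
        VbsStatus              = $vbsText[$vbsStatus]
        CredentialGuardRunning = ($running -contains 1)
        Findings               = $findings
    }
}

# Constructed sample: the policy has been delivered, but VBS has not started,
# so Credential Guard is configured without actually protecting anything yet.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 1
    SecurityServicesConfigured        = @(1)
    SecurityServicesRunning           = @(0)
    RequiredSecurityProperties        = @(1, 2)
}
Test-CredentialGuardPolicyApplied -DeviceGuard $sample | Format-List

# On the managed device itself, omit -DeviceGuard to read the live state:
# Test-CredentialGuardPolicyApplied -RequirePlatformSecurityFeatures 3
```

Win32_DeviceGuard does not show whether LsaCfgFlags was set with or without UEFI lock, so that distinction has to be read from the policy itself.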

VBS protection for keys

Protecting keys when importing them
- When importing via PowerShell:
    Import-PfxCertificate -ProtectPrivateKey VSM test.pfx
- When importing via the Import wizard:

Remote Credential Guard

Fixing a device provides attacker with admin credentials
- Existing Solution
  - Remote Desktop with Restricted Admin
- Problems
  - Requires user to be admin on the Remote Desktop Server host (remote host)
  - Outbound connections are as remote host identity
  - No Multi-hop Remote Desktop connection support

Remote Credential Guard
https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#remote-credential-guard-requirements
- DC Requirements
  - None
- Remote Host Requirements
  - Windows 10 Anniversary Update or Windows Server 2016
  - Domain-joined to trusting domain
  - Restricted Admin enabled (opt in)
- Remote Desktop Client (RDC) Device Requirements
  - Domain-joined (requires logon session)
  - Line of sight to domain controllers

Why is this better?
- Non-admin user can protect credentials
- Outbound connections are as user’s identity
- Multi-hop Remote Desktop connections supported
- When client disconnects
  - No new authenticated connections can be made from remote host
  - Existing authenticated connections can continue to work from remote host

To Learn More about Remote Credential Guard
- Publications
  - Protect Remote Desktop credentials with Remote Credential Guard
  - Link: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard

In review: session objectives and takeaways
- Deploy Now!!
  - Review the documentation
  - Try out scenarios
  - Windows Insider Lab for Enterprise
- Report gaps so we can make it better
- Give us feedback: ymehta@microsoft.com

Related sessions
- BRK2075: Extending Windows Hello with trusted signals
- BRK2076: Windows Hello for Business: What’s New in 2017
- BRK2078: Microsoft’s guide for going password-less
- THR2259: Microsoft’s guide for going password-less
