Credential protection in Windows: An overview


1 Credential protection in Windows: An overview
9/20/2018 3:28 PM
BRK2077: Credential protection in Windows: An overview
Yogesh Mehta, Principal Program Manager Lead
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Session objectives and takeaways
Session objectives:
- Learn about credential theft
- Overview of credential protection
- How credential protection extends to cloud-connected devices
- Learn about what’s new in 2017
Takeaways:
- Deploy now!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Turbulent times
- 160 million customer records compromised
- 229 days between infiltration and detection
- $3 million of cost/business impact per breach

5 Credential theft is today’s crisis
“Yahoo Reveals Massive Breach of Data from 500M Accounts … The stolen information, according to Yahoo, could include names, addresses, dates of birth, telephone numbers, password information, and possibly the question-answer combinations for security questions, which are often used to reset passwords.”
Source: Paul Blake, “Yahoo Reveals Massive Data Breach”, ABC News, September

6 And the hits keep on coming
“Equifax data breach may affect half US population. Thieves stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched from mid-May and July. The data taken affected as many as 143 million.”
Source: Alfred Ng, CNET, September

7 Credential Theft and Lateral Traversal

8 What is Single Sign-on (SSO)?
- Users enter credentials once
- Signing on provides credentials to Windows
- Security support providers (SSPs) receive a copy of the credentials
- SSPs cache the credential or derived credentials
- Applications authenticate transparently; no prompting is required for the signed-on user

9 What are credentials?
- Usernames & passwords
- Certificates or public/private key pairs
- Derived credentials, used by protocols, for example:
  - NTLM: NT one-way function (NTOWF)
  - Kerberos: DES, RC4, AES long-lived keys; TGT session keys; service ticket session keys

10 What data can an admin access?
Well-behaved admins can only access data to which the local Administrators group has permissions.
Admins can elevate to SYSTEM, add rights to their access token, or load drivers which effectively grant them kernel privileges. The result is access to any data to which the operating system has access. This includes LSA secrets.

11 How on-prem credential theft attacks work
Step 1: Get administrator privilege on a device
Step 2: Read secrets from protected memory
Step 3: Use secrets to attack other devices to obtain administrator privilege
Repeat until domain administrator privilege is obtained

12 How this results in gaining domain admin
(Diagram; labels: Control, Data and Services, Access)

13 Conditions required for credential theft attacks
- Admin privilege: attacker can elevate to SYSTEM
- Available: credentials present to extract
- Extractable: ability to remove the credential from the device
- Usable: ability to use the credential from another device

14 Credential protections to date
2014
- Win 8.1: reduces plaintext password exposure; delete credentials on sign-off; Protected Users; Restricted Admin; local account & member of Administrators group
- WS 2012 R2: Protected Users DC-side protections; Authentication Policies
2015
- Win10 v1507: Credential Guard for signed-in user; domain-joined device can sign on with public key; Kerberos IPv4/6 address hostname support
2016
- Win10 v1607: Remote Credential Guard for signed-in user; PKINIT freshness extension client-side
- WS 2016: Kerberos key trust; PKINIT freshness extension DC-side; rolling public-key users' NTLM secrets; allowing network NTLM when user is restricted to specific devices
2017
- Win10 v1703: Remote Credential Guard for supplied credentials; Token Binding protocol with VBS protection
- Win10 v1709: MDM support for Credential Guard & VBS

15 The “Guards”
(Diagram.) Credential types shown: Kerberos, NTLM, CredMan, Token Binding, Smart Cards, Microsoft Accounts, Azure AD, Hello.
Virtualization Based Security (VBS):
- Credential Guard: Kerberos secrets, NTLM secrets, saved domain credentials
- Key Guard: auth blob, Token Binding keys, private key
TPM: MSA secrets, AAD secrets, private key, VBS key

16 Credential Guard

17 What is virtualization-based security?
- The technology Credential Guard is built on; without it, there is no Credential Guard
- Uses the hypervisor for memory protection
- VBS solutions run at a higher privilege than even the kernel. These higher-privileged modes are known as “Virtual Trust Levels”
- Isolated User Mode (IUM): a secure execution environment in Windows. Nothing in “normal mode” may access the IUM memory. Credential Guard runs in IUM

18 Interactions between Normal Mode and Isolated User Mode
(Diagram.) A user with admin privileges is able to read & write data in Normal Mode; attempts to read & write Isolated User Mode data fail. Normal Mode and Isolated User Mode communicate over RPC.

19 Why is this better?
- The attack surface of Windows is very large: the Windows kernel API is very broad, and administrators easily gain full SYSTEM access
- Virtual trust levels move the bar: the attack surface is reduced to the hypervisor & firmware, and users are removed from the equation

20 What credentials are protected
- Logon session’s NTLM: NTOWF; supplied credentials (in v1709 and later)
- Logon session’s Kerberos: username & password until the initial TGT is obtained; long-term keys (DES, RC4 == NTOWF, AES); TGT session keys; service ticket session keys (in v1709 and later)
- Credential Manager: stored domain credentials

21 Deployment requirements
DC requirements: none
Device requirements:
- Windows 10 v1511 or later, or Windows Server 2016
- x64 architecture
- UEFI firmware version or higher, and Secure Boot
- Trusted Platform Module (TPM) version 1.2 or 2.0 recommended
Device Guard and Credential Guard Hardware Readiness Tool:

22 Group Policy
(Screenshot of the Credential Guard Group Policy setting.)

23 Examples of credentials not protected by Win 10 Credential Guard
- Local SAM accounts
- Microsoft accounts
- Credentials managed by applications

24 Deployment considerations
- Secrets held by 3rd-party Security Support Providers (SSPs) are not protected by Credential Guard
- NTLM v1 is blocked
- Note: since Credential Guard protects signed-on credentials, MS-CHAPv2 will prompt for credentials. Upgrade Wi-Fi & VPN if needed
- Kerberos unconstrained delegation is blocked
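A pre-rollout check for the three compatibility items on this slide, added here as an example (it is not from the deck). It assumes the RSAT ActiveDirectory module for the delegation query and read access to computer objects; the registry value, cmdlets and their parameters are documented Windows ones, the function names are mine.

```powershell
# Added example (not from the deck). Finds what this slide says will break or
# change behaviour once Credential Guard is on, so it can be fixed first.

# 1. NTLMv1 is blocked. LmCompatibilityLevel 0-2 still allow LM/NTLMv1
#    responses; 3-5 send NTLMv2 only (3 is the default when the value is absent
#    on supported Windows versions).
function Get-NtlmV1Exposure {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    $level = if ($null -eq $lsa) { 3 } else { [int]$lsa.LmCompatibilityLevel }
    [pscustomobject]@{
        Check   = 'NTLMv1'
        Value   = $level
        Finding = if ($level -lt 3) { 'NTLMv1 responses still allowed; raise LmCompatibilityLevel to 3 or higher' }
                  else { 'NTLMv2 only' }
    }
}

# 2. Unconstrained delegation is blocked. List computer accounts with
#    TRUSTED_FOR_DELEGATION set, skipping domain controllers (which always have it).
function Get-UnconstrainedDelegationHosts {
    Import-Module ActiveDirectory
    $dcs = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties OperatingSystem |
        Where-Object { $dcs -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Check   = 'Unconstrained delegation'
                Value   = $_.Name
                Finding = "Unconstrained delegation on $($_.OperatingSystem); move to constrained or resource-based delegation"
            }
        }
}

# 3. MS-CHAPv2 loses single sign-on and will prompt. Report VPN profiles on
#    this device that authenticate with MS-CHAPv2 so they can be moved to EAP.
function Get-MsChapV2VpnProfiles {
    Get-VpnConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.AuthenticationMethod -contains 'MSChapv2' } |
        ForEach-Object {
            [pscustomobject]@{
                Check   = 'MS-CHAPv2'
                Value   = $_.Name
                Finding = 'VPN profile uses MS-CHAPv2; expect credential prompts, upgrade to EAP'
            }
        }
}

function Get-CredentialGuardReadinessReport {
    @(Get-NtlmV1Exposure) + @(Get-UnconstrainedDelegationHosts) + @(Get-MsChapV2VpnProfiles)
}

Get-CredentialGuardReadinessReport | Format-Table -AutoSize -Wrap
```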

25 Security considerations
- User input vulnerabilities are unchanged
- Move to bound public keys for sign-on; see BRK2076: Windows Hello for Business: What’s New in 2017
- Security threats evolve. So will we

26 To learn more about Credential Guard
Microsoft Virtual Academy: Deep Dive into Credential Guard
Channel 9:
- Windows 10 Virtual Secure Mode
- Isolated User Mode in Windows 10
- Isolated User Mode Processes and Features in Windows 10
- Mitigating Credential Theft using the Windows 10 Isolated User Mode
Publications: Protect derived domain credentials with Credential Guard

27 Credential Protection for AADJ devices

28 Credential Protection for AADJ devices
Different protections for different types of credentials:
- AAD device key and Windows Hello key are protected by the TPM
- Derived credentials (Kerberos TGT and NTLM hash) are protected using VBS
- Primary Refresh Token is encrypted using a session key which is tied to the TPM
- Refresh token and access token are protected using token binding, with the Token Binding key protected with VBS
Token binding: the Token Binding protocol allows applications and services to cryptographically bind their security tokens to the TLS layer to mitigate token theft and replay attacks. Details:

29 Enabling VBS and Credential Guard on AADJ
With v1709, you can enable VBS and Cred Guard using MDM DeviceGuard/EnableVirtualizationBasedSecurity DeviceGuard/LsaCfgFlags DeviceGuard/RequirePlatformSecurityFeatures For setting the policy:  For getting status after application, look at Device Guard section:
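A status check to run after the policy has applied, added here as an example (not from the deck). It reads the documented Win32_DeviceGuard WMI class, which is what the Device Guard section of msinfo32 reports, and decodes the values per Microsoft's documentation; the second function reads the documented manual-configuration registry values, and their correspondence to the MDM CSP settings named on the slide is an assumption, so rely on Win32_DeviceGuard for effective state.

```powershell
# Added example (not from the deck). Effective VBS / Credential Guard state.
function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Value meanings from the Win32_DeviceGuard documentation.
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $services = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI';
                   3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $props    = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure Memory Overwrite';
                   5 = 'UEFI code read-only'; 6 = 'SMM security mitigations'; 7 = 'Mode-based execution control' }

    # Required-but-unavailable platform properties explain most
    # "configured but not running" cases (e.g. Secure Boot off).
    $missing = @($dg.RequiredSecurityProperties |
                 Where-Object { $_ -ne 0 -and $dg.AvailableSecurityProperties -notcontains $_ })

    [pscustomobject]@{
        VbsStatus                   = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured          = @($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] }) -join ', '
        ServicesRunning             = @($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] }) -join ', '
        CredentialGuardRunning      = ($dg.SecurityServicesRunning -contains 1)
        MissingPlatformRequirements = @($missing | ForEach-Object { $props[[int]$_] }) -join ', '
    }
}

# Configured intent as written by the documented manual/Group Policy path.
# Assumption: these are the same settings the CSP names on the slide control.
# Documented meanings: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled
# without lock; RequirePlatformSecurityFeatures 1 = Secure Boot, 3 = Secure Boot + DMA.
function Get-CredentialGuardPolicyIntent {
    $dgReg  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsaReg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'         -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableVirtualizationBasedSecurity = $dgReg.EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = $dgReg.RequirePlatformSecurityFeatures
        LsaCfgFlags                       = $lsaReg.LsaCfgFlags
    }
}

Get-CredentialGuardPolicyIntent | Format-List
Get-CredentialGuardStatus       | Format-List
```

A configured service that is not in ServicesRunning usually pairs with a non-empty MissingPlatformRequirements entry, which points at the firmware or Secure Boot setting to fix.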

30 VBS protection for keys

31 Protecting keys when importing them
When importing via PowerShell: Import-PfxCertificate -ProtectPrivateKey VSM test.pfx
When importing via the Import wizard: (screenshot of the wizard option)
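The PowerShell import from the slide carried through, added here as an example (not from the deck): the key is imported with VSM protection, then used for a signature from normal mode to show it stays usable while the key material itself stays in the isolated environment. The path and password are placeholders; it assumes an RSA certificate and a machine where VBS is already running, since VSM protection fails otherwise.

```powershell
# Added example (not from the deck). Import with VBS ("VSM") key protection,
# then prove the key is usable without ever being handed to the caller.
param(
    [string]$PfxPath = 'C:\placeholder\test.pfx',                          # placeholder path
    [securestring]$PfxPassword = (Read-Host -AsSecureString 'PFX password')
)

# Same cmdlet as the slide, with the store location made explicit.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $PfxPassword `
                              -ProtectPrivateKey VSM

# Signing is brokered to the isolated environment; normal mode sees only the signature.
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$data = [System.Text.Encoding]::UTF8.GetBytes('constructed test message')
$sig  = $rsa.SignData($data,
                      [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                      [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

# Verify with the public half, as any relying party would.
$pub      = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$verified = $pub.VerifyData($data, $sig,
                            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

[pscustomobject]@{
    Thumbprint     = $cert.Thumbprint
    HasPrivateKey  = $cert.HasPrivateKey
    KeyProvider    = $rsa.Key.Provider.Provider   # CNG key storage provider holding the key
    ExportPolicy   = $rsa.Key.ExportPolicy        # expected: None, the key cannot leave the device
    SignatureValid = $verified
}
```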

32 Remote Credential Guard

33 Fixing a device provides attacker with admin credentials
Existing solution: Remote Desktop with Restricted Admin
Problems:
- Requires the user to be admin on the Remote Desktop Server host (remote host)
- Outbound connections are made as the remote host identity
- No multi-hop Remote Desktop connection support

34 Remote Credential Guard
DC requirements: none
Remote host requirements:
- Windows 10 Anniversary Update or Windows Server 2016
- Domain-joined to a trusting domain
- Restricted Admin enabled (opt in)
Remote Desktop Client (RDC) device requirements:
- Domain-joined (requires a logon session)
- Line of sight to domain controllers

35 Why is this better?
- Non-admin user can protect credentials
- Outbound connections are made as the user’s identity
- Multi-hop Remote Desktop connections supported
- When the client disconnects: no new authenticated connections can be made from the remote host; existing authenticated connections can continue to work from the remote host

36 To learn more about Remote Credential Guard
Publications: Protect Remote Desktop credentials with Remote Credential Guard. Link:

37 In review: session objectives and takeaways
Deploy now!
- Review the documentation
- Try out scenarios: Windows Insider Lab for Enterprise
- Report gaps so we can make it better
Give us feedback:

38 Related sessions
- BRK2075: Extending Windows Hello with trusted signals
- BRK2076: Windows Hello for Business: What’s New in 2017
- BRK2078: Microsoft’s guide for going password-less
- THR2259: Microsoft’s guide for going password-less

39 Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!
