What Is Windows Credential Guard, and Should You Use It?
Enterprise and Pro versions of Windows 10 and Windows 11 offer Credential Guard, but what does it do, and how can you enable it?
Windows Credential Guard is a security feature that protects authentication credentials against malicious attacks. It prevents hackers from tampering with system tools or running malicious code on your computer. This feature is available on Enterprise and Pro flavors of Windows 10 and Windows 11. You should consider enabling Credential Guard if you handle or access sensitive data locally or remotely on a Windows domain or workgroup.
What Is Credential Guard Exactly?
When you start your computer, a process called Local Security Authority Server Service (LSASS) authenticates the login credentials and grants you access. LSASS also stores these credentials (encrypted passwords, NT hashes, LM hashes, and Kerberos tickets) in memory during active sessions, so you don’t have to re-enter your password every time you need to make changes or access files.
Saving the credentials in memory during sessions is handy compared to the alternative: manual identity authentication at every step. Granted, entering authentication credentials now and then improves security. But authentication credentials are lengthy, especially in their hashed forms. It would be especially inconvenient if you had to make a change quickly, and particularly frustrating if you made a mistake and had to re-enter a password. And if you have to write down the password somewhere, this could potentially increase your security risk. Because LSASS handles these authentications for you, using your device stays efficient.
But as you can imagine, like anything that stores valuable, sensitive data, LSASS is a jackpot for hackers. They can compromise LSASS through credential-stealing attacks using tools like Mimikatz, Crackmapexec, and Lsassy. Hackers use these tools to delete, replace, or alter the real system file (lsass.exe).
There are ways to stop credential stealing before a hacker does immense damage, and it is possible to stop an attack once you’ve discovered it. However, it’s better to prevent the attack in the first place. Credential Guard protects against malicious attacks by creating an isolated LSASS process (LSAIso) that stores authentication data securely.
Why You Should Enable Credential Guard on Your PC
The security feature isolates login credentials from the rest of the system’s memory as well as the main process (lsass.exe) that handles authentication. So, it is essentially a black box.
You should use Credential Guard if you have several computers that are part of a domain or workgroup. Why? An attacker who compromises a device with admin login credentials can compromise the entire network. Enabling this feature effectively prevents an attacker from getting total control of sensitive information if they compromise a system.
Your System Must Meet Requirements
Windows Credential Guard is exclusive to the Enterprise and Pro flavors of Windows 10 and 11. Recent versions of Windows Server also have this security feature, but the device must meet strict hardware and software requirements.
For starters, the device must have a 64-bit CPU (to support virtualization-based security) and Secure Boot. Microsoft also recommends having a Trusted Platform Module (TPM) version 1.2 or 2.0 and UEFI lock (to prevent attackers from bypassing the security setup with regedit). You can check the baseline requirements based on the computer or server you want to protect.
How to Enable Credential Guard on Windows
Your computer or server will have Credential Guard enabled by default if it meets Microsoft’s baseline requirements. To check whether this security feature is already enabled, press Start, then type ‘msinfo32.exe’. Select System Information > System Summary. You should see ‘Virtualization-based security Services Running’ and ‘Credential Guard, Hypervisor enforced Code Integrity’ next to each other.
If Credential Guard is not enabled on your computer, you can enable the feature in three main ways: through Group Policy, editing Windows Registry, or using Microsoft Intune. There’s also the option to enable Credential Guard with UEFI lock if you’re a power user. Most admins will find enabling this feature easier with Group Policy.
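The same check can be scripted, which is handy across a fleet. The PowerShell below is an added example, not code from the original article: it reads the Win32_DeviceGuard CIM class that msinfo32 reports from, and also reads the two LsaCfgFlags registry values that the Regedit section of this article walks through. The function name is hypothetical; run it in an elevated session.

```powershell
# Added example (not from the article): report Credential Guard state the way
# msinfo32 does, plus the two LsaCfgFlags registry values the article refers to.
# Hypothetical function name. Win32_DeviceGuard is documented by Microsoft:
#   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
#   SecurityServicesRunning/Configured: array containing 1 = Credential Guard, 2 = HVCI
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # LsaCfgFlags meaning: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    # These are the two locations the article's Regedit section sets to 0 when disabling.
    $flagMeaning = @{ 0 = 'Disabled'; 1 = 'Enabled (UEFI lock)'; 2 = 'Enabled (no lock)' }
    $paths = @{
        Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
        Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    }
    $flags = @{}
    foreach ($name in $paths.Keys) {
        $v = (Get-ItemProperty -Path $paths[$name] -Name 'LsaCfgFlags' `
                               -ErrorAction SilentlyContinue).LsaCfgFlags
        $flags[$name] = if ($null -eq $v)                        { 'Not set' }
                        elseif ($flagMeaning.ContainsKey([int]$v)) { $flagMeaning[[int]$v] }
                        else                                       { "Unknown ($v)" }
    }

    [pscustomobject]@{
        VbsStatus                 = $vbs
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning    -contains 2)
        LsaCfgFlagsPolicy         = $flags.Policy
        LsaCfgFlagsLsa            = $flags.Lsa
    }
}

Get-CredentialGuardState | Format-List
```

A host where CredentialGuardConfigured is true but CredentialGuardRunning is false usually needs a reboot or fails a hardware requirement from the previous section.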
How to Disable Credential Guard on Windows
Despite its usefulness in preventing credential stealing and pass-the-hash attacks, Credential Guard will break some services and protocols. For instance, enabling the security feature prevents you from using Windows To Go, Kerberos unconstrained delegation, and DES encryption.
Also, you cannot use third-party Security Support Providers (SSPs) because they are vulnerable to credential-stealing attacks. Wi-Fi and VPN endpoints based on MS-CHAPv2 are equally vulnerable and will be disabled when you enable Credential Guard.
If you need some of the aforementioned features, you can disable Credential Guard for however long you need. But be sure to set a reminder to re-enable it.
Disabling With Group Policy Editor
Your first option is to disable Credential Guard by changing the Group Policy settings.
To do this, press Start and type ‘gpedit’, then select Edit Group Policy. Go to Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security > Options. Set ‘Credential Guard Configuration’ to Disabled, click OK to save the change and then restart your computer.
Disabling With Regedit
This option is useful if you enabled Defender Credential Guard by a method other than UEFI lock or Group Policy. To disable Credential Guard with Regedit, press Start and type ‘regedit’, then select Registry Editor. First, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set the LsaCfgFlags value to ‘0’.
Next, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard and set the LsaCfgFlags value there to ‘0’ as well.
You can also follow Microsoft’s instructions for disabling Credential Guard with UEFI lock or disabling the security feature on a virtual machine.
Enabling Credential Guard Is Only a Prevention
The rule of thumb is to install a fence around your garden before planting, especially if you live in an area with livestock on free roam. That fence would be useless if you already have goats on your property—in which case, you’d need to chase them out.
The same principle applies to safeguarding your sensitive login data. When enabled, Credential Guard prevents hackers from stealing your data. However, it would be ineffective if the attacker has already established themselves in your network or compromised the device. So, if you decide to use this security feature on a new work computer, make sure it’s enabled before the computer joins the Windows domain or workgroup.
Reference: https://www.makeuseof.com/what-is-windows-credential-guard/