Secure Your Windows 10 Passwords with Credential Guard
Arguably the biggest improvement in Microsoft’s latest operating system, Windows 10, is its security features. With new tools and baked-in solutions for securing identities, data, and devices, you no longer have to rely on third-party protection. One security improvement in particular has piqued my interest: Credential Guard.
To understand what Credential Guard does and how it helps keep you secure, we first need to look at the existing problem it is trying to solve. Since Windows 2000, Microsoft has stored the plain-text passwords of logged-in users in memory. It does this in the process called the Local Security Authority Subsystem Service (LSASS). Basically, Microsoft was using LSASS memory to allow logged-in users to connect to other services without having to re-enter their password, a process known as pass-through authentication. This was, and still is, a great convenience for users, but because Microsoft failed to protect the contents of this memory, any system user could use a relatively trivial attack to obtain the passwords and password hashes of every logged-in user.
Imagine you are connected to a terminal server with a hundred other users and you can read the contents of LSASS memory and display all of their passwords in plain text. The same could be done on any server or workstation running Windows. This is obviously a major security hole, and hackers wasted no time in exploiting this weakness with attacks such as “Pass the Hash” as well as simply stealing plain-text passwords. These attacks were likely leveraged in the Sony, Home Depot and Target security breaches, where large numbers of systems were compromised after breaching only a single entry system.
To better understand what this looks like, I have included two screenshots below.
This screenshot shows this weakness exploited on a Windows 7 fully patched workstation. Notice the passwords and NTLM hashes are in clear text.
This screenshot shows the same attack performed on a Windows 10 workstation. Notice the missing passwords and hashes.
By using virtualization-based security, Windows 10 protects your passwords and hashes. The LSA process in the operating system talks to the isolated LSA by using remote procedure calls. Data stored by using virtualization-based security is not accessible to the rest of the operating system. This can be seen in the graphic below.
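Because the isolation only helps when Credential Guard is actually running, the check below is worth having on every Windows 10 host. It is an added PowerShell example, not part of the original post: it reads the Win32_DeviceGuard WMI class (the values it interprets are the ones Microsoft documents for that class) and, as a second step, writes the documented DeviceGuard and LSA registry values that turn the feature on; the function names are my own.

```powershell
# Added example (not from the original post). Reports whether virtualization-based
# security (VBS) and Credential Guard are running, using the Win32_DeviceGuard class.
# Documented meanings: VirtualizationBasedSecurityStatus 0 = off, 1 = enabled but not
# running, 2 = running; SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI.
function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $vbsNames = @{ 0 = 'Disabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $vbs = [int]$dg.VirtualizationBasedSecurityStatus
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VbsStatus                 = if ($vbsNames.ContainsKey($vbs)) { $vbsNames[$vbs] } else { "Unknown($vbs)" }
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning    -contains 2)
    }
}

# Writes the documented registry values that enable VBS and Credential Guard.
# Requires an elevated shell, a reboot, and hardware with UEFI, Secure Boot and
# virtualization extensions. LsaCfgFlags 1 = enabled with UEFI lock (cannot be
# turned off remotely), 2 = enabled without the lock.
function Enable-CredentialGuard {
    param([switch]$UefiLock)
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures   -Type DWord -Value 1  # 1 = Secure Boot
    $flags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Type DWord -Value $flags
    Write-Host 'Credential Guard configured; reboot, then re-run Get-CredentialGuardStatus.'
}

# Usage: report the current state and flag hosts where LSASS secrets are not isolated.
$status = Get-CredentialGuardStatus
$status | Format-List
if (-not $status.CredentialGuardRunning) {
    Write-Warning "Credential Guard is NOT running on $($status.ComputerName): LSASS secrets remain readable."
}
```

A host that reports CredentialGuardConfigured as true but CredentialGuardRunning as false has usually not been rebooted yet or lacks a hardware prerequisite, so the second value is the one to alert on.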