Credential Guard is a specific feature that is not part of Device Guard; it aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass-the-Hash style attack in the event that malicious code is already running via a local or network-based vector. The two are different but complementary, as they offer different protections against different types of threats.
VSM (Virtual Secure Mode) is a feature that leverages the on-chip virtualization extensions of the CPU to sequester critical processes and their memory against tampering by malicious entities, providing added security for data in memory. The way this works is that the Hyper-V hypervisor is installed, the same way it is added when you install the Hyper-V role. The diagram below illustrates the relationship of the hypervisor with the installed operating system, usually referred to as the host operating system.
The difference between this and a traditional architecture is that the hypervisor sits directly on top of the hardware, rather than the host OS (Windows) interacting directly at that layer. The hypervisor serves to abstract the host OS and any guest OS or processes from the underlying hardware itself, providing control and scheduling functions that allow the hardware to be shared. In this way, the VSM instance is segregated from the normal operating system functions and is protected from attempts to read information held in that mode.
The protections are hardware-assisted, since the hypervisor requests that the hardware treat those memory pages differently. From here, we now have a protected mode in which security-sensitive operations can run. While this Trustlet-specific communication is allowed, malicious code or users in the host OS attempting to read or manipulate the data in VSM will find it significantly harder than on a system without this configured, which provides the security benefit.
This allows all of the standard calls to LSA to still succeed, offering excellent legacy and backwards compatibility, even for services or capabilities that require direct communication with LSA. Deploying VSM is fairly straightforward.
You simply need to verify that you have the appropriate hardware configuration, install certain Windows features, and configure VSM via Group Policy. It actually is the Virtual Secure Mode feature; you can thank a last-minute name change for that. Update: In Windows 10, Version this is indeed an integrated feature and no longer needs to be explicitly enabled.
Enabling this setting and leaving all the settings blank or at their defaults will turn on VSM, ready for the steps below for Device Guard and Credential Guard. The most important thing to realize is that Device Guard is not a single feature; rather, it is a set of features designed to work together to prevent untrusted code from running on a Windows 10 system.
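After the Group Policy setting is applied, the practical question is whether VSM actually came up and which of Credential Guard and hypervisor-enforced code integrity are running, since a missing hardware prerequisite leaves the services "configured" but not "running". The following PowerShell script is an added example, not code from the original article or from Lenovo or Microsoft. It reads the documented `Win32_DeviceGuard` WMI class and the registry key that the "Turn On Virtualization Based Security" policy writes to; the function names, the id-to-name tables and the output layout are my own assumptions.

```powershell
# Added example (not from the original article): compare what the Group Policy
# setting asked for with what VSM is actually doing at runtime.
# Win32_DeviceGuard and the policy registry path are documented Windows
# locations; the function names and the lookup tables below are mine.

function Get-VsmPolicyIntent {
    # The "Turn On Virtualization Based Security" policy writes its values here.
    # EnableVirtualizationBasedSecurity: 1 = on
    # RequirePlatformSecurityFeatures:   1 = Secure Boot, 3 = Secure Boot + DMA protection
    # LsaCfgFlags:                       1 = Credential Guard with UEFI lock, 2 = without lock
    # HypervisorEnforcedCodeIntegrity:   1 = on with UEFI lock, 2 = without lock
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures,
                      LsaCfgFlags, HypervisorEnforcedCodeIntegrity
}

function Get-VsmRuntimeStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Service ids used by SecurityServicesConfigured / SecurityServicesRunning
    $svc  = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    # Platform property ids used by RequiredSecurityProperties / AvailableSecurityProperties
    $prop = @{ 1 = 'Hypervisor'; 2 = 'SecureBoot'; 3 = 'DMAProtection';
               4 = 'SecureMemoryOverwrite'; 5 = 'NX'; 6 = 'SMMMitigations'; 7 = 'MBEC' }
    # Map an id to a name, falling back to the raw id for values not in the table
    $name = { param($table, $id)
              if ($table.ContainsKey([int]$id)) { $table[[int]$id] } else { "Id$id" } }

    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { & $name $svc $_ })
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { & $name $svc $_ })
    # Platform properties the configuration requires but the firmware/CPU does not offer
    $missing    = @($dg.RequiredSecurityProperties |
                    Where-Object { $_ -notin @($dg.AvailableSecurityProperties) } |
                    ForEach-Object { & $name $prop $_ })

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
        VBSStatus            = $dg.VirtualizationBasedSecurityStatus
        ServicesConfigured   = $configured -join ', '
        ServicesRunning      = $running -join ', '
        ConfiguredNotRunning = @($configured | Where-Object { $_ -notin $running }) -join ', '
        MissingPlatformProps = $missing -join ', '
        # Code integrity enforcement: 0 = off, 1 = audit, 2 = enforced
        KmciEnforcement      = $dg.CodeIntegrityPolicyEnforcementStatus
        UmciEnforcement      = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

'--- Policy intent (registry) ---'; Get-VsmPolicyIntent   | Format-List
'--- Runtime status (WMI) ---';     Get-VsmRuntimeStatus  | Format-List
```

Run it in an elevated session on the server after the policy refresh and reboot. A `VBSStatus` of 1 together with a non-empty `MissingPlatformProps` is the usual sign that the firmware (Secure Boot, IOMMU/DMA protection) rather than the policy is what still needs attention; a service listed under `ConfiguredNotRunning` with no missing properties typically means the reboot has not happened yet.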
When these features are enabled together, the system is protected by Device Guard, providing class-leading malware resistance in Windows. CCI (Configurable Code Integrity) dramatically changes the trust model of the system to require that code be signed and trusted for it to run. Other code simply cannot execute. While this is extremely effective from a security perspective, it presents some challenges in ensuring that code is signed.
Your existing applications will likely be a combination of code that is signed by the vendor and code that is not. For code that is signed by the vendor, the easiest option is just to use a tool called signtool. KMCI (Kernel Mode Code Integrity) is the component that handles the control aspects of enforcing code integrity for kernel-mode code.
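Before CCI is switched from audit to enforcement, the mixture of signed and unsigned binaries the paragraph describes has to be inventoried, otherwise the first enforced boot is where you discover what stops working. The script below is an added example, not code from the original article or from Lenovo or Microsoft: it walks one or more install directories with the built-in `Get-AuthenticodeSignature` cmdlet and groups the results by signature status. The function name, the directory path and the CSV file name are placeholders I chose for illustration.

```powershell
# Added example (not from the original article): inventory executable files
# by Authenticode signature status before enforcing Configurable Code Integrity.
# Get-AuthenticodeSignature is a built-in cmdlet; the function name, the
# sample path and the output file name are placeholders.

function Get-SignatureInventory {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # File types that CCI cares about: user-mode executables and libraries, kernel drivers
        [string[]]$Include = @('*.exe', '*.dll', '*.sys')
    )
    Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            }
        }
}

# Placeholder directory; point this at the application trees you intend to allow.
$inventory = Get-SignatureInventory -Path 'C:\Program Files\ExampleVendor'

# Summary: how much of the tree is already covered by a valid vendor signature
$inventory | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Everything that is not 'Valid' needs a decision: vendor re-sign, catalog signing,
# or an explicit allow rule. Save it for review (placeholder file name).
$inventory | Where-Object Status -ne 'Valid' |
    Export-Csv -Path '.\cci-unsigned-inventory.csv' -NoTypeInformation

# Distinct signers seen: these are the publisher certificates a CCI policy would trust.
$inventory | Where-Object Status -eq 'Valid' | Select-Object -ExpandProperty Signer -Unique
```

`HashMismatch` entries deserve a closer look than `NotSigned` ones: the file carries a signature but its contents no longer match it, which is either a patched binary or a vendor packaging mistake, and CCI will block it either way. For a single file, `signtool verify /pa /v <file>` gives the same verdict with the full certificate chain printed.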
Device Guard and Credential Guard are two important security features of the Microsoft Windows Server operating system that leverage virtualization capabilities from the hardware and the hypervisor to provide additional protection for critical subsystems and data. Customers can implement these features to secure their devices and data, such as user or system secrets, and hashed credentials.
To benefit from these two features, the servers you are protecting must meet certain baseline hardware, firmware, and software requirements. This document introduces Device Guard and Credential Guard and shows users how to enable them on supported Lenovo ThinkSystem servers. This paper is intended for IT specialists, technical architects, and sales engineers who want to learn more about Device Guard and Credential Guard and how to enable them.
It is expected that readers have some experience with Windows Server administration. Lenovo Press. Author: Guiqing Li.