Windows Virtual Desktop and Windows Defender Credential Guard

Update: Now this feature is fully supported using Generation 2 Virtual Machines

Original Article:

NOTE: this is something that is NOT currently supported by Windows Virtual Desktop... It's only me playing with a feature that is still in preview...

In 2015 I was a TSP (Technical Solution Professional) for Microsoft, which basically means that I was a pre-sales engineer responsible for the selling and adoption of a specific solution. My specialization was Windows 10.

Lots of conversations about the value of Windows 10 Enterprise were focused on the security capabilities. This slide was in my standard discussion deck:

Ok ok, not all the names are up to date (Windows Defender Advanced Threat Protection is now Microsoft Defender for Endpoint) but you can spot the huge difference in security features between Windows 7 (grey), Windows 10 Professional (light blue) and Windows 10 Enterprise (blue).

My favorite feature? Windows Defender Credential Guard! Easy to implement, very useful... IMHO it's a feature that alone can justify the cost of Windows 10 Enterprise.

So what is Windows Defender Credential Guard? Well, it's better for you to read this article, but basically it helps to defend your domain credentials.

How does it work? In a nutshell, it uses a virtualized sandbox called VBS (Virtualization Based Security) to keep the credentials outside the Windows 10 operating system boundaries.

If your OS is hit by a pass-the-hash or pass-the-ticket attack (very common), the credentials are not stolen because they are stored in a "virtualized vault" outside the operating system.

As you can see, you have the hardware, the hypervisor, the primary partition (the operating system) and, on the left side, the virtualized vault with a separate kernel that is responsible for keeping secrets like credentials as secure as possible.

In order to do that, you need to fulfill some requirements, and until today it was not possible to use this feature in Azure.

But at Ignite 2021 we announced that Trusted Launch for Azure Virtual Machines is now in preview!!! And now it seems possible to meet all the Credential Guard requirements.

So I believe we can give it a try...

So first of all I created a Windows 10 Enterprise 20H2 (Single Session) Virtual Machine in North Europe using the ARM template that I found in this article.

From System Information, I can check that "Secure Boot State" is "On".

Now from "Turn Windows Features on or off" I'm able to turn on "Hyper-V Services".

Yes, I know you can enable Windows Defender Credential Guard also with a GPO, MEM or the dedicated readiness tool... But this time I did everything manually... You can check the other methods to achieve the same result and use the one that you prefer.

After a reboot I opened the registry editor and in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard I created a new DWORD named EnableVirtualizationBasedSecurity with value 1.

And in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA I created another DWORD named LsaCfgFlags with value 2 (read the article above to understand all the possibilities).

After another reboot I can see from System Information that Credential Guard is enabled, and I'm logged on to a virtual machine in Azure!
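The same manual steps (Hyper-V feature, the two registry DWORDs, and the System Information check) as one added PowerShell example; this is my own illustration, not code from the original post. It assumes an elevated session on the Windows 10 Enterprise VM, and that you reboot between the configuration part and calling Test-CredentialGuard.

```powershell
# Added example, not from the original article: scripts the GUI/regedit steps
# above and the verification the post does through System Information.
# Assumed: run as Administrator; reboot before calling Test-CredentialGuard.

# Reads the WMI class behind System Information's "Virtualization-based
# security Services Running" line. A value of 1 in SecurityServicesRunning
# means Credential Guard is actually running, not merely configured.
function Test-CredentialGuard {
    $state = Get-CimInstance -ClassName Win32_DeviceGuard `
                             -Namespace 'root\Microsoft\Windows\DeviceGuard'
    [pscustomobject]@{
        VbsStatus                 = $state.VirtualizationBasedSecurityStatus  # 2 = running
        CredentialGuardConfigured = ($state.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($state.SecurityServicesRunning -contains 1)
    }
}

# 1. Secure Boot must be on (Trusted Launch / Generation 2 VM). Stop if not.
if (-not (Confirm-SecureBootUEFI)) {
    throw "Secure Boot is off: Credential Guard prerequisites are not met."
}

# 2. Hyper-V hypervisor platform (the Hyper-V feature the post turns on).
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -NoRestart | Out-Null

# 3. Turn on Virtualization Based Security (the post's first DWORD).
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Enable Credential Guard without UEFI lock (LsaCfgFlags = 2, as in the post;
#    1 adds the UEFI lock so it cannot be switched off remotely, 0 disables it).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-ItemProperty -Path $lsa -Name LsaCfgFlags -PropertyType DWord -Value 2 -Force | Out-Null

Write-Host "Configuration written. Reboot, then run Test-CredentialGuard to verify."
```

After the reboot, Test-CredentialGuard should report CredentialGuardRunning = True; a host where it is configured but not running is the case to chase, since it is exactly the state a dumped LSASS would still expose.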

I manually installed the Windows Virtual Desktop and FSLogix agents and performed a login with my classic test account Albert King.

All good...

Now it's time to test whether Windows Defender Credential Guard is working properly... And in order to do that, I would like to simulate a veeeeeery basic "pass the hash" attack using mimikatz. But in order to download this little hacking tool I first need to stop Windows Defender Antivirus, because it's a very good antimalware product and it would immediately catch my clumsy hacking attempt...

So Windows Security -> Virus & threat protection -> Manage settings.

I'm doing a terrible thing! I'm switching off Real-Time protection and all the other protections... I feel quite bad about that, but it's only for a few seconds.

I downloaded Mimikatz from GitHub and extracted the .zip file into a c:\Mimikatz folder.

Now I'm ready. The commands that you must execute from a cmd session are:

  • Mimikatz.exe
  • privilege::debug
  • sekurlsa::logonpasswords

The tool tried to retrieve the credentials stored inside the virtual machine, but as you can see, while it's able to catch my username alber.king and my domain MyWVDLab, for the credentials it only finds a generic "Encrypted" alphanumeric value.

The same clumsy attack on another virtual machine, hosted in another WVD Host Pool without Credential Guard, and I'm now able to retrieve the NTLM hash of the password.

Just to clarify, it's not that easy to execute a pass the hash attack in a real situation, but it's also true that real hackers are 100000000000 times better than me at performing attacks, and that lots of modern threats try to steal credentials in order to gain higher privileges, so it's a really common problem and any mitigation technique is more than welcome...

Azure and Microsoft 365 can help prevent/mitigate risks (consider at least Multi-Factor Authentication and Conditional Access) and, because we are talking about Windows Virtual Desktop, please take a look at my Excel sheet that gives you an overview of what a given license level can offer in terms of security capabilities that you can apply to your WVD deployment.

In a nutshell, Windows Defender Credential Guard is very useful and easy to implement (the easiest way is through group policy or MEM policy).

Román Castro

Hogia Infrastructure Services | People & Technology manager

3 years

Marco, this is beautiful! I would highly recommend you revisit this topic once the features are out of public preview. I'm sure the MSSP community would highly appreciate this!

Dennis Schoone

Founder @CloudMatters | Enterprise Cloud Architect | Amateur Brewer | Speaker | Cloud Enthusiast | Microsoft Certified Trainer | Founder of the Microsoft Cloud & AI Netherlands Meetup

3 years

So the big question would be.... when will this be supported?
