Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-63323 | WN10-00-000010 | SV-77813r1_rule | | Medium |
Description |
---|
Credential Guard uses virtualization-based security to protect secrets that, if compromised, could be used in credential theft attacks. A number of system requirements must be met for Credential Guard to be configured and enabled properly. Without a TPM that is enabled and ready for use, Credential Guard keys are stored by a less secure, software-only method. |
STIG | Date |
---|---|
Windows 10 Security Technical Implementation Guide | 2015-11-30 |
Check Text ( C-64057r2_chk ) |
---|
Verify domain-joined systems have a TPM enabled and ready for use. For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot, and Hyper-V. Verify the system has a TPM and that it is ready for use: run "tpm.msc" and review the sections in the center pane. "Status" must indicate the TPM has been configured, with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". Under "TPM Manufacturer Information", "Specification Version" must be 2.0 or 1.2. If a TPM is not found or is not ready for use, this is a finding. |
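The check above, scripted for the Windows 10 host it runs on, as an added PowerShell example that is not part of the STIG. It assumes the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class (both need an elevated prompt); the VDI exception cannot be detected automatically and stays a manual determination.

```powershell
# Added example: automates the WN10-00-000010 check with Get-Tpm (TrustedPlatformModule
# module) and the Win32_Tpm WMI class, which reports the TPM specification version.
# Returns an object whose Finding field is $true when the check fails.
function Test-WN10CredGuardTpm {
    [CmdletBinding()]
    param()

    # Standalone (non-domain-joined) systems are NA per the check text.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return [PSCustomObject]@{ Status = 'NA'; Reason = 'Standalone system'; SpecVersion = $null; Finding = $false }
    }

    # Get-Tpm errors when no TPM device/driver is present; treat that as "TPM not found".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
    } catch {
        return [PSCustomObject]@{ Status = 'Open'; Reason = 'No TPM found'; SpecVersion = $null; Finding = $true }
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3"; the first field is the
    # "Specification Version" shown by tpm.msc.
    $wmi  = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi -and $wmi.SpecVersion) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }

    $reasons = @()
    if (-not $tpm.TpmPresent) { $reasons += 'TPM not present' }
    if (-not $tpm.TpmReady)   { $reasons += 'TPM not ready for use' }   # tpm.msc "Status" check
    if ($spec -notin @('2.0', '1.2')) { $reasons += "Unsupported TPM specification version '$spec'" }

    [PSCustomObject]@{
        Status      = if ($reasons.Count -gt 0) { 'Open' } else { 'NotAFinding' }
        Reason      = ($reasons -join '; ')
        SpecVersion = $spec
        Finding     = ($reasons.Count -gt 0)
    }
}

Test-WN10CredGuardTpm | Format-List
```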
Fix Text (F-69241r2_fix) |
---|
For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot, and Hyper-V. Ensure domain-joined systems have a Trusted Platform Module (TPM) that is configured for use. (The initial release of Windows 10 requires version 2.0; a later release of Windows 10 will add support for version 1.2.) The TPM must be enabled in the firmware. Run "tpm.msc" for configuration options in Windows. |