Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-63599 | WN10-CC-000075 | SV-78089r1_rule | | High |
Description |
---|
Credential Guard uses virtualization-based security to protect secrets that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of the operating system and can only be accessed by privileged system software. |
STIG | Date |
---|---|
Windows 10 Security Technical Implementation Guide | 2015-11-30 |
Check Text ( C-64349r2_chk ) |
---|
Confirm Credential Guard is running on domain-joined systems. For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding. The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: LsaCfgFlags Value Type: REG_DWORD Value: 1 A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link. https://technet.microsoft.com/en-us/library/mt483740%28v=vs.85%29.aspx |
Fix Text (F-69529r2_fix) |
---|
For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V. Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:". A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link. https://technet.microsoft.com/en-us/library/mt483740%28v=vs.85%29.aspx |
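
The Check Text procedure as a script, added here as an example and not part of the STIG or any Microsoft tooling. It separates the running state (authoritative) from the LsaCfgFlags policy value (informational). The function name `Test-CredentialGuardStig` and its status strings are assumptions, and the VDI exemption cannot be detected automatically, so it is left to the reviewer.

```powershell
# Added example: automates the V-63599 check. Function name and status strings are illustrative.
function Test-CredentialGuardStig {
    $result = [ordered]@{
        FindingId               = 'V-63599'
        Status                  = $null   # NotAFinding | Finding | NotApplicable | Error
        Detail                  = $null
        SecurityServicesRunning = $null
        LsaCfgFlags             = $null
    }
    # Standalone (non-domain-joined) systems are NA per the check text.
    if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
        $result.Status = 'NotApplicable'
        $result.Detail = 'System is not domain-joined.'
        return [pscustomobject]$result
    }
    # Policy-backed registry value: recorded for context only, it does not prove the service runs.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $reg = Get-ItemProperty -Path $key -Name LsaCfgFlags -ErrorAction SilentlyContinue
    if ($reg) { $result.LsaCfgFlags = $reg.LsaCfgFlags }
    # Authoritative check: the running state reported by Win32_DeviceGuard.
    try {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop
    } catch {
        $result.Status = 'Error'
        $result.Detail = "Win32_DeviceGuard query failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    $running = @($dg.SecurityServicesRunning)
    $result.SecurityServicesRunning = $running -join ', '
    if ($running -contains 1) {
        $result.Status = 'NotAFinding'
        $result.Detail = 'Credential Guard is running.'
    } elseif ($result.LsaCfgFlags -eq 1) {
        # Policy applied but service not running: the hardware requirements are the likely gap.
        $result.Status = 'Finding'
        $result.Detail = 'LsaCfgFlags=1 but Credential Guard is not running; verify TPM, UEFI Secure Boot and Hyper-V.'
    } else {
        $result.Status = 'Finding'
        $result.Detail = 'Credential Guard is not running and LsaCfgFlags is not 1.'
    }
    [pscustomobject]$result
}

Test-CredentialGuardStig | Format-List
```

Run it from an elevated PowerShell session, as the Check Text requires. An `Error` status means the Win32_DeviceGuard query itself failed and the system needs manual review.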