Recently, while working with a customer during an SCCM Windows 10 pilot, the customer reported issues with the Wi-Fi connection. The customer suspected the newly developed SCCM task sequence was at fault, since their previous SCCM Windows 10 task sequence was working fine. In short, the issue was not related to the new SCCM task sequence. Rather, the fact that Credential Guard was enabled by the NEW task sequence was the “issue”. This blog post, “WiFi MS-CHAPv2 Connection Limitations Using Credential Guard”, highlights the findings, why Credential Guard should remain ENABLED, and why UAT testing should include security feature testing.
Using an SCCM Windows 10 1809 task sequence, Windows Credential Guard was enabled via task sequence steps. After the OS deployment, the Wi-Fi connection did not allow the use of a “Windows User Account”. The Wi-Fi enterprise setup allows less secure connections such as PEAP/EAP MS-CHAPv2. By design, Windows Credential Guard was doing its job – blocking less secure connections. Once Credential Guard was DISABLED, the Wi-Fi connection worked and Windows AD user account credentials were allowed.
Using Microsoft’s “Device Guard Readiness Tool” PowerShell script, Credential Guard can be enabled or disabled as needed. This is useful during UAT application testing.
Credential Guard Limitations
As noted in Microsoft’s article, passwords are still weak:
“If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2 to certificate-based authentication such as PEAP-TLS or EAP-TLS.”
For more details about what to remember when enabling Credential Guard, see the article here.
At a high level, here are important things to consider and WHY Credential Guard is a critical security countermeasure against common attacks such as WannaCry, Petya and other ransomware.
- Wi-Fi / VPN
  - Less secure connections such as MS-CHAPv2 should be replaced with certificate-based authentication such as “PEAP/EAP TLS”.
- Saved Windows Credentials Protected
  - Generic usernames and passwords are NOT protected, since the web application may require a cleartext password.
- 3rd Party Security Tools
  - Some 3rd party security tools might not be compatible with Windows Credential Guard.
- NTLMv1 and SMBv1 are insecure and every effort should be made to DISABLE the use of these authentication methods and
UAT Testing of Credential Guard
Credential Guard uses Windows 10 Virtualization-based Security to isolate Credential Manager secrets so that only privileged system software can access them. In other words, Credential Guard helps protect your logon credentials from credential theft attacks such as Pass-the-Hash or Pass-the-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications, such as domain credentials.
It’s understandable that customers might be tempted to DISABLE Windows Credential Guard as a knee-jerk reaction if a Business Unit experiences issues.
Instead of DISABLING Credential Guard, the better approach is to thoroughly test Credential Guard as part of the WaaS rollout of Windows 10. When gathering details about UAT apps, be sure to include security tools and features. In the application catalog, track the UAT testing results for Credential Guard as part of the functional testing, too.
Don’t become the next victim of ransomware, as we have seen with the City of Baltimore, the City of Atlanta, hospital systems and more. Windows 10 Credential Guard is one security countermeasure that should be implemented in organizations to slow down the bad guys/girls. Use the “Device Guard and Credential Guard hardware readiness tool” PowerShell module to enable/disable Credential Guard during UAT testing.
Device Guard and Credential Guard hardware readiness tool – PowerShell script to check readiness state of Credential Guard. Used to Disable or enable Credential Guard as a standalone process for testing or production use.
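To make the UAT check repeatable, the script below (an added example, not part of the original post or of Microsoft's readiness tool) reports whether Credential Guard is actually running on the pilot machine and lists which saved Wi-Fi profiles still rely on MS-CHAPv2, so the profiles that need to move to PEAP-TLS/EAP-TLS can be found before the business unit hits the Wi-Fi failure described above. It assumes a Windows 10 host with the WLAN service present and an elevated PowerShell prompt; the function names are my own.

```powershell
# Added example (not from the original post): audit Credential Guard state and
# report saved Wi-Fi profiles that still authenticate with MS-CHAPv2.
# Assumes Windows 10, the WLAN service, and an elevated PowerShell session.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Get-WlanProfileEapAudit {
    $tmp = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        # netsh writes one XML file per saved profile; no key material is exported without key=clear
        netsh wlan export profile folder="$tmp" | Out-Null
        foreach ($file in Get-ChildItem -Path $tmp -Filter '*.xml') {
            [xml]$doc = Get-Content -Path $file.FullName -Raw
            # EAP method codes under EAPConfig: 25 = PEAP (outer), 13 = EAP-TLS, 26 = EAP-MSCHAPv2.
            # Namespace-agnostic XPath because the profile XML mixes several namespaces.
            $types = @($doc.SelectNodes("//*[local-name()='EAPConfig']//*[local-name()='Type']") |
                       ForEach-Object { [int]$_.InnerText })
            # UseWinLogonCredentials is the "Windows User Account" (SSO) setting of the MSCHAPv2 inner method
            $winLogon = @($doc.SelectNodes("//*[local-name()='UseWinLogonCredentials']") |
                          ForEach-Object { $_.InnerText -eq 'true' })
            $usesMsChapV2 = ($types -contains 26)
            [pscustomobject]@{
                Profile           = $doc.WLANProfile.name
                EapTypes          = ($types -join ',')
                UsesMsChapV2      = $usesMsChapV2
                UsesWinLogonCreds = ($winLogon -contains $true)
                Recommendation    = $(if ($usesMsChapV2) { 'Migrate to PEAP-TLS / EAP-TLS' } else { 'OK' })
            }
        }
    } finally {
        Remove-Item -Path $tmp -Recurse -Force
    }
}

Get-CredentialGuardState | Format-List
Get-WlanProfileEapAudit | Format-Table -AutoSize
```

Record both outputs in the application catalog alongside the UAT result: a profile flagged UsesMsChapV2 with UsesWinLogonCreds set is exactly the combination that stops working once CredentialGuardRunning is true.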