For Part 1 of this Windows 10 security series, please check the link below.
Pass the Hash was one of the hottest attacks of 2015. No major attack last year happened without some flavour of PTH, against either local or domain accounts: stealing the hash and passing it to other services, and so on.
Windows 10 introduced a new feature, Credential Guard, also known as Virtual Secure Mode (VSM). The main idea is to use Microsoft Hyper-V: Hyper-V is enabled on the Windows 10 machine, and a special secure kernel mode built on the virtualization technology stores critical processes such as the Local Security Authority (your passwords). This new feature promises to finally get rid of Pass the Hash attacks and the stealing of passwords and hashes. This secure kernel mode has no GUI or network access, and it communicates with the OS in a new format that cannot be replayed or passed (at least for the time being).
How to Enable Credential Guard
- First of all, we need to add Hyper-V from Control Panel – Programs and Features – Turn Windows features on or off.
- Secure Boot needs to be enabled.
- This feature works only on Windows 10 Enterprise.
- The machine should be domain joined, as this protects domain accounts; it is not for local accounts. For local accounts you should have other protection mechanisms, such as Microsoft LAPS.
- VSM or Credential Guard can be enabled using Group Policy (with the updated Group Policy templates for Windows 10 copied to the Domain Controller central store). In my case I am enabling it manually on my laptop using the Local Group Policy Editor, as shown below (Computer Configuration – Administrative Templates – System – Device Guard – Turn on Virtualization Based Security).
- Enable the setting. I picked Enabled without lock so it can be controlled or disabled later using Group Policy. A detailed description is shown in the Help section.
- Start the special VSM process by editing the Boot Configuration Data, as shown below, from an elevated command prompt.
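The steps above can be checked and applied from PowerShell as well. The script below is an added example and not part of the original post: it tests the prerequisites listed (Hyper-V hypervisor feature, Secure Boot, Enterprise edition, domain membership), writes the documented registry values that the "Turn on Virtualization Based Security" policy sets (`EnableVirtualizationBasedSecurity`, `RequirePlatformSecurityFeatures` and `LsaCfgFlags`), and after the reboot reads the `Win32_DeviceGuard` WMI class to confirm Credential Guard is actually running rather than just configured. `LsaCfgFlags` 2 is the "Enabled without lock" choice made above; 1 is "Enabled with UEFI lock", which cannot be switched off remotely, not even by Group Policy. The function names are my own; the boot configuration step is not covered here.

```powershell
# Added example (not from the original post): PowerShell equivalent of the policy
# setting above plus a post-reboot check that VSM/Credential Guard is running.
#Requires -RunAsAdministrator

function Test-CredentialGuardPrerequisites {
    # Checks the prerequisites listed in the post: Hyper-V hypervisor feature,
    # Secure Boot, Windows 10 Enterprise and domain membership.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $hypervisor = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not enabled".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    [pscustomobject]@{
        HyperVHypervisorEnabled = ($hypervisor.State -eq 'Enabled')
        SecureBootEnabled       = [bool]$secureBoot
        EnterpriseEdition       = ($os.Caption -match 'Enterprise')
        DomainJoined            = [bool]$cs.PartOfDomain
    }
}

function Enable-CredentialGuardRegistry {
    param(
        # -UefiLock writes LsaCfgFlags = 1 ("Enabled with UEFI lock"): cannot be turned
        # off remotely, not even by Group Policy. Without it LsaCfgFlags = 2 is written
        # ("Enabled without lock"), the choice made in the post so policy can disable it later.
        [switch]$UefiLock
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }

    # Turn on virtualization-based security and require Secure Boot as the platform
    # security feature (1 = Secure Boot; 3 = Secure Boot and DMA protection).
    New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -PropertyType DWord -Value 1 -Force | Out-Null

    # LsaCfgFlags selects Credential Guard: 1 = enabled with UEFI lock, 2 = enabled without lock.
    $lsaCfg = if ($UefiLock) { 1 } else { 2 }
    New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -PropertyType DWord -Value $lsaCfg -Force | Out-Null
}

function Get-CredentialGuardStatus {
    # Reads the Device Guard WMI class that reports what VBS really has running after
    # the reboot. VirtualizationBasedSecurityStatus is 2 when VBS is running;
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
    }
}

# Usage, from an elevated PowerShell prompt:
# Test-CredentialGuardPrerequisites          # all four fields should be True
# Enable-CredentialGuardRegistry             # same effect as "Enabled without lock" in the GPO
# Restart-Computer
# Get-CredentialGuardStatus                  # CredentialGuardRunning should be True
```

Checking `CredentialGuardRunning` rather than the registry or the policy report matters: a machine can have the policy applied and `SecurityServicesConfigured` showing 1 while VBS never started, for example because Secure Boot or the hypervisor feature is missing, and in that state LSA secrets are still in the normal `lsass` process.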