MikhailFirsov-1277 asked MikhailFirsov-1277 answered

Question on Credential Guard

Hello!

The theory:

By enabling Windows Defender Credential Guard, the following features and solutions are provided:

- Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- Virtualization-based security: Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- Better protection against advanced persistent threats: When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked.

The practice (after enabling CG):

1) The domain user account displays neither its NTLM hash (it displays encrypted content) nor its Kerberos password:

[screenshot: q3.png]

2) The domain computer account does display its NTLM hash, and its Kerberos password field is not empty as it is for the user account but instead contains the encrypted password:

[screenshot: q2.png]

As far as I can see, the documentation above says nothing about differences between user and computer accounts, so

Q1: Why does the computer account still have its NTLM hash visible?

Q2: Is this difference in displaying NTLM and Kerberos hashes/passwords by design for CG?

Thank you in advance,
Michael

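Before drawing conclusions from what a credential-dumping tool shows, it is worth confirming that Credential Guard is actually configured and running on the host: a configured-but-not-running state (missing VBS prerequisites, pending reboot) leaves LSASS unprotected, and Credential Guard only isolates the domain-derived credentials that LSASS holds, not every secret on the machine. The following PowerShell is an added example, not part of the original thread. It reads the Win32_DeviceGuard WMI class, the LsaCfgFlags registry value and the presence of the LsaIso.exe process, all of which Microsoft documents for this purpose; the function name and the property names of the output object are my own.

```powershell
# Added example (not from the original post): report whether Credential Guard
# is configured, whether it is actually running, and whether the isolated LSA
# process (LsaIso.exe) exists. WMI class, registry path and value meanings are
# Microsoft's; Get-CredentialGuardState and the output property names are mine.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports VBS services that are configured vs. running.
    # SecurityServices* values: 1 = Credential Guard, 2 = HVCI (memory integrity)
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled, 2 = running
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name 'LsaCfgFlags' `
                                -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning    -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning    -contains 2)
        LsaCfgFlags               = $lsaCfg
        # LsaIso.exe is the VBS-isolated LSA; it only exists when CG is running
        LsaIsoRunning             = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if (-not $state.CredentialGuardRunning) {
    Write-Warning ('Credential Guard is not running (VbsStatus={0}, LsaCfgFlags={1}). ' +
                   'Check VBS prerequisites or reboot before testing credential isolation.') `
                   -f $state.VbsStatus, $state.LsaCfgFlags
}
```

Run it elevated on the host you are testing. CredentialGuardRunning should be True and LsaIsoRunning should be True at the same time; if only CredentialGuardConfigured is True, the policy has been applied but the isolated LSA has not started, and anything observed in LSASS at that point says nothing about Credential Guard's behaviour.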

DaisyZhou-MSFT answered

Hello @MikhailFirsov-1277,

Thank you for posting here.

Q&A currently supports the products listed over here https://docs.microsoft.com/en-us/answers/products (more to be added later on).

Windows Defender Credential Guard is not within the scope of the MICROSOFT Q&A platform for the time being.

We can search many tags and add the tags, but for some topics, there is no technical engineer from Microsoft team to provide support.

Maybe some experts from Community Expert or MVP can provide some help to you in this thread.

Thank you for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

MikhailFirsov-1277 answered MikhailFirsov-1277 edited

Hello DaisyZhou-MSFT,

"Windows Defender Credential Guard is not within the scope of the MICROSOFT Q&A platform for the time being." - ??? Credential Guard is just one of the features of Windows Server and Windows Server is listed on the page you mentioned... weird ...

DaisyZhou-MSFT answered

Hello @MikhailFirsov-1277,

Thank you for your reply.

It may be necessary to collect logs for further analysis and troubleshooting of your request.

We hope some experts from Community Expert or MVP can provide some help to you in this thread.

If no one responds to this post in a long time, I suggest you submit a service request to MS Professional tech support service so that a dedicated support professional can further assist you with this request.

The following web sites, with more detail on Professional Support options and incident submission methods, are for your reference:

https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

Thank you for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
Bagitman-1090 answered Bagitman-1090 edited

Hi. I don't know the answer, but let me take an educated guess. To use mimikatz and find these keys, you already need local admin or system permissions, and admins may impersonate the system account at any time. So why protect the NTLM hash? You already are system.

So the thinking continues: the attacker may use the system (= computer) account now. But may he use it tomorrow? The Kerberos ticket expires tomorrow, so its usage is limited to 10 hours by default. Its NTLM hash, however, could be passed (not cracked, as the pw behind it is random and 120 chars long), so why not protect it? Is the action of passing it limited to the originating computer? I would think so, and that would explain why.

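The lifetime question raised above can be measured rather than guessed. The computer account's secret is the machine account password, which the Netlogon service rotates by default every 30 days (the MaximumPasswordAge value; DisablePasswordChange = 1 turns rotation off). A captured computer account NTLM hash is a domain credential, so its useful life is bounded by that rotation, not by the 10-hour Kerberos ticket lifetime and not by the host it was taken from. The following PowerShell is an added example, not part of the thread: it reads the local rotation settings and the account's pwdLastSet attribute from Active Directory via ADSI (no RSAT module needed). Registry value names and defaults are Microsoft's; the function name and output property names are my own.

```powershell
# Added example (not from the original thread): how old is this machine's
# account password, and is it still being rotated? Registry names/defaults are
# documented by Microsoft; Get-MachineAccountPasswordAge and the output
# property names are mine.

function Get-MachineAccountPasswordAge {
    $nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # MaximumPasswordAge: rotation interval in days (default 30 when absent)
    $maxAgeDays = if ($null -ne $nl.MaximumPasswordAge) { [int]$nl.MaximumPasswordAge } else { 30 }
    # DisablePasswordChange: 1 = this machine never changes its account password
    $rotationDisabled = ($nl.DisablePasswordChange -eq 1)

    # Find this computer's own object in the domain it is joined to
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $domain.GetDirectoryEntry()
    $searcher.Filter     = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $result = $searcher.FindOne()
    if ($null -eq $result) {
        throw "Computer object for $env:COMPUTERNAME not found in $($domain.Name)"
    }

    # pwdLastSet is a FILETIME: 100-ns intervals since 1601-01-01 UTC
    $pwdLastSet = [DateTime]::FromFileTimeUtc([int64]$result.Properties['pwdlastset'][0])
    $age        = (Get-Date).ToUniversalTime() - $pwdLastSet

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Domain               = $domain.Name
        PasswordLastSetUtc   = $pwdLastSet
        PasswordAgeDays      = [math]::Round($age.TotalDays, 1)
        RotationIntervalDays = $maxAgeDays
        RotationDisabled     = $rotationDisabled
        # Test-ComputerSecureChannel verifies the current password still works against a DC
        SecureChannelHealthy = Test-ComputerSecureChannel
    }
}

$info = Get-MachineAccountPasswordAge
$info | Format-List

if ($info.RotationDisabled -or $info.PasswordAgeDays -gt $info.RotationIntervalDays) {
    Write-Warning ('Machine account password is {0} days old and rotation is {1}; ' +
                   'a previously captured computer account hash would still be valid.') `
                   -f $info.PasswordAgeDays, $(if ($info.RotationDisabled) { 'disabled' } else { 'overdue' })
}
```

Run it elevated on a domain-joined host. `klist` on the same host shows the start and end times of the tickets currently held, which gives the other number in the comparison above: ticket lifetime is measured in hours, machine account password lifetime in days.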

MikhailFirsov-1277 answered

Hi Bagitman-1090,

Thank you for your suggestion!

"So why protect the ntlm hash? You already are system" - hm... frankly speaking, I doubt that some technique may work or not work depending on the risk associated with some action... I mean, do you think that Windows thinks "I will be hiding a user's NTLM hash because it's too risky to disclose it, but will not bother itself with the pointless work of hiding its own computer account's hash"?
