Intune: Enable Credential Guard

💼 Management Summary

Credential Guard = virtualization-based security (VBS) for credential protection: NTLM hashes and Kerberos tickets are isolated in a secure VM (hardware-based isolation).

Recommendation: IMPLEMENT
Risk without: Critical
Risk Score: 9/10
Implementation: 20 h (tech: 10 h)
Applies to:
✓ Windows 10
✓ Windows 11 Enterprise

Pass-the-hash is the #1 lateral movement technique. Attack chain: compromise a workstation → dump LSASS memory (Mimikatz) → extract NTLM hashes → pass-the-hash to other systems (no password needed). WITHOUT Credential Guard: LSASS runs in normal Windows, its memory can be dumped, and Mimikatz extracts credentials in seconds. WITH Credential Guard: LSASS secrets are isolated in the VBS secure kernel (hardware-isolated VM); a memory dump yields only encrypted credentials (useless); Mimikatz fails because it cannot reach the secure kernel. Result: pass-the-hash attacks BLOCKED.

Required PowerShell Modules
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

Credential Guard architecture. VBS (Virtualization-Based Security): the Hyper-V hypervisor creates an isolated VM. LSA Isolated: LSASS credentials live in the secure kernel VM. Hardware requirements: TPM 2.0, UEFI Secure Boot, virtualization extensions (Intel VT-x/AMD-V), SLAT (Second Level Address Translation). Protected: NTLM hashes, Kerberos tickets, Credential Manager credentials. Compatibility: some legacy apps are incompatible (NTLM SSO breaks).

Requirements

  1. Windows 10 Enterprise 1607+ or Windows 11 Enterprise
  2. TPM 2.0
  3. UEFI firmware (not BIOS)
  4. Secure Boot enabled
  5. Virtualization extensions (Intel VT-x/AMD-V)
  6. SLAT support
  7. Intune subscription
  8. Testing: legacy app compatibility (2-4 week pilot)

Implementation

Intune Settings Catalog: Device Guard → Enable Virtualization Based Security: Enabled → Platform Security Level: Secure Boot and DMA Protection → Credential Guard Configuration: Enabled with UEFI lock (prevents disabling). Test first: pilot group (IT team) → monitor app compatibility → gradual rollout.

Compliance

Microsoft Security Baseline, CIS Windows L2, BIO 12.01, ISO 27001 A.12.6.1, Zero Trust.

Monitoring

Use the PowerShell script credential-guard-enabled.ps1 (function Invoke-Monitoring) – Check.
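Added example, not part of the baseline's credential-guard-enabled.ps1: the registry check only shows what is configured, whereas this reports whether VBS and Credential Guard are actually running and whether the prerequisites from the requirements list (TPM 2.0, Secure Boot, virtualization, SLAT, DMA protection) are present. The function names Get-CredentialGuardState and Test-CredentialGuardRunning are assumed; the Windows classes and cmdlets used are documented ones.

```powershell
# Added example (not from the baseline script): runtime state + prerequisite check.
# Uses documented interfaces: Win32_DeviceGuard, Win32_Tpm, Win32_Processor, Confirm-SecureBootUEFI.
function Get-CredentialGuardState {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "no Secure Boot".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # Win32_DeviceGuard codes: VirtualizationBasedSecurityStatus 0 = off, 1 = enabled but not
    # running, 2 = running. SecurityServicesRunning/Configured: 1 = Credential Guard, 2 = HVCI.
    # AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection.
    [PSCustomObject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        UefiLock                  = ($lsa.LsaCfgFlags -eq 1)   # 1 = with UEFI lock, 2 = without
        SecureBoot                = $secureBoot
        DmaProtection             = ($dg.AvailableSecurityProperties -contains 3)
        Tpm20                     = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
        VirtualizationEnabled     = [bool]$cpu.VirtualizationFirmwareEnabled
        Slat                      = [bool]$cpu.SecondLevelAddressTranslationExtensions
    }
}

# Turns the state into findings a monitoring run can act on. "Configured but not running" is
# the case a registry-only check misses: usually a pending reboot or a missing prerequisite.
function Test-CredentialGuardRunning {
    $s = Get-CredentialGuardState
    $findings = @()
    foreach ($req in 'Tpm20', 'SecureBoot', 'VirtualizationEnabled', 'Slat') {
        if (-not $s.$req) { $findings += "Prerequisite missing: $req" }
    }
    if (-not $s.DmaProtection) { $findings += 'DMA protection not available on this platform' }
    if (-not $s.CredentialGuardConfigured) { $findings += 'Credential Guard not configured' }
    if ($s.CredentialGuardConfigured -and -not $s.CredentialGuardRunning) {
        $findings += 'Credential Guard configured but NOT running (reboot pending or prerequisite missing)'
    }
    if ($s.CredentialGuardRunning -and -not $s.UefiLock) {
        $findings += 'Running without UEFI lock: a local administrator can disable it via policy/registry'
    }
    [PSCustomObject]@{ Protected = ($s.VbsRunning -and $s.CredentialGuardRunning); Findings = $findings; State = $s }
}

Test-CredentialGuardRunning | Format-List
```

Run elevated; Confirm-SecureBootUEFI and the DeviceGuard namespace require administrator rights.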

Remediation

Use the PowerShell script credential-guard-enabled.ps1 (function Invoke-Remediation) – Remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Security Options: Credential Guard Enabled
.DESCRIPTION
    CIS - Windows Defender Credential Guard enabled.
.NOTES
    Filename: credential-guard-enabled.ps1 | Author: Nederlandse Baseline voor Veilige Cloud | Feature: Credential Guard | Expected: Enabled
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'

# Turns on Virtualization Based Security (prerequisite for Credential Guard)
$RegPath        = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$RegName        = "EnableVirtualizationBasedSecurity"
$ExpectedValue  = 1
# LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock, 0 = disabled
$RegPath2       = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$RegName2       = "LsaCfgFlags"
$ExpectedValue2 = 1

# Despite its name this function makes no Graph connection; it only checks that the
# current process is elevated, which is required for writing to HKLM.
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Compares both registry values against the expected (UEFI-locked) configuration.
function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName   = "credential-guard-enabled.ps1"
        PolicyName   = "Credential Guard"
        IsCompliant  = $false
        CurrentValue = $null
        Details      = @()
    }
    try {
        $v1 = Get-ItemProperty -Path $RegPath  -Name $RegName  -ErrorAction SilentlyContinue
        $v2 = Get-ItemProperty -Path $RegPath2 -Name $RegName2 -ErrorAction SilentlyContinue
        $r.CurrentValue = "$RegName=$($v1.$RegName); $RegName2=$($v2.$RegName2)"
        if ($v1.$RegName -eq $ExpectedValue -and $v2.$RegName2 -eq $ExpectedValue2) {
            $r.IsCompliant = $true
            $r.Details += "Credential Guard enabled"
        } else {
            $r.Details += "Credential Guard not fully enabled"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

function Invoke-Remediation {
    if (-not (Test-Path $RegPath))  { New-Item -Path $RegPath  -Force | Out-Null }
    Set-ItemProperty -Path $RegPath  -Name $RegName  -Value $ExpectedValue  -Type DWord -Force
    if (-not (Test-Path $RegPath2)) { New-Item -Path $RegPath2 -Force | Out-Null }
    Set-ItemProperty -Path $RegPath2 -Name $RegName2 -Value $ExpectedValue2 -Type DWord -Force
    Write-Host "Credential Guard enabled - REBOOT REQUIRED" -ForegroundColor Yellow
}

function Invoke-Monitoring {
    $r = Test-Compliance
    $status = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $color  = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $status" -ForegroundColor $color
    return $r
}

# Clears the LSA flag. Note: when Credential Guard was enabled with the UEFI lock (value 1),
# this registry change alone does not disable it; the EFI variable must also be cleared and
# the change confirmed at the console on reboot.
function Invoke-Revert {
    Set-ItemProperty -Path $RegPath2 -Name $RegName2 -Value 0 -Type DWord
}

try {
    if (-not (Connect-RequiredServices)) { Write-Warning "Administrator rights required"; exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if ($WhatIf) { Write-Host "WhatIf: would set $RegName=$ExpectedValue and $RegName2=$ExpectedValue2" }
        else { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error -Message $_ -ErrorAction Continue
    exit 1
}

Risk without implementation

Critical: Pass-the-hash = #1 lateral movement technique (Mimikatz extracts credentials → full network compromise).

Management Summary

Enable Credential Guard (VBS). Hardware-isolated credential storage. Pass-the-hash defense. Requires: Windows Enterprise, TPM 2.0, UEFI, virtualization. Test compatibility (pilot). Implementation: 10-20 hours.