Question on Credential Guard

Mikhail Firsov 1,881 Reputation points
2021-06-10T11:51:01.137+00:00

Hello!

The theory:

By enabling Windows Defender Credential Guard, the following features and solutions are provided:

Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
Virtualization-based security: Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
Better protection against advanced persistent threats: When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked.

The practice (after enabling CG):

1) The domain user account displays neither its NTLM hash (it displays the encrypted content) nor its Kerberos password:

(screenshot: 104210-q3.png)

2) The domain computer account does display its NTLM hash, and its Kerberos password field is not empty as it is for the user account but instead contains the encrypted password:

(screenshot: 104236-q2.png)

As far as I can see, the documentation above says nothing about differences between user and computer accounts, so:

Q1: Why does the computer account still have its NTLM hash visible?

Q2: Is this difference in displaying NTLM and Kerberos hashes/passwords by design for CG?

Thank you in advance,
Michael
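A quick way to confirm that Credential Guard is actually configured and running on the host before interpreting what a memory dumper shows for LSASS. This is an added example, not part of the original question or any of the answers; it relies on the documented Win32_DeviceGuard CIM class and the LsaCfgFlags registry value, and assumes an elevated PowerShell session on a Windows 10/11 or Windows Server 2016+ machine with UEFI firmware (the function name Get-CredentialGuardState is this example's own).

```powershell
# Added example (not from the original post): report whether Credential Guard
# is configured and running, using Win32_DeviceGuard and LsaCfgFlags.
# Assumes an elevated session on Windows 10/11 or Windows Server 2016+.

function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes VBS state as integers:
    #   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    #   SecurityServicesConfigured / SecurityServicesRunning (uint32 arrays): 1 = Credential Guard, 2 = HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    # The Group Policy location is checked first, then the Lsa key used for manual enablement.
    $lsaCfg = $null
    foreach ($path in @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard',
                        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')) {
        $v = Get-ItemProperty -Path $path -Name LsaCfgFlags -ErrorAction SilentlyContinue
        if ($null -ne $v) { $lsaCfg = [int]$v.LsaCfgFlags; break }
    }

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as off.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    [pscustomobject]@{
        VbsStatus                 = $vbsStatus
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning    -contains 2)
        LsaCfgFlags               = $lsaCfg
        SecureBoot                = $secureBoot
    }
}

$state = Get-CredentialGuardState
$state | Format-List

# "Configured" without "Running" usually means a reboot is pending or a VBS
# prerequisite (Secure Boot, hypervisor support) is missing.
if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running on this host; LSASS secrets are not isolated.'
}
```

The distinction between SecurityServicesConfigured and SecurityServicesRunning matters for a test like the one in the question: a host where LsaCfgFlags is set but VBS never started will still expose user credentials in an LSASS dump, so both values should be checked before drawing conclusions about what Credential Guard does and does not protect.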


5 answers

  1. Anonymous
    2021-06-11T09:20:03.173+00:00

    Hello @Mikhail Firsov ,

    Thank you for posting here.

    Q&A currently supports the products listed here: https://learn.microsoft.com/en-us/answers/products (more to be added later on).

    Windows Defender Credential Guard is not within the scope of the MICROSOFT Q&A platform for the time being.

    We can search many tags and add the tags, but for some topics there is no technical engineer from the Microsoft team to provide support.

    Maybe some experts from the Community Experts or MVPs can provide some help to you in this thread.

    Thank you for your understanding and support.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Mikhail Firsov 1,881 Reputation points
    2021-06-11T09:34:01.177+00:00

    Hello DaisyZhou-MSFT,

    "Windows Defender Credential Guard is not within the scope of the MICROSOFT Q&A platform for the time being." - ??? Credential Guard is just one of the features of Windows Server and Windows Server is listed on the page you mentioned... weird ...


  3. Anonymous
    2021-06-14T09:11:26.15+00:00

    Hello @Mikhail Firsov ,

    Thank you for your reply.

    It may be necessary to collect logs for further analysis and troubleshooting of your request.

    We hope some experts from the Community Experts or MVPs can provide some help to you in this thread.

    If no one responds to this post for a long time, I suggest you submit a service request to MS Professional tech support so that a dedicated support professional can further assist you with this request.

    The following web sites, with more detail on Professional Support options and incident submission methods, are for your reference:

    https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

    https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Thank you for your understanding and support.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  4. Bagitman 596 Reputation points
    2022-01-06T14:39:54.093+00:00

    Hi. I don't know the answer, but let me take an educated guess. To use mimikatz and find these keys, you already need local admin or SYSTEM permissions, and admins may impersonate the SYSTEM account at any time. So why protect the NTLM hash? You already are SYSTEM.

    So the thinking continues: the attacker may use the system (= computer) account now. But may he use it tomorrow? The Kerberos ticket expires tomorrow, so its usage is limited to 10 hours by default. Its NTLM hash, however, could be passed (not cracked, as the password behind it is random and 120 chars long), so why not protect it? Is the action of passing it limited to the originating computer? I would think so, and that would explain why.


  5. Mikhail Firsov 1,881 Reputation points
    2022-01-12T14:11:18.87+00:00

    Hi Bagitman-1090,

    Thank you for your suggestion!

    "So why protect the ntlm hash? You already are system" - hm... frankly speaking, I doubt that some technique may work or not work depending on the risk associated with some action... I mean, do you think that Windows thinks "I will be hiding a user's NTLM hash because it's too risky to disclose it, but will not bother itself with pointless work hiding its own computer account's hash"?
