Why you should not enable Credential Guard on Domain Controllers?
Credential guard protects the credential derivatives like NTLM hash and Kerberos tickets; this TechNet article has a very detailed explanation as well as deployment guidelines. There was a recent change in this article to call out the following:
Warning
Enabling Credential Guard on domain controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
I would like to share my learnings on why you should not enable Credential Guard on Domain Controllers.
Credential guard protects credentials in LSASS memory; it does not protect credentials stored on disks. On domain controllers, it does not protect credentials that are stored in the active directory SAM database.
In a production environment, you should restrict user access to a domain controller in order to protect the assets on that domain controller. If someone manages to get (unauthorized) access to it, and able to retrieve information in LSASS memory, that means the person already acquired domain admin privilege, and Credential Guard adds no value in that case.
Given that there is no added security benefit, we decided not to support Credential Guard on domain controllers.
Comments
- Anonymous
April 13, 2017
HelloYou would like more information about this Credential Guard on Domain Controllers action for use in Domain Controlers hosted 100% on Azure - Anonymous
April 17, 2017
@Julio,Credential Guard is not supported on domain controllers, whether the domain controller is on-prem or in Azure.When Azure supports Gen 2 VMs, you should consider to enable Credential guard on member servers in Azure.