Credential Guard is a Windows security feature that uses virtualization-based security (VBS) to move the secrets normally held in LSASS (NTLM hashes and Kerberos tickets) into an isolated container that even an administrator on the machine cannot read. It blocks the most common credential-dumping path (Mimikatz-style reads of LSASS memory) and blunts Pass-the-Hash and Pass-the-Ticket. It is a strong control but not a complete answer, so it works best alongside LAPS, Protected Users, and admin tiering.
What Credential Guard is
Normally the LSASS process holds the credentials of logged-in users in memory, where an attacker with admin rights can read them. Credential Guard changes that by using virtualization-based security: it runs a small, isolated process (the "isolated LSA") in a hardware-protected container separate from the normal operating system.
The secrets (NTLM hashes and Kerberos ticket-granting material) live inside that container. Even a full administrator on the machine cannot reach into it, so the usual LSASS-reading attacks come back empty.
What it stops, and its limits
Credential Guard breaks the standard credential-theft chain:
- Mimikatz `sekurlsa::logonpasswords` can no longer read protected hashes from LSASS.
- Pass-the-Hash and Pass-the-Ticket lose their easy source of harvested material.
Its limits matter too:
- It protects domain credentials cached in LSASS, not every secret on the machine, and it does not stop keyloggers or attacks that capture credentials as they are typed.
- It needs hardware and configuration that support VBS, and it does not apply to Domain Controllers in the same way it does to member machines.
So it is a powerful layer, not a silver bullet.
How to deploy it
- Enable Credential Guard on supported endpoints with the required virtualization-based security settings.
- Combine with the Protected Users group so the most privileged accounts get extra Kerberos hardening.
- Pair with LAPS so any credential that is captured does not unlock other machines.
- Keep Domain Admins off ordinary workstations. This is the deepest fix: the safest credential is the one that is never present on the machine.
- Verify it is running, since misconfiguration can silently leave it off.
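The verification step above, as an added example that is not part of the original article: this PowerShell function reads the documented `Win32_DeviceGuard` CIM class and the `LsaCfgFlags` registry value to tell "configured" apart from "actually running", which is the silent-failure case the last step warns about. The function name, the status strings, and the output object layout are this example's own choices.

```powershell
# Added example: report whether Credential Guard is running, not merely configured.
function Test-CredentialGuard {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports VBS state. SecurityServicesRunning contains 1 when
    # Credential Guard is active and 2 when HVCI (memory integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'NotEnabled' }
        1 { 'EnabledNotRunning' }
        2 { 'Running' }
        default { "Unknown($($dg.VirtualizationBasedSecurityStatus))" }
    }

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsaCfg = (Get-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    $configured = [int[]]$dg.SecurityServicesConfigured -contains 1
    $running    = [int[]]$dg.SecurityServicesRunning    -contains 1

    # Configured-but-not-running is the case that leaves a host unprotected while policy
    # reports success: usually a pending reboot or a missing VBS prerequisite
    # (UEFI, Secure Boot, IOMMU, hypervisor support).
    $status = if ($running)        { 'OK: Credential Guard is running' }
              elseif ($configured) { 'WARN: configured but not running; check VBS prerequisites and reboot' }
              else                 { 'FAIL: Credential Guard is not configured on this host' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        VbsStatus    = $vbsState
        CgConfigured = $configured
        CgRunning    = $running
        LsaCfgFlags  = $lsaCfg
        UefiLock     = ($lsaCfg -eq 1)
        Status       = $status
    }
}

Test-CredentialGuard | Format-List
```

Run it across a fleet with `Invoke-Command` and filter on `Status -notlike 'OK*'` to find hosts where the policy applied but the isolated LSA never started.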