Tuesday, March 21, 2017

Deploy Credential Guard

Objective

In this lab, you learn how to:
  • Enable Credential Guard using Group Policy.
  • Enable Credential Guard using the Device Guard and Credential Guard hardware readiness tool.
  • Restrict administrative users to Credential Guard–enabled machines.

Scenario

Pass the hash is a common attack on the Windows operating system. In this attack, attackers steal the logged-on users’ credentials by dumping the process memory from the Local Security Authority (LSA) Windows service, which is responsible for authenticating users as they log into the machine and generating the access tokens for single sign-on, which are used to identify an authenticated user during logons between a client and secured systems or applications. Attackers can use a variety of tools to obtain users’ credentials from the LSA service. Once obtained, attackers then impersonate the stolen user’s account by passing the derived credential hash, which basically represents an authenticated user that Active Directory verified, to other machines. The ultimate goal in this attack is to elevate to a domain administrator level of permissions so that information can be stolen or systems can be damaged.
Several fundamental issues allow the pass-the-hash technique to succeed. First, credentials are available in a region of memory that the machine’s system account can access. Any administrator account on a machine can access the same resources as the system account; therefore, an attacker can access those credentials by using local administrative rights. Second, an attacker can extract and use the credential hashes stored in the LSA service across the network. With someone’s hash, attackers can make any system on the network think that they’re that person.
To mitigate the pass-the-hash attack, the Windows 10 operating system has a new feature called Credential Guard. Credential Guard addresses each of these issues by isolating a portion of the LSA service within a virtualized container. This container has its own region of memory that no account within the Windows 10 operating system can access, including the system account and any administrative user accounts. Because the LSA service still needs credentials to perform its authentication, it brokers authentication requests to and from the isolated container in which the actual credentials reside. In this scenario, the LSA service itself never contains usable credentials for attackers to steal, and the limited information that attackers could access means nothing to other resources on the network.

Virtual Machines

  1. DC
  2. WIN10-01
  3. WIN10-04

Exercise 1 : Verify that the machine meets Credential Guard requirements

Credential Guard requires additional hardware resources to function. For example, virtualization-based security (VBS) requires processors capable of virtualization. For most modern PCs, this isn’t an issue, but to be sure that devices meet the hardware requirements for Credential Guard, Microsoft offers the Device Guard and Credential Guard hardware readiness tool. This exercise familiarizes you with the Device Guard and Credential Guard hardware readiness tool by having you run it. Because this environment is virtualized and the host processor’s virtualization extensions have not been made available to the virtual machines (VMs), the tool will tell you that these machines aren’t capable of running the hardware-based security features required for Credential Guard.
  1. Sign in to WIN10-01
    (1) Switch to WIN10-01 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-01 as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open Windows PowerShell as an administrator
    (1) Click Start, and then type PowerShell in the search box. (2) In the results, right-click Windows PowerShell, and then click Run as Administrator. (3) In the User Account Control dialog box, click Yes.
  3. Go to the DeviceGuard folder
    Type cd C:\Extras\DeviceGuard\DGReadinessTool (or click the Type Text icon to the right, next to the Done button), and press Enter.
    cd C:\Extras\DeviceGuard\DGReadinessTool
  4. Run the hardware readiness tool
    (1) Type .\DG_Readiness_Tool_v2.0.ps1 -Capable (or click the Type Text icon to the right), and press Enter. (2) When prompted with the Security warning, type R, and then press Enter.
    .\DG_Readiness_Tool_v2.0.ps1 -Capable
  5. Review the results
    As expected, the results indicate that Credential Guard isn’t supported on this machine. Only configurable code integrity is supported on this VM.
In this exercise, you ran the Device Guard and Credential Guard hardware readiness tool with the -Capable switch to determine which features the WIN10-01 VM supported. In the next exercise, you will use Group Policy to enable Credential Guard on a Windows 10 machine.

Exercise 2 : Enable Credential Guard using Group Policy

You can enable Credential Guard easily by using Group Policy. A Device Guard Administrative Template is available in the Windows Server 2016 operating system to simplify the deployment of Device Guard and Credential Guard. In this exercise, you use Group Policy to enable Credential Guard on a group of machines.
  1. Sign in to DC
    (1) Switch to DC by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to DC as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open GPMC
    In Server Manager, click Tools > Group Policy Management.
  3. Create a new GPO
    (1) In the Group Policy Management Console (GPMC), navigate to Forest: corp.contoso.com\Domains\corp.contoso.com. (2) Right-click corp.contoso.com, and then click Create a GPO in this domain, and Link it here. (3) In the Name box, type Enable Credential Guard, and then click OK.
    In this example, you’re linking this policy to the domain, and then using security filtering to scope its effect. Alternatively, you could create a specific organizational unit (OU) for all Device Guard– or Credential Guard–managed devices and link to that OU instead of the domain.
  4. Edit the VBS setting
    (1) In the navigation pane, under corp.contoso.com, right-click the Enable Credential Guard GPO, and then click Edit. (2) In the Enable Credential Guard GPO, navigate to Computer Configuration\Policies\Administrative Templates\System\Device Guard. (3) Right-click Turn On Virtualization Based Security, and then click Edit.
    Because VBS is required for Credential Guard, it makes sense that you would have to enable that feature before you can enable Credential Guard.
  5. Configure the VBS setting
    (1) Click Enabled. (2) In Credential Guard Configuration, select Enabled without lock. (3) Review the Knowledge box. (4) Click OK.
    Notice that there are two Credential Guard options:
    Enabled with UEFI lock. Enabling this feature creates a Unified Extensible Firmware Interface (UEFI) variable for Credential Guard, requiring its enablement for the machine to boot. This does make it impossible for someone to disable Credential Guard, but it also means that administrators must be physically present at the device to disable it.
    Enabled without lock. This option simply enables the registry keys for Credential Guard but does not require its enablement for the device to boot. This is a less secure option because attackers could disable Credential Guard if they have access to the registry.
  6. Close the Group Policy Management Editor
    Close the Group Policy Management Editor to return to the GPMC.
  7. Apply security filtering
    (1) In the navigation pane, under corp.contoso.com, click the Enable Credential Guard policy, and click OK. (2) On the Scope tab, under Security Filtering, remove AUTHENTICATED USERS and add the DGEnabledMachines security group.
    Now, you’re ready to filter this GPO to the correct computer security group. Because Credential Guard is often deployed alongside Device Guard, in this example, you’re deploying Credential Guard to the same group of devices that has Device Guard deployed to it.
  8. Close the GPMC
    Close the Group Policy Management Console.
In this example, you enabled Credential Guard on a group of devices called DGEnabledMachines by using Group Policy. You can also configure Credential Guard on a single machine manually within the registry or by using the Device Guard and Credential Guard readiness tool. In the next exercise, you’ll enable Credential Guard by using the Device Guard and Credential Guard readiness tool.

Exercise 3 : Enable Credential Guard by using the readiness tool

You can easily enable Credential Guard by using the Device Guard and Credential Guard readiness tool. In this exercise, you enable the Credential Guard registry keys using this tool. Even though the registry keys will be present and the features will show as enabled, they cannot actually start, because the VM doesn’t have access to the hypervisor’s virtualization extensions, as previously mentioned.
  1. Sign in to WIN10-01
    (1) Switch to WIN10-01 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-01 as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Execute the hardware readiness tool
    (1) At the PowerShell prompt, type .\DG_Readiness_Tool_v2.0.ps1 -Enable (or click the Type Text icon to the right), and press Enter. (2) When prompted with the Security warning, type R, and press Enter.
    .\DG_Readiness_Tool_v2.0.ps1 -Enable
  3. Review the results
    (1) Review the Knowledge box. (2) At the PowerShell prompt, type MSInfo32 to view System Information. (3) Scroll down to the bottom of the System Summary details pane, and view Device Guard Security Services Configured and Device Guard Security Services Running. (4) Close System Information.
    Note that the Credential Guard service shows that it is enabled but not actually running. Even though the script outputs that Credential Guard was successfully enabled, it won’t be able to actually start because the virtualization extensions necessary for VBS aren’t present. To verify that this is the case, look at the system information to check the status of Credential Guard.
  4. Restart WIN10-01
    At the PowerShell prompt, type shutdown -r /t 0 (or click the Type Text icon to the right), and then press Enter to restart the VM.
    shutdown -r /t 0
In this exercise, you enabled Credential Guard by using the Device Guard and Credential Guard hardware readiness tool. You can also enable these registry keys manually. In the next exercise, you’ll create the necessary custom workstation authentication certificate needed to restrict administrative users to use Credential Guard–enabled machines.
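As an added example (not part of the lab or of Microsoft's readiness tool), the following PowerShell covers the manual alternative the text mentions, setting the Credential Guard registry values directly, and then reads the same Win32_DeviceGuard data that msinfo32 displays, so the "configured but not running" state seen on this VM is detected explicitly. Run it in an elevated PowerShell session on a Windows 10 machine.

```powershell
# Added example, not from the lab: manual registry configuration of Credential Guard plus a
# configured-vs-running check based on the Win32_DeviceGuard WMI class (the msinfo32 source).
$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-CredentialGuardRegistry {
    # Writes the values that the "Turn On Virtualization Based Security" policy sets.
    # -UefiLock corresponds to "Enabled with UEFI lock"; without it, "Enabled without lock".
    param([switch]$UefiLock)

    if (-not (Test-Path $DeviceGuardKey)) { New-Item -Path $DeviceGuardKey -Force | Out-Null }
    # EnableVirtualizationBasedSecurity 1 = turn on VBS
    # RequirePlatformSecurityFeatures   1 = require Secure Boot only
    Set-ItemProperty -Path $DeviceGuardKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $DeviceGuardKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock
    $flags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $LsaKey -Name LsaCfgFlags -Value $flags -Type DWord
    Write-Host "Credential Guard registry values written (LsaCfgFlags=$flags); a restart is required."
}

function Get-CredentialGuardState {
    # In SecurityServicesConfigured / SecurityServicesRunning, 1 = Credential Guard, 2 = HVCI.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $lsa = Get-ItemProperty -Path $LsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue

    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' }
        1 { 'Enabled but not running' }
        2 { 'Running' }
        default { 'Unknown' }
    }
    # Wrapping in @() keeps -contains working when the property is empty
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1

    [pscustomobject]@{
        LsaCfgFlags               = $lsa.LsaCfgFlags
        VbsStatus                 = $vbsStatus
        CredentialGuardConfigured = $configured
        CredentialGuardRunning    = $running
        # True in exactly the situation the lab describes: keys present, service never started
        ConfiguredButNotRunning   = ($configured -and -not $running)
    }
}

$state = Get-CredentialGuardState
$state | Format-List
if ($state.ConfiguredButNotRunning) {
    Write-Warning 'Credential Guard is configured but not running; check the VBS prerequisites (virtualization extensions, Secure Boot).'
}
```

Call Set-CredentialGuardRegistry (optionally with -UefiLock) only on a machine where you actually want the keys written; the script as shown only reports state.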

Exercise 4 : Create a new workstation authentication certificate

Credential Guard mitigates the pass-the-hash attack, which removes an attacker’s ability to perpetually impersonate an administrator account across your network. Note, however, that there are some machines in your organization that might not run Credential Guard. Administrative accounts would be vulnerable when they’re used on those machines. To restrict administrative users to logging on only to those devices that have Credential Guard enabled, you can create a custom workstation authentication certificate that uses a specific issuance policy. Then, you can enroll that certificate on devices that have Credential Guard enabled so that Active Directory can identify its enablement. Finally, you can tie that proof to an authentication policy so that Active Directory can allow or deny the administrative logon.
  1. Sign in to DC
    (1) Switch to DC by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to DC as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open the Certification Authority MMC snap-in
    In Server Manager, click Tools > Certification Authority.
  3. Open the Certificate Template Console
    (1) In the Certification Authority Microsoft Management Console (MMC) snap-in, navigate to Contoso Corp CA\Certificate Templates. (2) Right-click the Certificate Templates folder, and then click Manage.
  4. Duplicate workstation authentication
    In the details pane, right-click the Workstation Authentication certificate, and then click Duplicate Template.
  5. Complete the Compatibility tab
    (1) On the Compatibility tab, clear the Show resulting changes check box. (2) Select Windows Server 2012 R2 from the Certification Authority list, and then select Windows 8.1/Windows Server 2012 R2 from the Certificate recipient list.
  6. Complete the General tab
    On the General tab, in Template display name, type CredGuardCert.
  7. Remove Application Policy
    (1) On the Extensions tab, in the Extensions included in this template box, select Application Policies. (2) Click Edit. (3) In the Edit Application Policies Extension dialog box, select Client Authentication, and then click Remove.
  8. Add New Application Policy
    (1) In the Edit Application Policies Extension dialog box, click Add, and then click New. (2) In the Name box, type Kerberos Client Auth. (3) In the Object Identifier box, press Ctrl+A, type 1.3.6.1.5.2.3.4 (or click the Type Text icon to the right), and click OK. (4) In the Add Application Policy dialog box, select the Kerberos Client Auth policy, and then click OK. (5) Click OK again to add the policy.
    1.3.6.1.5.2.3.4
  9. Create Issuance Policy
    (1) On the Extensions tab, in the Extensions included in this template box, click Issuance Policies, and then click Edit. (2) In the Edit Issuance Policies Extension box, click Add > New. (3) In the New Issuance Policy dialog box, in Name, type Credential Guard Issuance, and then click OK. (4) Select the Credential Guard Issuance policy, and then click OK. (5) Click OK to finish editing the issuance policies.
  10. Complete the Subject Name tab
    (1) On the Subject Name tab, under Build from the Active Directory information, in the Include this information in alternate subject name section, select User principal name (UPN) and clear DNS name. (2) Click OK to complete the template.
  11. Close the Certificate Template Console
    Close the Certificate Template Console to return to the Certification Authority MMC snap-in.
  12. Publish the template
    (1) In the Certification Authority MMC snap-in, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue. (2) Select the CredGuardCert template you just created, and then click OK.
    Now that you have created the certificate template, you must publish it to the certificate authority–published template store.
  13. Close the Certification Authority MMC snap-in
    Close the Certification Authority MMC snap-in.
In this exercise, you created a custom workstation authentication certificate that you’ll use to identify machines running Credential Guard. You’ll use this certificate in conjunction with an authentication policy to restrict administrative users to using only those machines running this certificate.

Exercise 5 : Link the issuance policy to a universal security group

The issuance policy you created in the previous exercise can be used as an identifiable attribute to add computers to a security group. To establish the connection between the two, Microsoft offers the set-IssuancePolicyToGroupLink.ps1 script. When you link the issuance policy to the security group, you cannot add individual machines to it. For this reason, this script can also create a new group to use.
  1. Open Windows PowerShell as an administrator
    (1) Click Start, and then type PowerShell in the search box. (2) In the results, right-click Windows PowerShell, and then click Run as Administrator. (3) In the User Account Control dialog box, click Yes.
  2. Go to CredentialGuard folder
    At the PowerShell prompt, type cd D:\Source$\CredentialGuard (or click the Type Text icon to the right), and press Enter.
    cd D:\Source$\CredentialGuard
  3. View available issuance policies
    (1) At the PowerShell prompt, type .\get-IssuancePolicy.ps1 -LinkedToGroup:All (or click the Type Text icon to the right), and press Enter. (2) When prompted with the Security warning, type R, and then press Enter.
    When running this tool, you’ll see the Credential Guard Issuance policy that you created during the last exercise while making the custom workstation authentication certificate. You will use this issuance policy when linking to the universal security group.
    .\get-IssuancePolicy.ps1 -LinkedToGroup:All
  4. Link issuance policy
    (1) At the PowerShell prompt, type the command shown below (or click the Type Text icon to the right), and press Enter. (2) When prompted with the Security warning, type R, and then press Enter. (3) When prompted to create the OU, type Y, and then press Enter. (4) When prompted to create the group, type Y, and then press Enter. (5) When prompted for the group name, type CredentialGuardCertificateMachines, and then press Enter.
    This command creates a new OU and universal security group, and links it to the Credential Guard Issuance policy.
    .\set-IssuancePolicyToGroupLink.ps1 -IssuancePolicyName "Credential Guard Issuance" -groupOU:"CredentialGuard" -groupName:"CredentialGuardCertificateMachines"
  5. Close Windows PowerShell
    Close the Windows PowerShell window.
In this exercise, you linked a custom issuance policy to a new security group that you’ll use to identify devices that have the Credential Guard certificate enrolled. In the next exercise, you’ll create a new domain controller certificate capable of handling compound authentication requests.

Exercise 6 : Add a domain controller certificate

To support compound authentication on the DC VM, you must add a new domain controller certificate. Once created, you’ll export this certificate, and then import it into the Enterprise Trust certificate store on the Windows 10 client VMs.
  1. Open MMC
    (1) Click Start, type MMC.exe, and press Enter. (2) In the User Account Control dialog box, click Yes.
  2. Add the Certificates snap-in
    (1) In MMC, click File > Add/Remove Snap-in. (2) Select Certificates, click Add, select Computer account, and then click Next. (3) Select Local Computer, and then click Finish. (4) Click OK to complete the wizard.
  3. Enroll new Domain Controller certificate
    (1) Right-click the Certificates – (Local Computer)\Personal\Certificates folder, point to All Tasks, and then click Request New Certificate. (2) Click Next, and then click Next again. (3) Select the Kerberos Authentication certificate template, and then click Enroll. (4) Click Finish.
  4. Export domain controller certificate
    (1) Right-click the Kerberos Authentication certificate issued to DC.corp.contoso.com (the second certificate), point to All Tasks, and then click Export. (2) Click Next, select No, do not export the private key, and then click Next. (3) Select Base-64 encoded X.509 (.CER), and then click Next. (4) Click Browse, and then save the certificate to D:\Source$\ExportedCerts\DC Certificate.cer. (5) Click Next, and then click Finish. (6) In the Certificate Export Wizard dialog box, click OK.
    You’ll need to add the new certificate to the enterprise root certificate store on clients that will be using the Credential Guard workstation authentication certificate. To do this, export the certificate so that it can be imported on WIN10-01. There are two domain controller certificates, so be sure to export the one with Kerberos Authentication as an intended purpose.
  5. Close the Certificates MMC snap-in
    Close the Certificates MMC snap-in.
In this exercise, you added a domain controller certificate that supports smart card authorization to the KDC, which meets the same requirements needed for Kerberos armoring and compound authentication. In the next exercise, you’ll add a Credential Guard certificate to WIN10-01, along with the certificate that you exported in this exercise.

Exercise 7 : Enroll the client certificate for Credential Guard

Now that you have created a new workstation authentication certificate to identify Credential Guard–enabled devices and you have exported the new domain controller certificate, you can add these certificates to WIN10-01. You start by enrolling the custom workstation authentication certificate you created in the previous exercise. Then, you enroll the certificate with Credential Guard. This step is important because Credential Guard is the entity that holds the certificate keys. That way, if Credential Guard were ever disabled, the key would be lost and administrators would not be able to log in to the device because the workstation certificate would not be validated.
  1. Sign in to WIN10-01
    (1) Switch to WIN10-01 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-01 as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Copy exported certificates
    In File Explorer, copy the DC Certificate.cer from \\DC\Source$\ExportedCerts\ to C:\Extras.
    \\DC\Source$\ExportedCerts\
  3. Open MMC
    (1) Click Start, type MMC.exe, and press Enter. (2) In the User Account Control dialog box, click Yes.
  4. Add Certificates snap-in
    (1) In MMC, click File > Add/Remove Snap-in. (2) Select Certificates, click Add, select Computer Account, and then click Next. (3) Select Local Computer, and then click Finish. (4) Click OK to complete the wizard.
  5. Enroll Credential Guard certificate
    (1) Right-click the Certificates – (Local Computer)\Personal folder, point to All Tasks, and then click Request New Certificate. (2) Click Next, and then click Next again. (3) Select the CredGuardCert certificate template, and then click Enroll. (4) Click Finish.
  6. Import domain controller certificates
    (1) In MMC, right-click the Certificates – (Local Computer)\Enterprise Trust folder, point to All Tasks, and then click Import. (2) Click Next. (3) In the File name box, type C:\Extras\DC Certificate.cer (or click the Type Text icon to the right). (4) Click Next, and then click Next again. (5) Click Finish to complete the import. (6) In the Certificate Import Wizard dialog box, click OK.
    C:\Extras\DC Certificate.cer
  7. Close the Certificates MMC snap-in
    Close the Certificates MMC snap-in.
  8. Enroll the client certificate
    (1) Right-click Start, and then click Command Prompt (Admin). (2) In the User Account Control box, click Yes. (3) At the Command Prompt, type CertReq -EnrollCredGuardCert CredGuardCert (or click the Type Text icon to the right), and press Enter.
    After you run this command, you would typically be able to remove the machine certificate because the certificate’s key would be stored in the virtualized component of Credential Guard. Because the Credential Guard services aren’t running on the VM, however, the certificate you enrolled manually will have to stay to simulate the desired effect.
    CertReq -EnrollCredGuardCert CredGuardCert
In this exercise, you added the necessary certificates on WIN10-01 for it to be able to prove to DC that it’s running Credential Guard. In the next exercise, you’ll configure the necessary computer policies for this certificate to be used properly.
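As an added example (not part of the lab), this PowerShell check, run on WIN10-01, confirms that the enrolled certificate carries what the domain controller will rely on: the Kerberos client application policy OID 1.3.6.1.5.2.3.4 the template added (with Client Authentication removed), an issuance policy, and a UPN in the subject alternative name; it also confirms the exported DC certificate is in Enterprise Trust. The template name CredGuardCert and the subject CN=DC.corp.contoso.com are taken from the lab; matching the template by its Certificate Template Information extension assumes the template name resolves on the domain-joined client.

```powershell
# Added example, not from the lab: verify the CredGuardCert enrollment and the imported DC certificate.
$TemplateName      = 'CredGuardCert'
$KerberosClientOid = '1.3.6.1.5.2.3.4'      # application policy the lab adds to the template
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'    # Client Authentication, which the lab removes
$KdcAuthOid        = '1.3.6.1.5.2.3.5'      # KDC Authentication, present on Kerberos Authentication certs
$DcSubject         = 'CN=DC.corp.contoso.com'

function Get-ExtensionText {
    # Returns the decoded text of one X.509 extension, or '' when the certificate lacks it.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($true) } else { '' }
}

function Test-CredGuardClientCert {
    # The template is recorded in the Certificate Template Information extension (1.3.6.1.4.1.311.21.7).
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        (Get-ExtensionText $_ '1.3.6.1.4.1.311.21.7') -match "Template=$TemplateName"
    } | Select-Object -First 1

    if (-not $cert) { return [pscustomobject]@{ Found = $false } }

    # Certificate Policies (2.5.29.32); AD CS-generated issuance policy OIDs live under 1.3.6.1.4.1.311.21.8
    $policies     = Get-ExtensionText $cert '2.5.29.32'
    $issuanceOids = [regex]::Matches($policies, '1\.3\.6\.1\.4\.1\.311\.21\.8[\d\.]*') |
        ForEach-Object { $_.Value }
    $ekuOids = @($cert.EnhancedKeyUsageList.ObjectId)

    [pscustomobject]@{
        Found                = $true
        Thumbprint           = $cert.Thumbprint
        NotAfter             = $cert.NotAfter
        HasPrivateKey        = $cert.HasPrivateKey
        HasKerberosClientEku = ($ekuOids -contains $KerberosClientOid)   # expected True
        HasClientAuthEku     = ($ekuOids -contains $ClientAuthOid)       # expected False
        HasUpnInSan          = ((Get-ExtensionText $cert '2.5.29.17') -match 'Principal Name=')
        IssuancePolicyOids   = @($issuanceOids)                          # expected one entry
    }
}

function Test-DcCertInEnterpriseTrust {
    # The Enterprise Trust store is Cert:\LocalMachine\Trust
    $dc = @(Get-ChildItem Cert:\LocalMachine\Trust | Where-Object { $_.Subject -eq $DcSubject })
    [pscustomobject]@{
        Present   = ($dc.Count -gt 0)
        # The lab exports the certificate that carries Kerberos Authentication as an intended purpose
        HasKdcEku = [bool]($dc | Where-Object { @($_.EnhancedKeyUsageList.ObjectId) -contains $KdcAuthOid })
    }
}

Test-CredGuardClientCert     | Format-List
Test-DcCertInEnterpriseTrust | Format-List
```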

Exercise 8 : Configure Kerberos armoring on DC

Kerberos armoring and compound authentication are needed to allow devices to authenticate by using their workstation certificates. Supporting these settings won’t negatively affect those devices that don’t have the Credential Guard certificate but rather tell the devices to use compound authentication first, when available. The first step in enabling Kerberos armoring and compound authentication is to configure the KDC Group Policy settings for them and enforce them on the domain controller.
  1. Sign in to DC
    (1) Switch to DC by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to DC as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open GPMC
    In Server Manager, click Tools > Group Policy Management.
  3. Create a new GPO
    (1) In the GPMC, navigate to Forest: corp.contoso.com\Domains\corp.contoso.com. (2) Right-click corp.contoso.com, and then click Create a GPO in this domain, and Link it here(3) In Name, type KDC Kerberos Armoring, and then click OK.
  4. Edit the KDC support setting
    (1) In the navigation pane, right-click the KDC Kerberos Armoring GPO, and then click Edit. (2) In the KDC Kerberos Armoring GPO, navigate to Computer Configuration\Policies\Administrative Templates\System\KDC. (3) Right-click KDC support for claims, compound authentication and Kerberos armoring, and then click Edit. (4) Click Enabled, select the Supported option, and then click OK.
  5. Edit the compound authentication setting
    (1) In Computer Configuration\Policies\Administrative Templates\System\KDC, right-click Request compound authentication, and then click Edit. (2) Click Enabled, and then click OK.
  6. Close the Group Policy Management Editor
    Close the Group Policy Management Editor to return to GPMC.
    Now, you’re ready to filter this GPO to the correct computer security group.
  7. Apply security filtering
    (1) In GPMC, click the KDC Kerberos Armoring policy, and click OK. (2) On the Scope tab, under Security Filtering, remove AUTHENTICATED USERS, and then add the DC domain controller.
    When adding DC, be sure to select the Computer object type or you’ll receive an error saying that the object cannot be found.
You have now configured the domain controller to be compatible with Kerberos armoring and accept compound authentication from devices when they log on to the network. In the next exercise, you’ll configure the client policies that will make them compatible with Kerberos armoring and attempt to use compound authentication first.

Exercise 9 : Configure Kerberos armoring on clients

In this exercise, you enable designated Windows 10 clients to be able to use compound authentication and Kerberos armoring. Also, you specify that the devices attempt to use compound authentication first so that the domain controller will recognize the Credential Guard certificate you deployed earlier.
  1. Create a new GPO
    (1) In GPMC, navigate to Forest: corp.contoso.com\Domains\corp.contoso.com. (2) Right-click corp.contoso.com, and then click Create a GPO in this domain, and Link it here. (3) In Name, type Windows Client Kerberos Armoring, and then click OK.
  2. Edit the client support setting
    (1) In the navigation pane, right-click the Windows Client Kerberos Armoring GPO, and then click Edit. (2) In the Windows Client Kerberos Armoring GPO, navigate to Computer Configuration\Policies\Administrative Templates\System\Kerberos. (3) Right-click Kerberos client support for claims, compound authentication and Kerberos armoring, and then click Edit. (4) Click Enabled, and then click OK.
  3. Edit the compound authentication setting
    (1) In Computer Configuration\Policies\Administrative Templates\System\Kerberos, right-click Always send compound authentication first, and then click Edit. (2) Click Enabled, and then click OK.
  4. Close the Group Policy Management Editor
    Close the Group Policy Management Editor to return to GPMC.
  5. Apply security filtering
    (1) In the navigation pane, click the Windows Client Kerberos Armoring policy, and click OK. (2) On the Scope tab, under Security Filtering, remove AUTHENTICATED USERS, and then add the WIN10-01 and WIN10-04 computers.
    When adding WIN10-01 and WIN10-04, be sure to select the Computer object type or you’ll receive an error saying that the object cannot be found.
  6. Close the GPMC
    Close the Group Policy Management Console.
In this exercise, you enabled the designated Windows 10 clients (WIN10-01 and WIN10-04) to be compatible with compound authentication and Kerberos armoring. Also, you specified that they should attempt to use compound authentication first when available. In the next exercise, you’ll ensure that WIN10-01 has received the policy to prepare for the authentication policy.

Exercise 10 : Validate the policy and restart the VM

In this exercise, you update the Machine policy on the WIN10-01 VM, and then restart the VM. This step is required after enrolling the custom workstation authentication certificate with Credential Guard. Then, you’ll be ready to create an authentication policy restricting administrative users to logging in to those machines with Credential Guard enabled.
  1. Sign in to the WIN10-01
    (1) Switch to WIN10-01 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-01 as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open a Command Prompt window on WIN10-01
    (1) Right-click Start, and then click Command Prompt (Admin). (2) In the User Account Control box, click Yes.
  3. Update Group Policy
    (1) At the command prompt, type gpupdate /force (or click the Type Text icon to the right). (2) Wait for the update to finish.
    When you update policy, you will get an error when applying one setting. That is because enabling Credential Guard via Group Policy requires that secure boot be enabled, which is not possible on this VM. You can safely ignore this error for this lab.
    gpupdate /force
  4. Check Group Policy results
    (1) When the policies have been updated, type gpresult /h results.html /f (or click the Type Text icon to the right). (2) When the command finishes, type results.html and press Enter to view the results in Microsoft Edge. (3) Review the Knowledge box.
    In the results.html file, in the Applied GPOs section, you should see the Windows Client Kerberos Armoring GPO that you created and deployed earlier.
    gpresult /h results.html /f
  5. Restart WIN10-01
    At the Command Prompt, type shutdown -r /t 0 (or click the Type Text icon to the right), and press Enter to restart the VM.
    Now that you have verified that WIN10-01 received the policy, it’s time to restart the VM.
    shutdown -r /t 0
In this exercise, you updated Group Policy on WIN10-01 so that you could verify that the Group Policy settings were received. In the next exercise, you’ll complete the process of restricting administrative users to machines with Credential Guard enabled by creating an Active Directory authentication policy.

Exercise 11 : Create authentication policy

Authentication policies allow administrators to control conditional logon to domain resources. In this example, you create an authentication policy to restrict administrative users to those machines on which Credential Guard is enabled. This is discovered by recognizing that a client has the Credential Guard certificate you deployed earlier. Those clients that do have that certificate are then added to the CredentialGuardCertificateMachines universal security group you created in a previous exercise. The authentication policy that you create then verifies that the device on which the administrative user is logging in is in that security group, and then allows the login.
  1. Sign in to DC
    (1) Switch to DC by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to DC as Mark Hassall (CORP\Mark) with a password of Passw0rd.
  2. Open AD Administrative Center
    In Server Manager, click Tools > Active Directory Administrative Center.
  3. Create a new authentication policy
    (1) In the navigation pane, click Authentication > Authentication Policies. (2) In the task pane, click New > Authentication Policy.
  4. Name the Policy
    (1) In Display name, type Credential Guard Administrator Device Restriction. (2) Leave the Enforce policy restrictions option selected.
    Notice that to the right of the Display Name box is an option to put this policy in audit mode rather than enforce it. When an authentication policy is in audit mode, exceptions are logged only, and the restriction isn’t applied. When enforced, the policy must be complied with or the authentication won’t be successful.
  5. Select restricted accounts
    (1) In the Accounts section, click Add. (2) In the Select Users, Computers or Service Accounts box, type Peter, and then click OK.
    In this example, you’re adding Peter Houston, who is the domain administrator whose login capability you want to limit to Credential Guard–enabled devices.
  6. Configure user sign-on condition
    (1) In the User Sign On section, click Edit. (2) In the Edit Access Control Condition box, click Add a Condition, and then click Add Items. (3) In the Select Computer or Group box, type CredentialGuardCertificateMachines, and then click OK. (4) Click OK to close the Edit Access Control Conditions dialog box. (5) Click OK to create the new authentication policy.
In this exercise, you created an Active Directory authentication policy that only allows Peter to log in to devices with the Credential Guard certificate identifying that Credential Guard is running. In the next exercise, you’ll test this policy on a device with the certificate and one without it.

Exercise 12 : Test authentication policy

Now that the authentication policy has been enabled, you test logging in to a machine that has the Credential Guard certificate and one that doesn’t. When logging in to the machine with the certificate, the login should be successful. When logging in to the machine without the certificate, the login should fail, with a message letting users know that they aren’t allowed to log in to that machine.
  1. Sign in to WIN10-01 as Lori
    (1) Switch to WIN10-01 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-01 as Lori Penor (CORP\Lori) with a password of Passw0rd. (3) Review the Knowledge box.
    Lori is a standard user. You can see that a standard user can log in to the Credential Guard–enabled VM.
  2. Sign out of WIN10-01
    Sign out of WIN10-01.
  3. Sign in to WIN10-01 as Peter
    (1) Sign in to WIN10-01 as Peter Houston (CORP\Peter) with a password of Passw0rd. (2) Review the Knowledge box.
    Signing in to WIN10-01 should be successful because the authentication policy was satisfied with the custom workstation authentication certificate you enrolled in the previous exercise.
  4. Sign in to WIN10-04 as Peter
    (1) Switch to WIN10-04 by clicking the Switch to Machine icon to the right, next to the Done button. (2) Sign in to WIN10-04 as Peter Houston (CORP\Peter) with a password of Passw0rd. (3) Review the Knowledge box.
    Signing in to this machine should fail: the authentication is denied because the machine has no Credential Guard certificate, and this user is restricted to Credential Guard–enabled devices.
  5. Sign in to WIN10-04 as Lori
    (1) Sign in to WIN10-04 as Lori Penor (CORP\Lori) with a password of Passw0rd. (2) Review the Knowledge box.
    Signing in to this machine should succeed because Lori is a standard user who isn’t restricted by the authentication policy.
  6. Sign out of WIN10-04
    Sign out of WIN10-04.
  7. Sign in to WIN10-04 as Mark
    (1) Sign in to WIN10-04 as Mark Hassall (CORP\Mark) with a password of Passw0rd. (2) Review the Knowledge box.
    Signing in to this machine should succeed because Mark is an administrative user that does not have the authentication policy applied to him.
In this lab, you configured Credential Guard on a device in two different ways: by using Group Policy and by using the Device Guard and Credential Guard readiness tool. You then restricted administrative users to devices running Credential Guard by deploying a custom workstation authentication certificate. Then, you linked the issuance policy to a custom universal security group so that you could identify which devices had the certificate. Finally, you deployed and tested an Active Directory authentication policy that blocked an administrative user from signing in to a device without the certificate.
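As an added example (not part of the lab or of Microsoft's scripts), this PowerShell run on DC verifies the chain the lab builds and gives the defender a view of its effect: the issuance policy OID object linked to the CredentialGuardCertificateMachines group (Exercise 5), the authentication policy whose user sign-on condition references that group (Exercise 11), and the Security-log events for Kerberos tickets denied by authentication policy restrictions, which the failed sign-in of Exercise 12 produces. Names are the lab's; the assumption that event IDs 4820 (TGT denied) and 4821 (service ticket denied) record these denials is noted in the code.

```powershell
# Added example, not from the lab: DC-side verification of the issuance policy link, the
# authentication policy scope, and the denials an enforced authentication policy logs.
Import-Module ActiveDirectory

$GroupName    = 'CredentialGuardCertificateMachines'
$PolicyName   = 'Credential Guard Administrator Device Restriction'
$IssuanceName = 'Credential Guard Issuance'

function Get-IssuancePolicyGroupLink {
    # Issuance policy OIDs are objects under CN=OID,CN=Public Key Services in the configuration
    # partition; msDS-OIDToGroupLink is the attribute set-IssuancePolicyToGroupLink.ps1 populates.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $oidBase  = "CN=OID,CN=Public Key Services,CN=Services,$configNc"
    Get-ADObject -SearchBase $oidBase -Filter "displayName -eq '$IssuanceName'" `
        -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
        Select-Object displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
}

function Test-AuthenticationPolicyScope {
    $group  = Get-ADGroup -Identity $GroupName
    $policy = Get-ADAuthenticationPolicy -Identity $PolicyName
    # The "user sign on" condition is stored as an SDDL string; the group SID must appear inside it
    $sddl   = [string]$policy.UserAllowedToAuthenticateFrom
    [pscustomobject]@{
        PolicyEnforced        = $policy.Enforce
        GroupSid              = $group.SID.Value
        GroupReferencedBySddl = ($sddl.Length -gt 0 -and $sddl.Contains($group.SID.Value))
        AllowedFromSddl       = $sddl
    }
}

function Get-AuthPolicyDenials {
    param([int]$Hours = 24)
    # Assumed (standard Windows audit events): 4820 = TGT denied because the device does not meet
    # the access control restrictions; 4821 = service ticket denied for the same reason.
    $filter = @{ LogName = 'Security'; Id = 4820, 4821; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Field names differ between the two events, so collect every EventData field generically
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Details = ($data.GetEnumerator() | Sort-Object Name |
                ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

Get-IssuancePolicyGroupLink   | Format-List
Test-AuthenticationPolicyScope | Format-List
Get-AuthPolicyDenials          | Format-Table -AutoSize -Wrap
```

Because group membership through the issuance policy is asserted at authentication time rather than stored in AD, the CredentialGuardCertificateMachines group has no static members to list; the link and the SDDL reference are what to check.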

