ACTS Blog Selection
Enabling Microsoft Defender Credential Guard on Amazon EC2
This blog post is written by Jason Nicholls, Principal Solutions Architect Amazon Web Services.
In this post we show you how to enable
Microsoft Windows stores credential material such as authentication tokens in the
With Credential Guard enabled, the LSA is isolated by Windows virtualization-based security (VBS). VBS is a suite of Windows security mechanisms that use hardware virtualization features to create an isolated compute environment to store user credentials referred to as the isolated LSA. The isolated LSA is inaccessible to the rest of the OS.
Prerequisites
Launch your instance
A list of Windows
aws ec2 describe-images --image-ids ami-0123456789
When UEFI Secure Boot and NitroTPM are enabled for the AMI, "TpmSupport": "v2.0" and "BootMode": "uefi" appear in the output respectively, as in the following example.
{
"Images": [
{
...
"BootMode": "uefi",
"TpmSupport": "v2.0"
}
]
}
Before launching the AMI verify that the
aws ec2 describe-instance-types --instance-types [INSTANCE_TYPE] --region [REGION]
Where INSTANCE_TYPE is a supported instance type as defined in the
The output of the command should display nitro as the hypervisor and list uefi as a supported boot mode. For example:
{
    "InstanceTypes": [
        {
            ...
            "Hypervisor": "nitro",
            ...
            "SupportedBootModes": [
                "legacy-bios",
                "uefi"
            ]
        }
    ]
}
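The two describe calls above can be turned into a single pre-launch check. The following PowerShell script is an added example, not code from the original post or from AWS: it runs the same AWS CLI commands and tests the four fields the post tells you to look for (BootMode, TpmSupport, Hypervisor, SupportedBootModes). It assumes AWS CLI v2 is installed with credentials configured; the AMI ID, instance type and region are placeholders.

```powershell
# Added example (not from the original post): check that an AMI and an instance type
# meet the Credential Guard prerequisites before launching.
# Assumes AWS CLI v2 is on PATH and credentials are configured.
param(
    [string]$AmiId        = 'ami-0123456789',   # placeholder ID from the post
    [string]$InstanceType = 'm5.large',         # assumed Nitro-based instance type
    [string]$Region       = 'us-east-1'         # assumed region
)

function Test-CredentialGuardPrereqs {
    param([string]$AmiId, [string]$InstanceType, [string]$Region)

    # Same two calls the post shows, parsed from their JSON output.
    $image = (aws ec2 describe-images --image-ids $AmiId --region $Region --output json |
              ConvertFrom-Json).Images[0]
    $type  = (aws ec2 describe-instance-types --instance-types $InstanceType --region $Region --output json |
              ConvertFrom-Json).InstanceTypes[0]

    # A missing TpmSupport field evaluates to $null, so that check fails closed.
    $checks = [ordered]@{
        'AMI BootMode is uefi'              = ($image.BootMode -eq 'uefi')
        'AMI TpmSupport is v2.0 (NitroTPM)' = ($image.TpmSupport -eq 'v2.0')
        'Instance type runs on nitro'       = ($type.Hypervisor -eq 'nitro')
        'Instance type supports uefi boot'  = ($type.SupportedBootModes -contains 'uefi')
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }
    # $true only when every prerequisite is met
    return -not ($checks.Values -contains $false)
}

if (Test-CredentialGuardPrereqs -AmiId $AmiId -InstanceType $InstanceType -Region $Region) {
    Write-Host "AMI $AmiId on $InstanceType meets the Credential Guard prerequisites."
} else {
    Write-Host "Fix the failing prerequisites before launching the instance."
    exit 1
}
```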
Use the
Walkthrough:
Enabling Credential Guard with Amazon EC2 Launch an
Launch an Amazon EC2 Windows Instance using a Windows AMI preconfigured to enable UEFI Secure Boot with Microsoft Windows Secure Boot Keys on an
You can use the launch wizard in the
command via the
Now that you know how to create an AMI with UEFI Secure Boot support enabled, let’s create a Windows instance and configure Credential Guard.
Credential Guard can be enabled either by using
Option 1: Enabling Credential Guard via the Windows Registry
Start the Amazon EC2 uefi
“. Windows AMI must be preconfigured to enable UEFI Secure Boot with Microsoft Windows Secure Boot keys as we defined earlier. Once you’re
1. Select Start, type msinfo32.exe, and then select System Information.
2. Select System Summary on the left.
3. Confirm that Virtualization-based security is Not Enabled.
Figure 2 System Information confirming that Credential Guard is Not Enabled
4. Open the
5. Run the following commands from the Windows Command Shell to enable Credential Guard using the Windows Registry:
REG ADD "HKLM\System\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\LSA" /v LsaCfgFlags /t REG_DWORD /d 2 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" /v "HyperVEnabled" /t REG_DWORD /d 1 /f
6. Once the changes have been made, reboot the instance.
7. When the instance is back up, reconnect to the instance and select Start, type msinfo32.exe, and then select System Information.
8. Select System Summary on the left.
9. Note that Virtualization-based security has now changed to Running, and that Secure Boot and Credential Guard are enabled.
Option 2: Enabling Credential Guard via the DG-Readiness tool
Option 1 requires a remote desktop session to your Windows Instance. Option 2 is run via PowerShell which can either be done in a
Start the Amazon EC2 uefi
“. Windows AMI must be preconfigured to enable UEFI Secure Boot with Microsoft Windows Secure Boot keys as we defined earlier. Once you’re
1. Select Start, type PowerShell, and then click Windows PowerShell.
2. Download the DG-Readiness tool by running the command:
wget https://download.microsoft.com/download/B/D/8/BD821B1F-05F2-4A7E-AA03-DF6C4F687B07/dgreadiness_v3.6.zip -OutFile dgreadiness.zip
3. Uncompress the downloaded zip file using the Expand-Archive function within PowerShell:
Expand-Archive -Path C:\Users\Administrator\dgreadiness.zip -DestinationPath C:\dgreadiness
4. Move the DG-Readiness tool to the current folder:
copy C:\dgreadiness\dgreadiness_v3.6\DG_Readiness_Tool_v3.6.ps1 .\
5. Confirm that Credential Guard is disabled by running the DG-Readiness tool with the -Ready option, as follows:
.\DG_Readiness_Tool_v3.6.ps1 -Ready
6. Enable Credential Guard using the -Enable -CG options as follows:
.\DG_Readiness_Tool_v3.6.ps1 -Enable -CG
7. Reboot the instance.
8. Reconnect to the instance after the reboot and confirm that Credential Guard is now running by running the command:
.\DG_Readiness_Tool_v3.6.ps1 -Ready
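Whichever option you used, the result can be verified without reading msinfo32 by hand. The following PowerShell script is an added example, not part of the original post or of the DG-Readiness tool: Set-CredentialGuardRegistry writes the same four registry values as the REG ADD commands in Option 1, and Get-CredentialGuardState reads the Win32_DeviceGuard WMI class that backs the msinfo32 rows, so it reports the state after either Option 1 or Option 2. Function names are my own; it assumes an elevated PowerShell session on the instance.

```powershell
# Added example (not from the original post): apply and verify Credential Guard settings.
$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-CredentialGuardRegistry {
    # Same four values the REG ADD commands in Option 1 write; a reboot is still required.
    New-Item -Path "$DeviceGuardKey\Capabilities" -Force | Out-Null
    Set-ItemProperty -Path $DeviceGuardKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $DeviceGuardKey -Name RequirePlatformSecurityFeatures  -Type DWord -Value 1
    Set-ItemProperty -Path $LsaKey         -Name LsaCfgFlags                      -Type DWord -Value 2
    Set-ItemProperty -Path "$DeviceGuardKey\Capabilities" -Name HyperVEnabled     -Type DWord -Value 1
}

function Get-CredentialGuardState {
    # Win32_DeviceGuard is the class behind the "Virtualization-based security" rows in msinfo32.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # Confirm-SecureBootUEFI throws on non-UEFI firmware; treat that as "not enabled".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = Off, 1 = Configured but not running, 2 = Running
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 1 when Credential Guard is running
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        # AvailableSecurityProperties: 1 = hypervisor support present, 2 = Secure Boot present
        HypervisorAvailable    = ($dg.AvailableSecurityProperties -contains 1)
        SecureBootAvailable    = ($dg.AvailableSecurityProperties -contains 2)
        SecureBootEnabled      = $secureBoot
        # 2 is the value Option 1 sets (enabled without UEFI lock)
        LsaCfgFlags            = (Get-ItemProperty -Path $LsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    }
}

$state = Get-CredentialGuardState
$state | Format-List

if (-not ($state.VbsRunning -and $state.CredentialGuardRunning)) {
    Write-Warning 'Credential Guard is not running. If the registry values have not been applied yet, run Set-CredentialGuardRegistry and reboot.'
    exit 1
}
Write-Host 'Credential Guard is running: the LSA is isolated by VBS.'
```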
Conclusion
With support for Windows Defender Credential Guard on Amazon EC2 Windows Instances, customers can create an isolated compute environment for credential material that is inaccessible to the rest of the OS. Credential Guard requires UEFI Secure Boot support, and it can leverage NitroTPM to further secure credentials.
To learn more about the support of Credential Guard visit