Implementing Credential Guard using Device Guard Readiness Tool

Credential Guard is a security feature that has been available in Windows 10 Enterprise since version 1507.  Enabling it on a Windows 10 laptop requires a UEFI system whose disk is formatted with GPT, Secure Boot turned on, and a 64-bit CPU with virtualization extensions and SLAT.  A Trusted Platform Module (TPM 1.2 or 2.0) is recommended so that the keys protecting the isolated LSA process are bound to hardware.  I have read in Microsoft's docs that you can use Credential Guard without a TPM, but then the keys are not secured in the TPM.  I am not sure whether this is still the case now in the latest Windows builds, because they do say that a TPM is required.  First, download the Device Guard and Credential Guard Readiness Tool from Microsoft's Download Center.  Next, I will show you the commands you need to run in PowerShell to use the tool.

The Device Guard and Credential Guard Readiness Tool is a PowerShell script that checks whether the device is capable of running Credential Guard, checks whether Credential Guard is already enabled or running, and does the same for Device Guard and for Hypervisor-Enforced Code Integrity (HVCI).

Make sure you download the new version 3.0 of the tool. If you previously downloaded the older version 2.1 script, go back to the Microsoft Download Center and re-download it.

Once you have downloaded the tool, unblock the zip file and unpack it into a directory. Personally, I like to use D:\DistributionShare\DeviceGuardReadinessToolv3.0. Next, right-click PowerShell or PowerShell ISE and run it as Administrator. Once the ISE is open, change to the directory where you unzipped the tool:
Set-Location D:\DistributionShare\DeviceGuardReadinessToolv3.0
Now run the script to check whether the device is capable of running Credential Guard, Device Guard, or Hypervisor Code Integrity:
.\DG_Readiness_Tool_v3.0.ps1 -Capable -DG -CG -HVCI
The capability check cannot finish until the machine has been rebooted, so reboot it now.

After the reboot, open PowerShell ISE as Administrator again and run the script with the same switches to read the result. Once you know the hardware qualifies, run it with
-Enable -CG -DG -HVCI, or whichever of the three you want to enable (enabling also requires a reboot). You can also use the -Ready switch if you want to see whether any of the three security features is already enabled and running.
You will see some immediate feedback in the console, but the full result is written to a log file in the folder C:\DGLOGS, which tells you whether your computer is capable of enabling Credential Guard, Device Guard, and Hypervisor Code Integrity.
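As an added example (not part of the original post and not Microsoft's readiness script), here is an independent check of the prerequisites listed above (GPT boot disk, Secure Boot, TPM) together with the live VBS status from the Win32_DeviceGuard WMI class, which is what the readiness tool's -Ready switch reads. Run it from an elevated PowerShell prompt; the property names and value meanings are from the documented Win32_DeviceGuard class.

```powershell
# Added example: prerequisite and status check for Credential Guard / HVCI.
# Not from the original post; uses only documented cmdlets and WMI classes.

function Get-VbsStatus {
    # The boot disk must be GPT on a UEFI / Secure Boot system.
    $bootDisk  = Get-Disk | Where-Object IsBoot
    $partStyle = if ($bootDisk) { $bootDisk.PartitionStyle } else { 'Unknown' }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # TPM spec version, e.g. "2.0" or "1.2"; the class is absent on VMs without a vTPM.
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Win32_DeviceGuard: service arrays contain 1 = Credential Guard, 2 = HVCI;
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        BootDiskPartitionStyle    = $partStyle
        SecureBootEnabled         = $secureBoot
        TpmSpecVersion            = $tpmVersion
        VbsStatus                 = @('Disabled', 'EnabledNotRunning', 'Running')[$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning    = $dg.SecurityServicesRunning    -contains 1
        HvciConfigured            = $dg.SecurityServicesConfigured -contains 2
        HvciRunning               = $dg.SecurityServicesRunning    -contains 2
    }
}

$status = Get-VbsStatus
$status | Format-List

# Stop on the hard prerequisites before touching any policy.
if ($status.BootDiskPartitionStyle -ne 'GPT') { Write-Warning 'Boot disk is not GPT; VBS needs a UEFI/GPT install.' }
if (-not $status.SecureBootEnabled)            { Write-Warning 'Secure Boot is off; turn it on in firmware before enabling Credential Guard.' }
if ($status.TpmSpecVersion -eq 'none')         { Write-Warning 'No TPM found; Credential Guard can run, but its keys will not be hardware-bound.' }
```

A machine that reports CredentialGuardConfigured = True but CredentialGuardRunning = False after a reboot usually failed one of the three prerequisites above, or has virtualization disabled in firmware.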


Group Policies to Enable Device Guard and Credential Guard

Several group policies are needed to enable Credential Guard and Device Guard in an Active Directory domain. On the domain controllers, enable the following policies:

DOMAIN CONTROLLERS: Computer Configuration/Administrative Templates/System/KDC. The necessary settings are:
KDC support for claims, compound authentication and Kerberos armoring: Enabled. (Microsoft recommends this on all domain controllers when deploying Credential Guard. Armoring (FAST) wraps the client's pre-authentication in the device's TGT and signs KDC errors, which stops offline password guessing against captured AS-REQs; Credential Guard itself still starts without it.)

Request compound authentication: Enabled, so that as devices authenticate to the domain controllers, Kerberos compound authentication is requested.

Next, in GPMC.msc (Group Policy Management Console) or gpedit.msc (Group Policy Editor, local policy only), go to:
Computer Configuration/Administrative Templates/System/Device Guard: Turn On Virtualization Based Security: Enabled. For the options at the bottom, the best choices for testing are:
Select Platform Security Level: Secure Boot
Virtualization Based Protection of Code Integrity: Enabled without lock
Credential Guard Configuration: Enabled without lock
"Without lock" means the setting is held only in the registry and can be reverted by changing the policy. "Enabled with UEFI lock" also records it in a UEFI variable, so it can only be turned off at the console with physical presence; that is what you want in production but painful while testing. Choose "Secure Boot and DMA Protection" only on hardware with an IOMMU, otherwise VBS will not start.
Now, in a policy applied to the domain computers, servers, and devices that are compatible with Credential Guard, enable the following under Computer Configuration/Administrative Templates/System/Kerberos:

1. Always send compound authentication first: Enabled
2. Kerberos client support for claims, compound authentication and Kerberos armoring: Enabled
3. Support compound authentication: Enabled, with Support authorization with client device information: Automatic
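The registry values behind the Device Guard and Credential Guard policy settings above, as an added example that is not from the original post, for a lab machine that is not domain-joined or for confirming what the GPO actually wrote. The key paths and values are the ones Microsoft documents for enabling Credential Guard and HVCI by registry; the Kerberos armoring settings are left to Group Policy and are not set here.

```powershell
# Added example: registry equivalents of "Turn On Virtualization Based Security"
# and "Credential Guard Configuration". Not from the original post.

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-VbsTestConfig {
    param(
        # 1 = Secure Boot only, 3 = Secure Boot and DMA protection (needs an IOMMU)
        [ValidateSet(1, 3)] [int] $PlatformLevel = 1,
        # $false = "without lock" (revertible), $true = UEFI lock (console access needed to undo)
        [bool] $UefiLock = $false
    )
    foreach ($k in $dgKey, $hvciKey) { New-Item -Path $k -Force | Out-Null }

    # "Turn On Virtualization Based Security" + "Select Platform Security Level"
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Type DWord -Value $PlatformLevel

    # "Virtualization Based Protection of Code Integrity" (HVCI)
    Set-ItemProperty -Path $hvciKey -Name Enabled -Type DWord -Value 1
    Set-ItemProperty -Path $hvciKey -Name Locked  -Type DWord -Value ([int]$UefiLock)

    # "Credential Guard Configuration": LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Type DWord -Value $(if ($UefiLock) { 1 } else { 2 })
}

function Get-VbsTestConfig {
    $dg   = Get-ItemProperty $dgKey   -ErrorAction SilentlyContinue
    $hvci = Get-ItemProperty $hvciKey -ErrorAction SilentlyContinue
    $lsa  = Get-ItemProperty $lsaKey  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableVbs        = $dg.EnableVirtualizationBasedSecurity
        PlatformFeatures = $dg.RequirePlatformSecurityFeatures
        HvciEnabled      = $hvci.Enabled
        HvciLocked       = $hvci.Locked
        LsaCfgFlags      = $lsa.LsaCfgFlags
    }
}

# Test profile matching the GPO choices above: Secure Boot level, no UEFI lock.
Set-VbsTestConfig -PlatformLevel 1 -UefiLock $false
Get-VbsTestConfig | Format-List
# A reboot is required before Win32_DeviceGuard reports the services as running.
```

When the policy is applied by GPO instead, the same values appear under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, and the policy copy wins over anything set here.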

After enabling these policies you should be on your way to supporting Credential Guard. Device Guard additionally needs a Code Integrity policy: once you have built one, you can distribute it with the policy Deploy Code Integrity Policy (Computer Configuration/Administrative Templates/System/Device Guard), which points each client at a policy file on a local path or a share. That GPO is not required to use Device Guard, though: you can also set the equivalent registry values and copy the compiled policy to C:\Windows\System32\CodeIntegrity on each machine, which is what the Code Integrity section below walks through.

Microsoft also offers a tool called the Device Guard and Credential Guard Readiness Tool which includes a PowerShell script to help enable Credential Guard, Device Guard, and Hypervisor Code Integrity.

Device Guard and Code Integrity Policies

Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016 include Device Guard.  Device Guard is somewhat like AppLocker, but it is a stronger form of whitelisting because it is enforced by the kernel's code integrity component (and, with HVCI, from inside the hypervisor-protected environment) rather than by the Application Identity service that AppLocker depends on.  You create a Code Integrity policy that tells the OS which software and device drivers are allowed to run.  Everything you allow must be digitally signed by a publisher the policy trusts, listed by file hash, or described in a catalog file created with New-FileCatalog and signed with a certificate in the policy; any binary that matches no rule is logged in audit mode and blocked in enforced mode.  That is basically how it works.  Next I am going to go through what it takes to enable Device Guard, create policies, and audit first so that you don't block yourself from running essential applications or services.  Device Guard is a complicated subject, and if you are not sure how to implement it in an enterprise or corporate environment, you should hire a security consultant to help you out.

Here's some code to get you started with a simple Code Integrity policy:
# To create a Base Code Integrity Policy from a Golden Computer:
# First we set up the variables CIPolicyPath, InitialCIPolicy and CIPolicyBin
# (the policy XML and the compiled binary are written to the current user's desktop)
$CIPolicyPath = "$env:USERPROFILE\Desktop\"
$InitialCIPolicy = $CIPolicyPath + "InitialScan.xml"
$CIPolicyBin = $CIPolicyPath + "DeviceGuardPolicy.bin"

# Now we will create a new Code Integrity policy by scanning this machine.
# PcaCertificate keys rules on the issuing CA of each signed file; -UserPEs includes user-mode binaries.
New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy -UserPEs 3> CIPolicyLog.txt

<# Notes: When you specify the -UserPEs parameter (to include user-mode executables in the scan), rule option 0 Enabled:UMCI is automatically added to the code integrity policy. In contrast, if you do not specify -UserPEs, the policy will contain no user-mode executables and will only have rules for kernel-mode binaries like drivers; in other words, the whitelist will not include applications. If you create such a policy and later add rule option 0 Enabled:UMCI, every attempt to start an application will cause a response from Device Guard: in audit mode the response is logging an event, and in enforced mode it is blocking the application. You can add the -Fallback parameter to catch any files not covered by the primary file rule level given by -Level (for example, -Fallback Hash for unsigned binaries). For more information about file rule level options, see "Code integrity file rule levels" in "Deploy code integrity policies: policy rules and file rules." To have the scan cover only a specific drive or folder, include the -ScanPath parameter followed by a path; without it, the entire system is scanned. The 3> CIPolicyLog.txt at the end redirects warning messages to a text file, CIPolicyLog.txt. #>

# Use ConvertFrom-CIPolicy to convert the XML to binary format
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin

# After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and the original .xml file (InitialScan.xml) will be on your desktop. You can use the binary version as a code integrity policy as-is, or sign it for additional security.

# NOTE: Keep the original .xml file of the policy; you need it to merge the code integrity policy with another policy or to update its rule options. Otherwise you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see "Merge code integrity policies."

After the computer is scanned and converted, DeviceGuardPolicy.bin is on your desktop. To deploy this policy, copy the file to C:\Windows\System32\CodeIntegrity and rename it SIPolicy.p7b.
A policy created by New-CIPolicy carries rule option 3 Enabled:Audit Mode by default, so the first deployment puts Device Guard into audit mode rather than enforcing anything; check the XML for that option before you copy the binary if you are not sure.

Restart the reference system for the code integrity policy to take effect.

Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed code integrity policy is logged in the Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational event log as event ID 3076 (the file would have been blocked); once the policy is enforced the same condition is logged as 3077 and the file is blocked.
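The audit loop that follows those steps, as an added example that is not from the original post: list what the deployed policy would have blocked, fold those files into the policy with the documented New-CIPolicy -Audit and Merge-CIPolicy cmdlets, and only then drop the audit rule option to enforce. The desktop file layout reuses the names from the policy-creation snippet above; the $Enforce switch is this example's own.

```powershell
# Added example: from audit events to an enforced policy. Not from the original post.

$CIPolicyPath    = "$env:USERPROFILE\Desktop\"
$InitialCIPolicy = $CIPolicyPath + 'InitialScan.xml'   # base scan from the golden machine
$AuditCIPolicy   = $CIPolicyPath + 'AuditScan.xml'     # rules generated from audit events
$MergedCIPolicy  = $CIPolicyPath + 'MergedPolicy.xml'
$CIPolicyBin     = $CIPolicyPath + 'DeviceGuardPolicy.bin'
$Enforce         = $false   # flip to $true only after the merged policy has run clean in audit

function Get-CIAuditEvents {
    # 3076 = would have been blocked (audit mode); 3077 = was blocked (enforced).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$events = @(Get-CIAuditEvents)
"{0} code integrity audit/block events found" -f $events.Count
$events | Format-Table -AutoSize

if ($events.Count -gt 0) {
    # Turn the audited files into rules. Hash level, because unsigned binaries have no certificate to key on.
    New-CIPolicy -Audit -Level Hash -FilePath $AuditCIPolicy -UserPEs 3> $null

    # Merge the audit findings into the base policy; the merged XML is the new source of truth.
    Merge-CIPolicy -PolicyPaths $InitialCIPolicy, $AuditCIPolicy -OutputFilePath $MergedCIPolicy | Out-Null
} else {
    Copy-Item $InitialCIPolicy $MergedCIPolicy -Force
}

if ($Enforce) {
    # Rule option 3 = "Enabled:Audit Mode"; deleting it makes the policy block instead of log.
    Set-RuleOption -FilePath $MergedCIPolicy -Option 3 -Delete
}

ConvertFrom-CIPolicy -XmlFilePath $MergedCIPolicy -BinaryFilePath $CIPolicyBin

# Deploy: the kernel reads SIPolicy.p7b from this folder at boot.
Copy-Item $CIPolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force
# Restart-Computer   # uncomment when ready; the new policy takes effect at the next boot
```

Keep MergedPolicy.xml under version control: once the policy is enforced, every later change (a new application, a driver update) is another merge against it, and losing the XML means rescanning a golden machine from scratch.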

Setting up Docker on windows server 2016


Although Docker is available for Windows Server 2016, it is not immediately obvious how to set it up and start running containers on a Windows Server 2016 server. The first step is to enable the Containers Windows feature with the PowerShell command Install-WindowsFeature -Name Containers -Verbose. After enabling the Containers feature, install Docker with the following PowerShell commands:

Install-PackageProvider -Name NuGet -Force
Install-Module -Name DockerMsftProvider -Force
Install-Package -Name docker -ProviderName DockerMsftProvider -Force

# Open firewall port 2375.
# WARNING: the Docker API on 2375 is plaintext with no authentication. Anyone who can
# reach it can start a container with the host's drives mounted, which is host compromise.
# Only do this on an isolated lab network; use 2376 with TLS for anything reachable.
netsh advfirewall firewall add rule name="docker engine" dir=in action=allow protocol=TCP localport=2375

# Configure the Docker daemon to listen on both the named pipe and TCP
# (the TCP endpoint below is inferred from the firewall rule above)
Stop-Service docker
dockerd --unregister-service
dockerd -H npipe:// -H tcp://0.0.0.0:2375 --register-service
Start-Service docker
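The hardened counterpart of the "open 2375 to everyone" setup above, as an added example that is not from the original post: the daemon is moved to TCP 2376 with mutual TLS through daemon.json, the listener list is taken out of the service registration so the file and the flags do not conflict, and the firewall rule is scoped to a management subnet. It assumes ca.pem, server-cert.pem and server-key.pem (plus a client cert.pem/key.pem) were already generated with openssl per Docker's TLS documentation and copied to C:\ProgramData\docker\certs.d; the subnet 10.0.0.0/24 and the file names are placeholders for this example.

```powershell
# Added example: Docker engine on Windows Server 2016 with TLS-only remote access.
# Not from the original post. Certificate files and the subnet are assumptions.

$certDir    = 'C:\ProgramData\docker\certs.d'
$daemonJson = 'C:\ProgramData\docker\config\daemon.json'
$mgmtSubnet = '10.0.0.0/24'   # placeholder: the only network allowed to reach the API

# Weak configuration (what the snippet above does): plaintext API, no authentication, any source.
$weak = @{ hosts = @('npipe://', 'tcp://0.0.0.0:2375') }

# Hardened configuration: TLS with client-certificate verification on 2376.
$hardened = @{
    hosts     = @('npipe://', 'tcp://0.0.0.0:2376')
    tlsverify = $true
    tlscacert = "$certDir\ca.pem"
    tlscert   = "$certDir\server-cert.pem"
    tlskey    = "$certDir\server-key.pem"
}

function Write-DockerDaemonConfig {
    param([hashtable] $Config, [string] $Path = $daemonJson)
    # dockerd refuses to start if a referenced key file is missing; fail here instead of at service start.
    foreach ($f in 'tlscacert', 'tlscert', 'tlskey') {
        if ($Config[$f] -and -not (Test-Path $Config[$f])) { throw "missing $f file: $($Config[$f])" }
    }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $Config | ConvertTo-Json | Set-Content -Path $Path -Encoding Ascii
}

Write-DockerDaemonConfig -Config $hardened   # never write $weak on a reachable host

# Re-register the service WITHOUT -H flags: if both the flags and daemon.json set "hosts",
# the daemon refuses to start with a conflict error.
Stop-Service docker
dockerd --unregister-service
dockerd --register-service

# Replace the wide-open 2375 rule with a 2376 rule scoped to the management subnet.
Get-NetFirewallRule -DisplayName 'docker engine' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'docker engine (TLS)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 2376 -RemoteAddress $mgmtSubnet | Out-Null

Start-Service docker

# Client side: plaintext must fail, mutual TLS must succeed.
docker -H tcp://127.0.0.1:2375 version 2>$null
if ($LASTEXITCODE -eq 0) { Write-Warning '2375 still answers; the old listener is still registered' }
docker --tlsverify --tlscacert "$certDir\ca.pem" --tlscert "$certDir\cert.pem" --tlskey "$certDir\key.pem" `
    -H tcp://127.0.0.1:2376 version
```

The firewall scope is the second line of defence, not the first: a client certificate issued by your CA is what actually authorizes a caller, so treat ca-key.pem like a domain admin credential and keep it off the container host.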

Optionally, you can also install the Docker PowerShell module from the DockerPS-Dev development repository with the following commands:

Register-PSRepository -Name DockerPS-Dev -SourceLocation

Install-Module Docker -Repository DockerPS-Dev -Scope CurrentUser

To be sure that Docker is installed, run the following commands in PowerShell or a command prompt:
docker version
docker info

Now you can pull the microsoft/windowsservercore or microsoft/nanoserver base images and begin creating containers:

docker pull microsoft/windowsservercore
docker pull microsoft/nanoserver

Use the Nano Server Image Builder to build your Nano Server vhdx files for Hyper-V

[Screenshots: Nano Server Image Builder, Create New Image and Select Scenario pages]

The Nano Server Image Builder is a simple GUI tool that helps create a Virtual Hard Disk of a Nano Server image for a Virtual Machine, or it can create a bootable Usb drive for a physical installation. You can download the tool from the Microsoft Download Center.

[Screenshots: Nano Server Image Builder wizard, pages 2 and 3]

The first thing to do before you start creating a Nano Server image is to mount a Windows Server 2016 ISO. This assigns a drive letter to the mounted installation media, which the application needs because it reads the NanoServer folder on that media. The application is basically a front end for the New-NanoServerImage PowerShell cmdlet. Go through the wizard and be sure to give the virtual hard disk a name ending in .vhdx. If you want to join this Nano Server to a domain before starting it, you will first have to provision an offline domain join blob with djoin.exe. When the wizard completes and has created the Nano Server .vhd or .vhdx file, create a new Hyper-V virtual machine and use that file as its hard drive.
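The same build done directly with the New-NanoServerImage cmdlet the wizard wraps, including the djoin.exe blob mentioned above, as an added example that is not from the original post. The ISO path, working directory, computer name, domain and virtual switch name are placeholders; the cmdlet parameters are the documented ones from the NanoServerImageGenerator module on the Server 2016 media.

```powershell
# Added example: build a domain-joined Nano Server VHDX and boot it in Hyper-V.
# Not from the original post. Paths, names, domain and switch are placeholders.

$iso     = 'D:\DistributionShare\WindowsServer2016.iso'
$workDir = 'D:\NanoBuild'
$name    = 'nano01'
$domain  = 'corp.example'
$vhdx    = "$workDir\$name.vhdx"
$switch  = 'External'        # an existing Hyper-V virtual switch

# 1. Mount the Server 2016 ISO; the generator module lives under \NanoServer on the media.
$media = (Mount-DiskImage -ImagePath $iso -PassThru | Get-Volume).DriveLetter + ':\'
Import-Module "$media\NanoServer\NanoServerImageGenerator"

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 2. Provision the computer account ahead of time (run as an account allowed to join machines).
#    The .djoin file contains the machine account password: treat it as a secret and delete it after use.
djoin.exe /provision /domain $domain /machine $name /savefile "$workDir\$name.djoin" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'djoin provisioning failed; check domain rights and the domain name' }

# 3. Build the VHDX. -DeploymentType Guest = Hyper-V VM; -EnableRemoteManagementPort opens WinRM
#    so the box can be managed without a console (Nano Server has none).
$adminPw = Read-Host -AsSecureString 'Local administrator password'
New-NanoServerImage -Edition Standard -DeploymentType Guest `
    -MediaPath $media -BasePath "$workDir\Base" -TargetPath $vhdx `
    -ComputerName $name -AdministratorPassword $adminPw `
    -DomainBlobPath "$workDir\$name.djoin" -EnableRemoteManagementPort

Remove-Item "$workDir\$name.djoin" -Force
Dismount-DiskImage -ImagePath $iso

# 4. Create a Generation 2 VM on that disk; it boots straight into the already-joined Nano Server.
New-VM -Name $name -Generation 2 -MemoryStartupBytes 1GB -VHDPath $vhdx -SwitchName $switch | Start-VM
```

Because the blob carries the machine password, generate it on the build host only, never copy it into a share the image builder can be run from by others, and delete it as soon as the image is written.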

[Screenshots: Nano Server Image Builder wizard pages 4 through 9, Advanced Configuration (page 10), Add Servicing Packages (page 11), Add Scripts and Binaries (page 12), Turn on Debugging Mode and Developer Mode, and the final summary page]

Windows Server 2016 – upgrade from tp5 will preserve your files (not supported)

[Screenshot: Docker for Windows installer message that it requires Windows 10 and will not install on Windows Server 2016]

So I am now running Windows Server 2016 on a bunch of physical and virtual servers and have learned that you can upgrade in place from Technical Preview 5 without losing your files. It is not a supported upgrade path, but it works even though the installer says that you will not keep your files; I have installed it over the top of a few virtual machines and no files were deleted in the upgrade. I had a few problems early on, but they were fixed in updates that were installed in the first few days that Windows Server 2016 was available. They had to do with wireless network adapters and some other drivers, but now all of my drivers are installed correctly. I installed the full Server with Desktop Experience version and have been trying to get Docker to work, because they said that Docker was integrated with Windows Server 2016; however, Docker for Windows only works on Windows 10, and it will not install on Windows Server 2016. I remember hearing something about having to run Server Core a few months ago, but I'm not sure if that's the reason why I can't get Docker to install on the full server experience. I will be figuring this out as soon as I get some more time. There is one thing that bothers me, though: all of the Windows 10 services are installed, but Microsoft Edge and the Windows Store are not available, so why have all the extra services that are only necessary for Windows Store applications? The Downloaded Maps service is unnecessary because there is no Maps app. I would recommend that they either get rid of the extra services that are not needed without access to Edge and Windows Store apps, or allow the Windows Store apps to be installed since the infrastructure is already in the server, instead of having all this extra cruft there. I will be installing Server Core next, but I hate not being able to get at certain settings that are not available in the Server Core version.

Windows Server 2016 Finally Available. Here’s the links to evaluate it:

Evaluate Windows Server 2016: the evaluation version of Windows Server 2016 and the Nano Server VHD

After downloading Windows Server 2016, which is build number 14393.0.160715.1616.RS1-Release (Redstone 1 Release), you can download an 18 page PDF guide called “The Ultimate Guide to Windows Server 2016”

Microsoft Ignite is underway in Atlanta, Georgia, and you can watch the keynotes and sessions all week on the event website, which is sure to have some interesting sessions from September 26 through September 30.