Windows Server 2019 must be running Credential Guard on domain-joined member servers.

An XCCDF Rule

Description

<VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-205907r857344_rule
Severity: High
References: CCI-000366
Updated: 8 months ago

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration".

A Microsoft article on Credential Guard system requirement can be found at the following link:

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements
Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that should be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are:

The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected servers. This is to include a strict password change requirement (60 days or less).
….
Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions should be supplied.
….
Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected servers. 
….
Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers.
….
Windows Defender rule block credential stealing from LSASS.exe is applied.  This rule can only be applied if Windows Defender is in use.
….
The overall number of vulnerabilities that are unmitigated on the network/servers.

Windows Server 2019 must be running Credential Guard on domain-joined member servers.

Description

Remediation - Manual Procedure