- Credential Guard isolates NTLM hashes, Kerberos TGTs and domain credentials using virtualization-based security.
- It requires compatible hardware and firmware (VBS, Secure Boot, TPM recommended) and is available in the Enterprise and Education editions.
- Enabling it affects legacy protocols such as NTLMv1, MS-CHAPv2, Digest, CredSSP and some Kerberos delegation modes.
- It greatly reduces Pass-the-Hash and Pass-the-Ticket attacks, although it does not cover keyloggers, physical attacks, or credentials held outside the protected system.
Protecting credentials in Windows has become an essential task for any company that takes cybersecurity seriously. Every time a user logs on, credentials are generated and stored: highly sensitive authentication secrets (hashes, tickets, tokens and so on) that, if they fall into an attacker's hands, allow them to move through the network as if they were legitimate users. This is exactly where Credential Guard comes in.
Windows Defender Credential Guard is a security feature that relies on virtualization-based security (VBS) to isolate these secrets and prevent the "normal" operating system, or malware running with high privileges, from accessing them. Although it is not a silver bullet and does not cover every type of credential or every attack path, in many scenarios it drastically reduces the effectiveness of classic techniques such as Pass-the-Hash and Pass-the-Ticket, and of tools such as Mimikatz.
What exactly is Windows Defender Credential Guard?
Credential Guard is a Windows feature designed to protect domain credentials and other authentication secrets against attacks that try to read them directly from system memory. It first appeared in Windows 10 Enterprise and Windows Server 2016, and it remains present in later versions of Windows 11 and Windows Server.
In short, Credential Guard relies on VBS to run part of the security subsystem in an environment isolated by the hypervisor, separate from the main operating system. Instead of the secrets living directly in the memory of the traditional Local Security Authority (LSA) process (lsass.exe), they are held in a protected, independent process, normally LsaIso.exe, that can only be reached through a much more restricted and trusted code path.
This separation is intended to stop malware that has obtained administrator rights from simply dumping LSASS memory to extract NTLM hashes, Kerberos tickets or credentials saved in Credential Manager. The point is not to change the authentication protocols, but to change where and how the secrets are kept in memory.

Secrets and functions protected by Credential Guard
The feature protects several kinds of credentials that have historically been prime targets for attackers. Among the secrets Credential Guard safeguards are, mainly, those related to:
- NTLM: the NTLM password hash used for authentication.
- Kerberos: specifically the Ticket Granting Ticket (TGT), which allows other service tickets to be requested.
- Credential Manager: domain credentials saved by applications and services.
- Local and remote logons that depend on domain credentials.
In older Windows versions, these secrets lived in the memory of the LSASS process in a form reachable by a highly privileged attacker. With Credential Guard enabled, an isolated LSA process runs that does not expose these secrets directly to tools that try to read the memory of the normal operating system.
How Virtualization-Based Security (VBS) and Virtual Secure Mode (VSM) work
The key to Credential Guard is VBS, a technology that uses the Windows hypervisor to create an isolated execution environment on the same physical machine. In that environment, known as Virtual Secure Mode (VSM), the security services that handle authentication secrets run.
When Credential Guard is active, the secrets are stored in memory inside VSM, not in the memory space of the normal operating system. The hypervisor ensures that only authenticated, highly trusted code can access them. This way, even if an attacker manages to compromise the operating system with administrator rights, the ability to read those secrets directly is drastically reduced.
On modern hardware with a compatible TPM 2.0, the persistent data of VSM can be encrypted with a VSM master key. That key is stored and protected by the TPM and by firmware-level trust mechanisms. As a result, even if someone tampers with the boot process or clones the disk, they cannot access the protected secrets outside the verified environment.
It is important to note that Credential Guard does not store data such as NTLM hashes or TGTs on disk. These are regenerated at each logon and lost across reboots, so they do not depend directly on the VSM key or the TPM to remain safe after shutdown.
Limitations and credentials Credential Guard does not protect
Despite its benefits, Credential Guard has clear limitations that need to be understood to avoid overestimating it. Some credentials and authentication methods fall outside the scope of its protection, or simply stop working the same way once the feature is active.
On the one hand, when Credential Guard is enabled, certain legacy protocols such as NTLMv1, MS-CHAPv2, Digest and CredSSP can no longer use the sign-in credentials of an already authenticated session. This means that single sign-on (SSO) with those protocols stops working. Applications that depend on them may have to prompt again for a username and password, or use credentials saved in the Windows credential store, which in those scenarios are not protected by Credential Guard.
In addition, there are credential-handling mechanisms that fall entirely outside this feature, such as:
- Third-party software that stores passwords or tokens outside the normal Windows mechanisms.
- Local accounts and Microsoft accounts, which do not enjoy the same isolation as domain credentials.
- The Active Directory database hosted on Windows Server domain controllers. Credential Guard does not directly protect Active Directory data or the credential input pipeline of services such as Remote Desktop Gateway.
- Keyloggers and other capture devices: if an attacker records keystrokes, they can steal the password before it is ever stored in LSASS or the isolated environment.
- Physical attacks on the hardware (for example, access to live memory or reading the disk with advanced techniques).
It should also be noted that Credential Guard does not stop an attacker who already controls malware on the machine from using the privileges of legitimate credentials obtained by other means. For example, if an administrator logs on to an already compromised machine, the attacker can use the time the session is active to act with that administrator's permissions, even though they cannot extract the NTLM hash from the isolated environment.
On the other hand, the logon data cached by Windows logon (often called "cached logons") is also not in the category of credentials that can be reused on other computers. It is stored in the local registry and is used only to validate logons when the domain is unavailable. It is governed by the security policy "Interactive logon: Number of previous logons to cache" and receives no special protection from Credential Guard.
Finally, Kerberos service tickets are not protected by Credential Guard, although the TGT is. And when Credential Guard is active, Kerberos does not allow unconstrained delegation or DES encryption, either for signed-in credentials or for prompted or saved credentials.
Benefits against credential theft attacks
The main goal of Credential Guard is to stop "steal and reuse credentials" attacks, especially:
- Pass-the-Hash: reusing stolen NTLM hashes to authenticate to other systems.
- Pass-the-Ticket: misusing Kerberos tickets (TGT or service tickets) obtained from a compromised machine.
By isolating secrets in VSM and restricting who can access them, most techniques based on dumping LSASS memory with tools like Mimikatz are blocked. Without Credential Guard, Mimikatz can extract NTLM hashes and Kerberos tickets without difficulty once the attacker has administrator rights. With Credential Guard enabled, the isolated LSA process keeps those secrets out of memory that is reachable from the normal operating system.
However, it is important to understand that Credential Guard is not invulnerable. Mimikatz and similar tools can still, for example, capture credentials as they are entered if the system is already compromised and a privileged user logs on afterwards; the author of Mimikatz has warned that if the attacker gains control of the endpoint before the administrator types their credentials, there are still ways to steal them. Moreover, Credential Guard does not protect against misuse of credentials by legitimate insiders: if someone has been granted access to something, this technology will not stop them copying sensitive data.
Enabled by default in Windows 11 and Windows Server
In the newest versions of the system, Microsoft has gone a step further and enables the combination of VBS and Credential Guard by default on some devices. Starting with Windows 11, version 22H2, and Windows Server 2025, computers that meet the minimum requirements turn these features on automatically.
The factory configuration is usually applied without UEFI lock. This means administrators can disable Credential Guard remotely if they consider it essential, for example because of a critical incompatibility with an existing application. When Credential Guard is enabled, VBS is also enabled automatically.
It is important to know that if an organization already had Credential Guard explicitly disabled before upgrading to a Windows version where the feature is on by default, the "disabled" state is preserved after the upgrade. An explicit configuration always takes precedence over the default behaviour after the reboot.
Hardware, firmware and software requirements
For Credential Guard to provide effective protection, the device must meet a set of minimum hardware, firmware and operating-system requirements. The more modern and complete the hardware, the higher the level of protection that can be achieved.
The main requirements include:
- A 64-bit CPU with hardware virtualization support.
- Virtualization-based security (VBS) enabled.
- Secure Boot enabled and configured.
In addition, although not always mandatory, it is strongly recommended to have:
- A TPM (Trusted Platform Module) version 1.2 or 2.0, either discrete or firmware-based, to bind the protection to the hardware and store the master keys securely.
- UEFI lock, which prevents an attacker from disabling Credential Guard simply by editing registry entries or making low-level configuration changes.
Organizations that meet these baseline requirements gain additional security value and stronger protection against threats that try to abuse the boot chain or direct memory access.
Using Credential Guard on Hyper-V virtual machines
Credential Guard can also protect secrets inside virtual machines running on Hyper-V, just as it does on physical hardware. When enabled in a VM, the secrets are isolated from attacks originating inside that virtual machine.
However, there is an important caveat: Credential Guard does not protect against high-privilege attacks launched from the host the VM runs on. That is, a host administrator, or an attacker who controls the underlying physical system, still has ways to interfere.
For Credential Guard to work on a Hyper-V virtual machine, at least the following are required:
- A Hyper-V host with a compatible IOMMU (input/output memory management unit).
- A Generation 2 virtual machine, which supports UEFI Secure Boot and the other required enhancements.
From the host it is even possible to disable Credential Guard for a specific VM using PowerShell, with a command such as Set-VMSecurity -VirtualizationBasedSecurityOptOut $true, specifying the name of the virtual machine.
Windows licensing and compatible editions
Credential Guard is not available in every edition of Windows. Microsoft reserves it for the editions aimed at business and education, leaving out some of the more common professional editions.
In terms of compatibility by Windows edition, in summary:
- Windows Enterprise: supports Credential Guard.
- Windows Education: compatible.
- Windows Pro and Windows Pro Education/SE: do not include direct support for Credential Guard.
As for licensing rights, the feature is tied to commercial and education-level subscriptions. The licenses that do grant the right to use Credential Guard include:
- Windows Enterprise E3
- Windows Enterprise E5
- Windows Education A3
- Windows Education A5
Other licenses, such as Windows Pro or Pro Education Standard, do not include these rights by default. For more details on what each license covers and in which scenarios, it is advisable to review the official Windows licensing documentation.
Impact on authentication applications and protocols
Enabling Credential Guard has a direct impact on some legacy authentication protocols and on certain Kerberos and NTLM functions that many traditional applications still use. Before a large-scale rollout, it is important to identify those requirements and test compatibility.
Applications will stop working correctly if they require any of these capabilities:
- Support for DES encryption in Kerberos.
- Unconstrained Kerberos delegation.
- Extracting the Kerberos TGT from the system.
- Using NTLMv1 as the authentication protocol.
Other scenarios do not necessarily break applications, but they do increase the risk of credential exposure if they are still used:
- Digest authentication that captures or reuses clear-text credentials.
- Credential delegation without adequate protection.
- Protocols such as MS-CHAPv2 and the Credential Security Support Provider (CredSSP), which may force the user to enter saved credentials in a less secure way.
Some services or applications that try to interact directly with the isolated LsaIso.exe process may experience performance problems or failures if they were not designed to work with this model. Conversely, services that rely on Kerberos by default, such as SMB shares or properly configured Remote Desktop connections, should continue to work normally when Credential Guard is enabled.
How to enable Credential Guard in enterprise environments
The security recommendation is to enable Credential Guard before joining a device to the domain or before a domain user logs on for the first time, so that secrets are never stored without the extra protection. If it is enabled after the device has been in use for a while, some credentials may already have been compromised.
There are several ways to enable Credential Guard across a fleet of Windows devices:
- Microsoft Intune/MDM.
- Group Policy (GPO).
- Direct registry configuration.
Configuration using Microsoft Intune and MDM policies
In Intune-managed environments, the settings can be applied through security profiles or custom policies. A typical procedure consists of creating an account-protection policy, or similar, and setting the parameters to enable VBS and define the Credential Guard configuration.
When using a CSP (Configuration Service Provider) such as DeviceGuard, the relevant settings are:
- Setting name: "Turn on Virtualization Based Security". OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity. Data type: integer. Value: 1 to enable.
- Setting name: "Credential Guard Configuration". OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags. Data type: integer. Possible values:
- 1: enabled with UEFI lock.
- 2: enabled without lock.
Once the policy has been applied to the target group of devices or users, the computer must be restarted so that the VSM environment initializes correctly and the Credential Guard service starts.
Enabling via Group Policy (GPO)
In Active Directory-based domains, the usual way to configure Credential Guard is through the Group Policy Editor. It can be set both in the Local Group Policy Editor of each computer and in GPOs linked to OUs or to the whole domain.
The usual configuration path is:
Computer Configuration → Administrative Templates → System → Device Guard
Under that path, edit the policy "Turn On Virtualization Based Security" and set it to Enabled. In the "Credential Guard Configuration" drop-down list, choose between "Enabled with UEFI lock" and "Enabled without lock", depending on the level of restriction desired. After a policy refresh and a reboot, the protection will be active.
Advanced configuration via the Registry
For specific scenarios or automation, Credential Guard can be configured by editing the Windows Registry directly. The most relevant values are:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Value: EnableVirtualizationBasedSecurity (REG_DWORD). Data: 1 to enable VBS.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Value: RequirePlatformSecurityFeatures (REG_DWORD). Commonly used data: 1 to use Secure Boot only; 3 to use Secure Boot and DMA protection.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Value: LsaCfgFlags (REG_DWORD). Data: 1 enables Credential Guard with UEFI lock; 2 enables Credential Guard without lock.
After applying these changes, the machine must be restarted for the new configuration to take effect and for the protected mode to start.
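The following PowerShell script is an added example, not code from the original article: it writes the three registry values described above, but first reads Win32_DeviceGuard.AvailableSecurityProperties so that it refuses to request DMA protection or Secure Boot the platform does not report. The LockMode parameter and the function name are this example's own.

```powershell
# Added example, not code from the original article: applies the three registry
# values described above and refuses to write settings the platform cannot honour.
# Run from an elevated PowerShell session; Credential Guard starts only after a reboot.
function Set-CredentialGuardRegistry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 'UefiLock' writes LsaCfgFlags = 1 (cannot be undone by policy alone later);
        # 'NoLock' writes LsaCfgFlags = 2 (reversible remotely, the Windows 11 default).
        [ValidateSet('UefiLock', 'NoLock')]
        [string]$LockMode = 'NoLock',

        # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot + DMA protection.
        [ValidateSet(1, 3)]
        [int]$PlatformSecurityFeatures = 3
    )

    # Win32_DeviceGuard.AvailableSecurityProperties lists what the CPU/firmware offer:
    # 1 = base virtualization support, 2 = Secure Boot, 3 = DMA protection.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $available = @($dg.AvailableSecurityProperties)
    if ($available -notcontains 1 -or $available -notcontains 2) {
        throw 'Platform lacks virtualization support or Secure Boot; Credential Guard cannot run here.'
    }
    if ($PlatformSecurityFeatures -eq 3 -and $available -notcontains 3) {
        Write-Warning 'DMA protection not reported by the platform; falling back to Secure Boot only (1).'
        $PlatformSecurityFeatures = 1
    }

    $lsaCfgFlags    = if ($LockMode -eq 'UefiLock') { 1 } else { 2 }
    $deviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $settings = @(
        @{ Path = $deviceGuardKey; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 }
        @{ Path = $deviceGuardKey; Name = 'RequirePlatformSecurityFeatures';   Value = $PlatformSecurityFeatures }
        @{ Path = $lsaKey;         Name = 'LsaCfgFlags';                       Value = $lsaCfgFlags }
    )

    foreach ($s in $settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -eq $s.Value) { continue }   # already in the desired state
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set REG_DWORD $current -> $($s.Value)")) {
            Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
        }
    }

    # Report what is now on disk; a reboot is still needed before LsaIso.exe starts.
    foreach ($s in $settings) {
        [pscustomobject]@{
            Key   = $s.Path
            Name  = $s.Name
            Value = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
    }
}

# Preview the changes without writing, then apply (reboot afterwards):
Set-CredentialGuardRegistry -LockMode NoLock -WhatIf
Set-CredentialGuardRegistry -LockMode NoLock
```

Choose UefiLock only after confirming there is no need to roll the setting back remotely, since that path requires the SecConfig.efi procedure described later.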
How to check whether Credential Guard is really running
A common mistake is to focus only on whether the LsaIso.exe process appears in Task Manager and to conclude from that that Credential Guard is running. Microsoft does not recommend this as a definitive check, because it may not accurately reflect the real state of the protection.
Instead, there are three more reliable ways to check the status of Credential Guard:
- The System Information tool (msinfo32.exe).
- PowerShell commands.
- Reviewing events in Event Viewer.
With System Information, just run msinfo32.exe, select "System Summary" and look at the field "Virtualization-based security Services Running". If "Credential Guard" is listed among the running services, the feature is actually active.
Through PowerShell, you can run the command:
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
The value returned indicates the run state:
- 0: Credential Guard is disabled (not running).
- 1: Credential Guard is enabled and running.
In addition, the related events can be reviewed in Event Viewer by filtering Windows Logs\System by the event source WinInit. Checking these events periodically, together with WMI queries or security audits, helps confirm the health and rollout state of the feature across the fleet.
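As an added example (not code from the original article), the following function combines the three checks from this section into one status object, reporting the LsaIso.exe process presence separately so that it never decides the verdict, and flags devices that are configured but not running. The function name, the 'ConfiguredNotRunning' label and the host names in the fleet call are this example's own.

```powershell
# Added example, not code from the original article: combines the three checks from
# this section (Win32_DeviceGuard, process list, WinInit events) into one status object
# and flags the case the article warns about: LsaIso.exe present but the service not running.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param([int]$EventLookbackDays = 7)

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # SecurityServicesConfigured / SecurityServicesRunning hold 1 when Credential Guard is
    # configured / running (2 means HVCI and is ignored here).
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1

    # Registry intent: LsaCfgFlags 1 = with UEFI lock, 2 = without lock, 0 or absent = off.
    $lsaCfgFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                     -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    # Process presence is reported, but never used to decide the verdict.
    $lsaIsoPresent = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # Recent System-log events from the WinInit source that mention Credential Guard.
    $since  = (Get-Date).AddDays(-$EventLookbackDays)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.ProviderName -match 'WinInit' -and $_.Message -match 'Credential Guard' } |
              Select-Object -First 5 TimeCreated, Id, Message

    # 'ConfiguredNotRunning' usually means a pending reboot or VBS blocked by firmware settings.
    $state = if ($running)                        { 'Running' }
             elseif ($configured -or $lsaCfgFlags) { 'ConfiguredNotRunning' }
             else                                  { 'Disabled' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        State                = $state
        Configured           = $configured
        Running              = $running
        LsaCfgFlags          = $lsaCfgFlags
        LsaIsoProcessPresent = $lsaIsoPresent
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus            = $dg.VirtualizationBasedSecurityStatus
        RecentWinInitEvents  = $events
    }
}

# Local check:
Get-CredentialGuardStatus | Format-List

# Fleet check over WinRM (hypothetical host names): anything not 'Running' needs attention.
$hosts = 'ws-001', 'ws-002', 'srv-app-01'
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-CredentialGuardStatus} |
    Where-Object State -ne 'Running' |
    Select-Object PSComputerName, State, LsaCfgFlags, VbsStatus, LsaIsoProcessPresent
```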
Options for disabling Credential Guard
Although it is not ideal from a security standpoint, it is sometimes necessary to disable Credential Guard because of compatibility problems with critical applications or legacy protocols that cannot be replaced in the short term.
The procedure for disabling the feature depends on how it was originally enabled. In general, you should:
- Revert the configuration applied by Intune, GPO or the Registry, setting the VBS and LsaCfgFlags values back to the disabled state.
- Restart the device so that the virtualization-based security components stop loading.
If Credential Guard was configured with UEFI lock, things get a bit more complicated, because part of the state lives in EFI variables in the firmware. In that case, besides reverting the configuration in Windows, it is necessary to run a series of bcdedit commands from an elevated command prompt to load a special configuration tool (SecConfig.efi) at startup.
The flow usually looks like this:
- Temporarily mount the EFI partition with mountvol and copy SecConfig.efi to it.
- Create a boot-loader entry with bcdedit /create pointing to SecConfig.efi.
- Set a one-time boot sequence so that this entry runs at the next restart, and pass it the DISABLE-LSA-ISO option.
- Restart the device and, when the pre-boot prompt appears, confirm the UEFI configuration change so that the disablement persists.
Without that confirmation, the firmware will not record the change and Credential Guard will remain locked at the UEFI level, even if the setting has been changed in the operating system.
On virtual machines, the Hyper-V host can disable the use of VBS and Credential Guard for a specific VM using the PowerShell command Set-VMSecurity with the appropriate opt-out option.
In some environments it has been observed that after certain Windows updates, computers that used Remote Desktop authentication with SSO or legacy methods start showing messages saying the credentials are not valid. In many of these cases, the temporary workaround applied has been to disable Credential Guard from local group policy (gpedit.msc), navigating to Computer Configuration → Administrative Templates → System → Device Guard → "Turn On Virtualization Based Security" and setting the Credential Guard Configuration option to "Disabled".
Credential Guard has established itself as an essential part of the identity-protection strategy in Windows, especially in environments with large Active Directory deployments and sensitive privileged accounts. By combining VBS, TPM and memory isolation, this technology makes life much harder for attackers who try to move laterally by stealing credentials from the memory of endpoints and servers, provided it is complemented with good practices, monitoring tools, and control over legacy applications and protocols.
Editor specializing in technology and internet topics with more than ten years of experience in various digital media. I have worked as an editor and content creator for e-commerce, communication, online marketing and advertising companies. I have also written for blogs on economics, finance and other fields. My work is also my passion. Now, through my articles at Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.

