
Windows Defender Credential Guard and PEAP MS-CHAPv2

Key Points
  • Windows Defender Credential Guard is a virtualization-based security feature that isolates domain secrets on the endpoint, but it breaks single sign-on for older, weaker authentication protocols.
  • Credential Guard does not let saved Windows credentials be used for PEAP-MSCHAPv2, because MS-CHAPv2 (like NTLMv1) needs the NT password hash that Credential Guard deliberately keeps out of reach.
  • The result is either failed authentication or users typing their credentials on every connection, which is why Microsoft recommends moving to certificate-based EAP-TLS.

Protecting user credentials is central to an organization's security, because stolen credentials are one of the most common ways an attacker gets a foothold. This article looks at two Microsoft technologies that meet at that point: Windows Defender Credential Guard, which isolates domain secrets on the endpoint, and PEAP MS-CHAPv2, the password-based 802.1X method that most Windows networks still use for Wi-Fi, VPN and wired access. Both are meant to strengthen credential-based security within enterprise networks.

However, combining them causes trouble. Enterprises that enable Credential Guard while relying on PEAP-MSCHAPv2 report Wi-Fi, VPN and wired 802.1X connections that no longer accept the user's saved Windows account credentials, so authentication fails after the user has entered their Windows credentials.

Credential Guard refuses to hand the NTLM and MS-CHAP password hashes to the network authentication code, so saved PEAP credentials can no longer be used. Users see login attempts with their saved Windows credentials fail, and they either have to re-enter their password on every connection or cannot connect at all. Keeping domain credentials where any process can reach them is exactly the weakness Credential Guard is meant to close, because a stolen hash can be replayed to compromise the enterprise network. The cleanest way out is EAP-TLS, certificate-based authentication, which removes the need to store Windows credentials for network access and takes password-replay attacks against the network off the table.

This raises the question of whether enterprises should deploy Credential Guard alongside PEAP-MSCHAPv2 at all. By design, Credential Guard is blocking a less secure form of access. In practice, though, the end user cannot reach the enterprise network until an IT administrator disables Credential Guard so they can log in, which is an unfriendly user experience, a security regression, and a poor use of IT staff time.

This article explores both features in detail: their benefits, the complexity of deploying them in enterprise settings, the protocols Microsoft recommends, and SecureW2's examination of this scenario in our sandbox environment, with results that inform whether an enterprise should enable or disable the feature.

Windows Credential Guard

Windows Defender Credential Guard is a security feature available since Windows 10 Enterprise and Windows Server 2016. It defends against threats that target users' Windows domain credentials. Using hardware-backed virtualization and a secure subsystem, it isolates the secrets attackers prize most: NTLM password hashes, Kerberos ticket-granting tickets, and the domain credentials that applications store through Credential Manager.

Credential Guard builds on the platform features that also underpin UEFI Secure Boot and virtualization-based security (VBS), and it raises the bar against advanced persistent threats that live off stolen credentials. Enterprises that already standardize on Windows Defender will value it for protecting the credentials behind their Wi-Fi and VPN connections.

Credential Guard blocks protocols such as NTLMv1, WDigest, and MS-CHAPv2 with single sign-on. It also blocks Kerberos unconstrained delegation, DES encryption, and PKINIT that uses RSA encryption in place of Diffie-Hellman.

This is particularly significant for organizations that handle sensitive data, such as government agencies, financial institutions, and healthcare providers, because it blunts "pass the hash" and "pass the ticket" attacks in high-risk environments. Stored domain credentials are no longer exposed to credential-theft tools, NTLM classic (NTLMv1) authentication is turned off so its password hashes cannot be harvested, and Kerberos unconstrained delegation is blocked so attackers cannot extract Kerberos keys that way; where delegation is genuinely needed, constrained or resource-based delegation is the supported alternative.

Credential Guard's approach is virtualization-based. It runs an isolated part of the Local Security Authority (the LsaIso.exe process) in Virtual Secure Mode, separated from the normal operating system and from the regular LSASS process that applications talk to. Secrets live only in that isolated environment, so code running in the normal OS, even with administrator rights, cannot read them; the same isolation protects Credential Manager secrets.

System administrators enable and manage Credential Guard through Windows Group Policy or a Mobile Device Management (MDM) solution, which gives them central control over the policy. Implementing Credential Guard offers advantages such as stronger security, help with regulatory compliance, defense against credential-stealing malware, mitigation of insider threats, and strong protection against credential theft. It does, however, come with an issue that may push administrators to disable it: its interaction with the PEAP-MSCHAPv2 protocol.
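Before debugging a PEAP-MSCHAPv2 failure it helps to know whether Credential Guard is actually running on the device, not just whether policy asked for it. The following PowerShell is an added example, not code from the original article; it reads the state that Group Policy or MDM ends up setting (the Win32_DeviceGuard WMI class, the isolated LSA process, the LsaCfgFlags registry value, and the Wininit start-up events) and assumes it is run from an elevated prompt on Windows 10 or 11.

```powershell
# Added example (not from the original article): report Credential Guard state on a
# Windows 10/11 endpoint. Run from an elevated PowerShell prompt.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports what policy asked for and what is actually running.
    # In SecurityServicesConfigured/Running, 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # LsaCfgFlags is the registry value behind the "Credential Guard Configuration" policy:
    # 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    # Absent means the policy is "Not Configured".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $vbs = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        # 0 = VBS not enabled, 1 = enabled but not running, 2 = running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        # The isolated LSA process only exists while Credential Guard is active.
        LsaIsoProcess             = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        LsaCfgFlags               = if ($null -ne $lsa.LsaCfgFlags) { $lsa.LsaCfgFlags } else { 'not set (policy Not Configured)' }
        EnableVbs                 = $vbs.EnableVirtualizationBasedSecurity
        # 1 = Secure Boot required, 3 = Secure Boot and DMA protection required
        RequirePlatformSecurity   = $vbs.RequirePlatformSecurityFeatures
    }
}

Get-CredentialGuardState | Format-List

# Wininit logs Credential Guard start-up to the System log:
#   13 = LsaIso started and is protecting LSA credentials
#   14 = Credential Guard configuration flags read at boot
#   15 = configured but the secure kernel is not running; continuing without Credential Guard
#   16 = LsaIso failed to launch      17 = error reading the UEFI (lock) configuration
# Event 15 is the usual reason "configured" and "running" disagree above.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 13,14,15,16,17 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. On Windows 11 Enterprise 22H2 and later, Credential Guard is turned on by default on hardware that meets the requirements even though the policy still shows "Not Configured", so trust the Running flag rather than the policy. And if LsaCfgFlags is 1, the feature was enabled with a UEFI lock: setting the policy back to disabled is not enough, the UEFI variable has to be cleared as well and the change confirmed at the console on the next boot.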

PEAP MS-CHAPv2

PEAP MS-CHAPv2 is an authentication method that combines the Protected Extensible Authentication Protocol (PEAP) with the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2).

PEAP establishes a TLS-encrypted tunnel between the client and the authentication server, and the user's credentials are then checked inside that tunnel, which keeps the password exchange confidential from anyone watching the wireless medium.

It is used wherever 802.1X is, including hotspots, educational institutions, and enterprise networks. Authentication begins when a client associates with the network and presents a user name. PEAP builds the TLS tunnel, and MS-CHAPv2 then verifies the user's password through a challenge/response exchange carried inside it.

The pieces fit together as follows. PEAP runs a TLS handshake in which the authentication server presents its certificate; the client must validate that certificate (trusted issuer and expected server name) to know it is talking to the right server, and that check is the only thing that stops a rogue access point from impersonating the network. Inside the tunnel, MS-CHAPv2 never sends the password itself: the server sends a challenge, the client answers with a response derived from the NT hash of the password and both sides' challenges, and the server returns an authenticator response proving that it also knows the password hash, so authentication is mutual at the MS-CHAPv2 layer as well. Once the server verifies the client's response, it grants the user access to the network. The caveat is that MS-CHAPv2 on its own is weak: a captured challenge/response pair can be cracked offline, so the whole design rests on the TLS tunnel and on clients actually validating the server certificate.

PEAP MS-CHAPv2 is attractive because it reuses the Active Directory password the user already has and, with saved Windows credentials, gives single sign-on onto the network. That single sign-on is exactly what Credential Guard blocks when both are enabled on the same device, so the two do not combine into the better user experience one might expect.

PEAP MS-CHAPv2 also gives auditable, per-user authentication and protects the password exchange from eavesdropping. These properties make it a workable option for organizations that want robust yet user-friendly authentication, but the risks above must be accounted for whenever it is deployed.

Pros and Cons of Windows Credential Guard, Balancing Security and Usability

Pros:

When enterprises enable Credential Guard on devices that use the PEAP MS-CHAPv2 network protocol, they gain security benefits, including:

1. Enhanced Security: 

By isolating credentials in a virtualized environment, Windows Defender Credential Guard adds a layer of protection, making it difficult for attackers to compromise them. The reliance on hardware-based security through virtualization further strengthens credential safeguarding. It helps mitigate “Pass The Hash” or “Pass The Ticket” attacks.

2. Policy Enforcement: 

Enterprises can enforce a consistent credential-protection baseline on end-user devices, in particular shielding the vulnerable NTLM hashes from credential-theft attacks.

3. Compliance Maintenance: 

Credential Guard helps organizations meet compliance requirements by ensuring that domain secrets are accessible only to privileged system software.

Drawbacks:

However, alongside these benefits, enterprises may encounter some challenges when Credential Guard is enabled:

1. Performance Impact: 

Devices with Credential Guard may see a performance impact, because virtualization-based security must be running to isolate secrets so that only privileged system software can reach them.

2. Device Compatibility: 

Virtualization-based security needs a 64-bit CPU with virtualization extensions, UEFI firmware with Secure Boot, and ideally a TPM; rolling it out may require device upgrades or migration to hardware that supports it. It does not allow

3. Network Connectivity: 

Organizations report that with Credential Guard enabled they either cannot use credential-based 802.1X at all or are forced to re-enter their credentials every time they authenticate. We dive deeper into this issue in the next section.

4. Training and Monitoring: 

In an enterprise environment, implementing and managing Credential Guard can be complex. Administrators must allocate resources to train IT personnel and end users on the change. Monitoring threats and ensuring device compliance remain crucial, because Credential Guard is not a complete answer to credential theft.

5. Security Vulnerabilities: 

Despite its protections, Credential Guard cannot eliminate every threat. Risks remain from device theft, insider threats, brute-force and dictionary attacks against passwords, and network-level attacks such as evil-twin access points and adversary-in-the-middle attacks, which capture credentials over the air before they ever reach the endpoint's protected store.

The Importance of Achieving a Balance

Finding the right balance between security and usability is crucial. While implementing Credential Guard and PEAP MS-CHAPv2 can significantly enhance security, organizations must weigh the following factors.

Hardware Compatibility:

  • Before implementing security features like Windows Defender Credential Guard, organizations should evaluate their existing hardware and the future use of their equipment when Credential Guard is enabled. Not all devices can support virtualized-based security features, which may require upgrades or replacements.

Deployment Complexity: 

  • Custom implementations of these security measures can be complex. Administrators and managers must allocate resources for training IT personnel and end users on cybersecurity practices.

Performance Impact:

  • Anticipate potential performance decreases on devices that use a virtualization layer to isolate credentials, and make sure the resources and hardware are in place to minimize the impact.

Continuous Monitoring: 

  • Cybersecurity threats are constantly evolving. Businesses must invest in monitoring and threat assessment to quickly identify and address vulnerabilities.

User Experience: 

  • Striking a balance between security and user experience is critical. Security controls that get in the user's way hinder productivity; Credential Guard preventing saved credentials from being used for PEAP-MSCHAPv2 is a case in point, so organizations should plan a user-friendly path before rolling it out.

Enabling Credential Guard 

With the advantages, disadvantages, and deployment considerations covered, we turn to the concrete issue. An enterprise implementing this security feature may find that users can no longer connect to the network with their Windows domain user credentials, and no error code is shown.

Organizations have reported this when Credential Guard is enabled and PEAP-MSCHAPv2 is used for network authentication. Others report that Credential Guard prevents users from keeping their Active Directory credentials stored on their devices, which forces users on PEAP-MSCHAPv2 to re-enter their AD credentials every time they want network access. SecureW2 team members looked into this issue and determined how to avoid it; the results follow, to bring awareness of the best security practices to implement.
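The first thing to establish on an affected device is which saved Wi-Fi profiles use PEAP-MSCHAPv2 with the Windows logon credentials (the combination that Credential Guard refuses), and whether those profiles enforce the server certificate validation described in the PEAP MS-CHAPv2 section above. The script below is an added example, not from the original article or SecureW2's tooling: it exports every saved profile with netsh, classifies the EAP method from the EAP type numbers in the profile XML (13 = EAP-TLS, 25 = PEAP, 26 = MS-CHAPv2), and reports the UseWinLogonCredentials and ServerValidation settings. It assumes a Windows client with the WLAN AutoConfig service and a scratch folder under %TEMP%.

```powershell
# Added example (not from the original article): audit saved Wi-Fi profiles for
# PEAP-MSCHAPv2 with Windows logon SSO and for weak server certificate validation.

$outDir = Join-Path $env:TEMP 'wlan-profile-audit'   # assumed scratch folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
netsh wlan export profile folder="$outDir" | Out-Null   # exports every saved profile as XML

$findings = foreach ($file in Get-ChildItem -Path $outDir -Filter '*.xml') {
    [xml]$p = Get-Content -Path $file.FullName -Raw

    # The profile schema uses default namespaces, so match elements on local-name().
    $name = $p.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']").InnerText
    $auth = $p.WLANProfile.MSM.security.authEncryption.authentication   # WPA2, WPA3ENT, WPA2PSK, open ...
    $oneX = $p.WLANProfile.MSM.security.OneX

    if (-not $oneX) {
        [pscustomobject]@{ Profile = $name; Auth = $auth; AuthMode = 'n/a'; Method = '(no 802.1X)'; WinLogonSSO = 'n/a'; ServerValidation = 'n/a' }
        continue
    }

    # machine = computer account only, user = user credentials only, machineOrUser = both (default).
    $authMode = if ($oneX.authMode) { $oneX.authMode } else { 'machineOrUser (default)' }

    # EAP type numbers (IANA EAP registry): 13 = EAP-TLS, 25 = PEAP, 26 = MS-CHAPv2.
    $types = @($p.SelectNodes("//*[local-name()='Type']") | ForEach-Object { $_.InnerText })
    $method = if ($types -contains '25') {
        $inner = @($types | Where-Object { $_ -ne '25' } | Select-Object -Unique)
        if ($inner -contains '26')     { 'PEAP-MSCHAPv2' }
        elseif ($inner -contains '13') { 'PEAP-TLS' }
        else                           { "PEAP (inner EAP type $($inner -join ','))" }
    } elseif ($types -contains '13') { 'EAP-TLS' }
    else { "EAP type(s) $($types -join ',')" }

    # true = authenticate with the Windows logon (domain) credentials; this is the SSO path
    # that Credential Guard blocks for MS-CHAPv2.
    $sso = $p.SelectSingleNode("//*[local-name()='UseWinLogonCredentials']")
    $winLogonSso = if ($sso) { $sso.InnerText } else { 'n/a' }

    # Server validation is what keeps an evil-twin AP from harvesting the handshake:
    # a pinned root CA and no "accept this certificate?" prompt for the user.
    $sv = $p.SelectSingleNode("//*[local-name()='ServerValidation']")
    $validation = if ($null -eq $sv) { 'unknown' } else {
        $noPrompt = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
        $rootCa   = $sv.SelectSingleNode("*[local-name()='TrustedRootCA']")
        $names    = $sv.SelectSingleNode("*[local-name()='ServerNames']")
        if ($rootCa -and $noPrompt -and $noPrompt.InnerText -eq 'true') {
            if ($names -and $names.InnerText.Trim()) { 'enforced (pinned root CA + server name)' }
            else { 'enforced (pinned root CA, no server name check)' }
        } else { 'WEAK: user may be prompted to accept any server certificate' }
    }

    [pscustomobject]@{ Profile = $name; Auth = $auth; AuthMode = $authMode; Method = $method; WinLogonSSO = $winLogonSso; ServerValidation = $validation }
}

$findings | Sort-Object Method, Profile | Format-Table -AutoSize -Wrap

# The exported XML describes the network configuration in detail; do not leave it behind.
Remove-Item -Path $outDir -Recurse -Force
```

Rows showing PEAP-MSCHAPv2 with WinLogonSSO true are the ones whose users will be prompted for credentials, or fail outright, once Credential Guard is running; rows flagged WEAK are exposed to evil-twin credential capture regardless of Credential Guard, and should be fixed by pinning the RADIUS server's root CA and expected server name before anything else.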


Sandbox Results

As you can see from the above results, we were able to authenticate to the network using PEAP-MSCHAPv2 with Credential Guard enabled and disabled.

We also found that domain-joined devices can use their stored device credentials to perform PEAP authentication against their NPS server. We also saw that Credential Guard is set to "Not Configured" by default on Windows 10 and 11, and we can activate or deactivate it accordingly.

Microsoft’s Official Recommendation: Move Away from PEAP-MSCHAPv2 to EAP-TLS

Despite this, numerous organizations have contacted us saying they are still experiencing issues with Windows Defender Credential Guard and PEAP-MSCHAPv2. As of November 2nd, 2023, we are still working with these organizations to isolate what it is about their environment that causes these issues.

The issues caused by Credential Guard have prompted many organizations to begin migrating to EAP-TLS, certificate-based authentication. The above image was taken from a Microsoft document discussing known issues with Credential Guard. It reiterates the issues we have seen other organizations face and officially recommends that organizations move to certificate-based authentication.

There are other reasons why institutions such as NIST and the NSA recommend certificate authentication. It prevents over-the-air credential theft by adversary-in-the-middle (formerly man-in-the-middle) attacks, because there is no password to capture and the certificate's private key never leaves the device. It also gives organizations strong assurance about the identity behind every network connection, since private keys can be marked non-exportable, something our EAP-TLS onboarding tool JoinNow MultiOS does. Lastly, it prevents network disconnects caused by password resets, which can drastically reduce tickets and improve the user experience.
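Whether a migrated client is actually in that position comes down to one check: does it hold a client-authentication certificate, and is the private key behind it non-exportable? The PowerShell below is an added example, not part of the article or of the JoinNow tooling; it lists the client-authentication certificates in the current user's personal store and reports, for both CNG (including TPM-backed) and legacy CAPI keys, whether the key can be exported. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the original article or SecureW2's tooling): list the
# client-authentication certificates in the user's personal store and report whether
# each private key is exportable. A non-exportable key is what makes an EAP-TLS
# credential hard to steal and replay.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS user authentication

function Get-PrivateKeyExportability {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'no private key' }

    # The extension methods return the provider-specific key object (CNG or CAPI).
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    }
    if ($null -eq $key) { return 'unsupported key type' }

    switch ($key) {
        { $_ -is [System.Security.Cryptography.RSACng] -or $_ -is [System.Security.Cryptography.ECDsaCng] } {
            # CNG keys (software KSP or TPM-backed): ExportPolicy None means the key cannot leave the store.
            if ($_.Key.ExportPolicy -eq [System.Security.Cryptography.CngExportPolicies]::None) { return 'non-exportable (CNG)' }
            return "EXPORTABLE (CNG policy: $($_.Key.ExportPolicy))"
        }
        { $_ -is [System.Security.Cryptography.RSACryptoServiceProvider] } {
            # Legacy CAPI provider.
            if ($_.CspKeyContainerInfo.Exportable) { return 'EXPORTABLE (CAPI)' }
            return 'non-exportable (CAPI)'
        }
        default { return "unknown provider ($($_.GetType().Name))" }
    }
}

Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        # Keep only certificates whose Extended Key Usage includes Client Authentication.
        $ekus = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $ekus -contains $clientAuthOid
    } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            PrivateKey = Get-PrivateKeyExportability -Cert $_
        }
    } | Format-Table -AutoSize -Wrap
```

For machine authentication, run the same pipeline against Cert:\LocalMachine\My from an elevated prompt. Any certificate reported as EXPORTABLE should be re-issued with a non-exportable (preferably TPM-backed) key before it is trusted for network access, since an exportable key can be copied off the device just like a password.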

Conclusion

Enterprises that still use password-based network authentication should enable Credential Guard for the extra layer of protection it gives stored credentials. Configuring the network authentication method properly avoids the security feature working against itself and strengthens mitigation of credential-based attacks. It is not a guarantee of network security, though: Credential Guard protects the secrets stored on the endpoint, and credential-based attacks that capture or guess the password somewhere else remain possible.

It is important to consider alternatives to PEAP MS-CHAPv2 to avoid the disruption an enterprise sustains when this scenario occurs. SecureW2 addresses it by removing the dependency on passwords altogether: a Public Key Infrastructure and the JoinNow onboarding solutions issue certificates, so Credential Guard and PEAP-MSCHAPv2 never need to be reconciled.

Transitioning from MSCHAPv2-based connections to certificate-based authentication such as PEAP-TLS or EAP-TLS for Wi-Fi and VPN removes the vulnerabilities that PEAP MS-CHAPv2 brings to your network.

It also removes a whole class of user error: with no password to type, users cannot be tricked by a misconfigured profile or a rogue network into handing over their password, and the certificate itself carries the user's identity and attributes, which the network checks against the organization's Active Directory.

Microsoft recommends that organizations shift to EAP-TLS to strengthen security and give end users and administrators a better day-to-day experience. Although Credential Guard provides real security advantages, implementing it may bring difficulties around hardware compatibility, deployment complexity, and performance.


User and machine authentication with PEAP-TLS or EAP-TLS prevents the same class of attacks against Wi-Fi and VPN endpoints. It takes weak, shared, or generic passwords out of the picture and ties network access to a certificate, so that only the users and devices holding a valid certificate can reach the organization's privileged systems.

Organizations must make decisions that align with their security requirements, industry regulations, and commitment to addressing user experience concerns. Achieving the equilibrium between security and usability is essential in today’s ever-changing landscape of threats.

Learn about this author

Justin Boone

Justin is a Product Marketing Associate from North Carolina. He grew up in Nebraska, where he received his Bachelor's in Cyber Security. He wants to continue to educate himself in the Cyber Security field and use it to bring innovative ideas to fruition. In his free time, he enjoys spending time with his family and friends, reading books, working out in the gym, or playing Rugby.
