Mitigating Credential Theft using the Windows 10 Isolated User Mode

29 minutes, 7 seconds



In this video Seth Moore describes another benefit of the Windows 10 Isolated User Mode: credential theft mitigation. He first describes the kinds of credentials that can be stolen and how a hacker gains access to them. He then describes how the Windows 10 Isolated User Mode prevents the typical techniques from ever working. It is truly a fascinating look at how the Windows kernel group is continuing to innovate in order to protect us from being compromised. The best part for me is how hesitant Seth was to declare victory when it comes to having a bullet-proof system: this kind of attitude shows the level of vigilance the operating system folks have when it comes to securing our computing environments.


Follow the discussion

  • It seems like the real problem is that the Windows world doesn't treat the Administrator account as rare and sacred as the Unix world treats the root account. You generally can't load an arbitrary driver with CreateService() unless you're an Administrator, yet a fresh desktop install always starts me right off with Administrator privileges. This does not compute!

  • So how much of this applies to my non domain joined Windows 10 laptop?

    The video was very interesting - a clear description of a difficult subject.

  • Jason Fossen

    Great! Even more technical detail would be nice, such as about the RPC from LSASS into LSAISO/CredGuard, hypervisor and VMBus attacks, how each machine has a unique AES256 key for IUM memory dumps but there is also another (private?) key at Microsoft which can be used to decrypt the dumps, future plans for other trustlets in IUM besides CI/CredGuard, how this all relates to Intel CPU extensions like SGX, etc. More please! Thanks!

  • Seth Moore

    Great questions. We're super jazzed about this feature, and it's cool to see interest in it.

    @sjypharmhotmail - We cannot, unfortunately, make strong security statements about non-joined systems. Credentials in memory are certainly better protected when Credential Guard is enabled, yet we have no mitigation for an attacker who manages to find a way to disable the feature.

    It was a conscious decision to focus on enterprise scenarios, because that's where the effects of attacks like Pass-the-Hash are most felt. Another way to look at it is this: The feature isn't protecting the client so much as preventing the spread of attackers once they have managed to root a client. It's all about limiting lateral traversal.

    @electricninja33 - Being an Administrator account on Windows is akin to being in the sudoers file in Linux (though, admittedly, with less granularity). An elevation process is required, in both systems, before you can do truly nasty things to the OS. In either system, if you're granted privileges, even indirectly, and your creds are stolen, the system is getting owned.

