Configuring Credential Guard in Windows step by step

Last updated: 28/11/2025
Author: Isaka
  • Credential Guard isolates NTLM hashes, Kerberos TGTs and domain credentials using virtualization-based security to reduce credential-theft attacks.
  • It can be enabled via Intune/MDM, Group Policy or the Registry, and always relies on VBS, UEFI with Secure Boot, virtualization hardware and, preferably, TPM 2.0.
  • Enabling it introduces requirements and blocks legacy protocols and methods (DES, NTLMv1, unconstrained delegation), so verifying application compatibility before deployment is essential.
  • Credential Guard has clear limits (it does not protect every type of credential, nor against physical attacks), so it should be combined with other measures such as Device Guard, segmentation and good administrative practices.


Credential Guard has become a key component for hardening authentication in modern Windows environments, especially in organizations where a credential-theft attack can turn into a serious incident. Instead of leaving authentication secrets exposed in system memory, this feature isolates them using virtualization-based security, greatly reducing the attack surface.

In the following sections you will see how to configure Credential Guard using the different available methods (Intune/MDM, Group Policy and the Registry). We will cover the requirements your device must meet, the limitations it introduces, how to verify that it is really working, and how to disable it in the scenarios that call for it, including virtual machines and devices locked with UEFI. Everything is explained in detail but in clear, practical language so you can apply it easily.

What is Credential Guard and how does it protect credentials?

Credential Guard is a Windows protection feature that uses virtualization-based security (VBS) to isolate credentials and other authentication-related secrets. Instead of everything being kept directly in the Local Security Authority process (lsass.exe), the sensitive data is kept in a separate component called the isolated LSA.

This isolated LSA runs in a protected environment, separated from the main operating system by the hypervisor (Virtual Secure Mode, VSM). Only a small set of binaries, signed with trusted certificates, can be loaded into that environment. Communication with the rest of the system happens over RPC, which prevents malware running in the operating system, whatever its privilege level, from reading the protected secrets directly.

Credential Guard specifically protects three types of credentials: NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials, all of which would otherwise be at risk. This mitigates classic attacks such as pass-the-hash and pass-the-ticket, which are very common in lateral movement inside corporate networks.

It is important to understand that Credential Guard does not protect everything. It does not cover, for example, credentials handled by third-party software outside the standard Windows processes, or local and Microsoft accounts, and it does not protect against physical attacks or keyloggers. Even so, it dramatically reduces the risk associated with domain credentials.

Credential Guard enabled by default

Starting with Windows 11 22H2 and Windows Server 2025, virtualization-based security (VBS) and Credential Guard are enabled by default on devices that meet the hardware, firmware and software requirements defined by Microsoft. This means that on many modern computers it comes preconfigured and active without any administrator intervention.

The default enablement mode is "enabled without UEFI lock", in other words, without the lock that prevents remote disabling. This makes it easier for administrators to disable Credential Guard through policy or remote management if a critical application turns out to be incompatible or performance problems are found.

When Credential Guard is enabled by default, VBS itself is also enabled by default. No separate VBS configuration is needed for Credential Guard to work, although there are additional settings to raise the platform's protection level (for example, requiring DMA protection on top of Secure Boot).

There is an important nuance on upgraded machines: if a device had Credential Guard explicitly disabled before upgrading to a Windows version where it is enabled by default, it will remain disabled after the upgrade. In other words, an explicit administrator configuration takes precedence over the default behaviour.

System, hardware, firmware and licensing requirements

For Credential Guard to provide real protection, the device must meet a series of minimum hardware, firmware and software requirements. Devices that exceed this minimum and have additional features, such as an IOMMU or TPM 2.0, can benefit from higher levels of protection against DMA attacks and advanced threats.

Hardware and firmware requirements

The main hardware requirements for Credential Guard are a 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V) and support for second-level address translation (SLAT, also known as Extended Page Tables). Without these virtualization capabilities, VBS and Virtual Secure Mode cannot properly isolate memory.

At the firmware level, UEFI version 2.3.1 or later with Secure Boot support and a secure firmware update process is mandatory. In addition, features such as a secure Memory Overwrite Request (MOR) implementation, protection of the boot configuration, and the ability to update the firmware through Windows Update are recommended.


Using an input/output memory management unit (IOMMU) such as Intel VT-d or AMD-Vi is highly recommended, since it allows DMA protection to be enabled together with VBS. This protection prevents malicious devices attached to the bus from directly accessing memory and extracting secrets.

The Trusted Platform Module (TPM) is another key component, preferably version TPM 2.0, although TPM 1.2 is also supported. The TPM provides a hardware security anchor to protect the VSM master key and ensures that data protected by Credential Guard can only be accessed in a trusted environment.

VSM protection and the role of the TPM

Secrets protected by Credential Guard are isolated in memory through Virtual Secure Mode (VSM). On recent hardware with TPM 2.0, persistent data in the VSM environment is encrypted with a VSM master key that is protected by the TPM itself and by the device's secure boot mechanisms.

Although NTLM hashes and Kerberos TGTs are regenerated at each logon and are generally not kept across reboots, the existence of the VSM master key allows any data that is stored locally over time to be protected. The TPM guarantees that the key cannot be extracted from the device and that protected secrets cannot be accessed outside the verified environment.

Windows edition and licensing requirements

Credential Guard is not available in all Windows editions. On client editions it is supported on Windows Enterprise and Windows Education, but not on Windows Pro or Windows Pro Education/SE. In other words, a computer running Windows Pro will need to be upgraded to Enterprise to use this feature.

The rights to use Credential Guard are granted by licences such as Windows Enterprise E3 and E5 or the education licences A3 and A5. In business environments this is usually obtained through volume licensing agreements, while OEMs typically ship Windows Pro and the customer upgrades to Enterprise.

Credential Guard in Hyper-V virtual machines

Credential Guard can also protect secrets inside virtual machines running on Hyper-V, in the same way it works on physical machines. The main requirements are that the Hyper-V host has an IOMMU and that the virtual machines are Generation 2.

It is important to understand the protection boundary in these scenarios: Credential Guard protects against attacks originating inside the virtual machine itself, but not against threats from a privileged host. If the host is compromised, it can still access the guest machines.

Application requirements and compatibility

Enabling Credential Guard blocks certain authentication features, so some applications may stop working if they rely on outdated or insecure methods. Before a mass deployment, it is advisable to test the critical applications to make sure they keep working.

Applications that require DES encryption in Kerberos, unconstrained Kerberos delegation, TGT extraction, or the use of NTLMv1 will break, because these options are explicitly disabled when Credential Guard is active. This is a strict security measure, but a necessary one to close serious risks.

Other features, such as plaintext authentication, credential delegation, MS-CHAPv2 or CredSSP, expose credentials to additional risk even when Credential Guard is active. Applications that insist on using them may keep working, but they leave credentials highly exposed, so reviewing them is also recommended.

There may also be functional impacts if certain applications try to interact directly with the isolated process LsaIso.exe. In general, services that use Kerberos in the usual way (for example file shares or Remote Desktop) continue to work normally without noticing any change.

How to enable Credential Guard correctly

Microsoft's general recommendation is to enable Credential Guard before the device joins the domain, or before a domain user logs on for the first time. If it is enabled later, user or computer secrets may already have been exposed in unprotected memory.

There are three main methods for configuring this feature: Microsoft Intune/MDM, Group Policy, or the Windows Registry. The choice depends on the type of environment, the management tools available and the desired level of automation.

Enable Credential Guard using Microsoft Intune / MDM

In environments managed with Intune or another MDM solution, Credential Guard can be enabled by creating a device configuration policy that first enables virtualization-based security and then defines the specific Credential Guard behaviour.

Custom policies can be created using the DeviceGuard CSP with the following OMA-URI settings:

  • Enable VBS: OMA-URI ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity, data type int, value 1 to enable virtualization-based security.
  • Configure Credential Guard: OMA-URI ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags, data type int, value 1 to enable with UEFI lock or 2 to enable without lock.

Once the policy is created, it is assigned to the devices or user groups you want to protect. After the policy is applied, the device must be restarted for Credential Guard to take effect.

Configure Credential Guard using Group Policy (GPO)

In Active Directory domains, the most convenient method is usually a GPO. You can use the Local Group Policy Editor on a single computer, or create a Group Policy Object linked to domains or organizational units to cover many devices.


The Group Policy path is Computer Configuration → Administrative Templates → System → Device Guard. Within that section there is a setting called "Turn On Virtualization Based Security".

When you enable this policy, you must choose the Credential Guard option from the "Credential Guard Configuration" drop-down list:

  • Enabled with UEFI lock: prevents Credential Guard from being disabled remotely; it can only be changed with physical access to the firmware/BIOS.
  • Enabled without lock: allows you to disable Credential Guard later via GPO or remote configuration.

GPOs can be filtered using security groups or WMI filters, which lets you apply this protection only to certain types of devices or user profiles. After applying the policy, a restart is required for the changes to take effect.

Configure Credential Guard using the Windows Registry

When more granular control is needed, or the procedure must be scripted, Credential Guard can be enabled directly through the Registry. This method is usually used in advanced or transitional scenarios where GPO or MDM is not available.

To enable virtualization-based security (VBS), the following keys must be configured:

  • Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
    Value: EnableVirtualizationBasedSecurity, type REG_DWORD, data 1.
  • Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
    Value: RequirePlatformSecurityFeatures, type REG_DWORD, data 1 for Secure Boot or 3 for Secure Boot with DMA protection.

For the Credential Guard configuration itself, the following key is used:

  • Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Value: LsaCfgFlags, type REG_DWORD. Possible values:
    0 to disable Credential Guard,
    1 to enable it with UEFI lock,
    2 to enable it without lock.

After configuring these keys in the Registry, you must restart the computer so that VBS and Credential Guard start correctly and begin protecting credentials.
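The registry settings above as a scripted deployment, written here as an added example (it is not code from the original article). The function and parameter names are my own; the key paths, value names and the 0/1/2 and 1/3 codes are the ones listed above.

```powershell
#Requires -RunAsAdministrator
# Added example: write the VBS and Credential Guard registry values and read
# them back. Run from an elevated PowerShell session; a reboot is still needed.

function Set-CredentialGuardRegistry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # LsaCfgFlags: 0 = disable, 1 = enable with UEFI lock, 2 = enable without lock.
        # Note that 1 can only be reverted later with the SecConfig.efi boot procedure.
        [ValidateSet(0, 1, 2)]
        [int]$LsaCfgFlags = 2,

        # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection.
        # Use 3 only on hardware with an IOMMU (Intel VT-d / AMD-Vi).
        [ValidateSet(1, 3)]
        [int]$PlatformSecurityFeatures = 1
    )

    $deviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # VBS is left enabled even when LsaCfgFlags is 0: other VBS consumers
    # (for example HVCI / memory integrity) may still depend on it.
    $values = @(
        @{ Path = $deviceGuardKey; Name = 'EnableVirtualizationBasedSecurity'; Data = 1 }
        @{ Path = $deviceGuardKey; Name = 'RequirePlatformSecurityFeatures';   Data = $PlatformSecurityFeatures }
        @{ Path = $lsaKey;         Name = 'LsaCfgFlags';                       Data = $LsaCfgFlags }
    )

    foreach ($v in $values) {
        if (-not (Test-Path $v.Path)) { $null = New-Item -Path $v.Path -Force }
        if ($PSCmdlet.ShouldProcess("$($v.Path)\$($v.Name)", "Set REG_DWORD to $($v.Data)")) {
            # -Force overwrites an existing value while keeping the REG_DWORD type.
            $null = New-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Data `
                                     -PropertyType DWord -Force
        }
    }

    # Read everything back so a deployment log records what was actually written.
    $dg  = Get-ItemProperty -Path $deviceGuardKey
    $lsa = Get-ItemProperty -Path $lsaKey
    [pscustomobject]@{
        EnableVirtualizationBasedSecurity = $dg.EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = $dg.RequirePlatformSecurityFeatures
        LsaCfgFlags                       = $lsa.LsaCfgFlags
        RebootRequired                    = $true
    }
}

# Enable without UEFI lock (recoverable remotely), Secure Boot plus DMA protection.
Set-CredentialGuardRegistry -LsaCfgFlags 2 -PlatformSecurityFeatures 3
# The change only takes effect after a restart (Restart-Computer).
```

Run it with -WhatIf first to see which values would be written without touching the Registry.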

Check whether Credential Guard is enabled

Although it may seem tempting to check whether the LsaIso.exe process is running from Task Manager, Microsoft does not recommend this as a reliable check. Instead, three main methods are suggested: System Information, PowerShell and Event Viewer.

Verify with System Information (msinfo32)

The simplest method for many administrators is the Windows "System Information" tool:

  1. Select Start, type msinfo32.exe, and open the "System Information" application.
  2. In the left pane, go to System Summary.
  3. In the right pane, look for the item "Virtualization-based security Services Running" and check whether "Credential Guard" appears among the listed services.

If Credential Guard is listed as a running service in this section, it is correctly enabled and active on the computer.

Verify using PowerShell

In managed environments, PowerShell is very practical. For a quick check of the Credential Guard status, run the following command from an elevated PowerShell console:

(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning

This command returns a set of numeric values indicating which virtualization-based security services are running. For Credential Guard specifically, they are interpreted as follows:

  • 0: Credential Guard is disabled (not running).
  • 1: Credential Guard is enabled (running).

In addition to this simple query, Microsoft provides the DG_Readiness_Tool script (for example, DG_Readiness_Tool_v2.0.ps1), which lets you check whether the system is capable of running Credential Guard, enable it, disable it, and verify its status using options such as -Capable, -Enable, -Disable and -Ready.

Using Event Viewer

Another verification method, more audit-oriented, is Event Viewer. From eventvwr.exe you can open "Windows Logs" → "System" and filter the events whose source is "WinInit".

Among those events are entries related to the startup of the virtualization-based security services, including those that indicate whether Credential Guard started successfully during the boot process.
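The PowerShell query and the Event Viewer check above, combined into one status function as an added example (not code from the original article). The function name and the "ConfiguredNotRunning" state are my own; the Win32_DeviceGuard properties and the WinInit event IDs 13 to 16 are the ones documented by Microsoft for Credential Guard, not values taken from the article.

```powershell
# Added example: one status object from the WMI class and the System log, so
# "policy present but VBS never started" is distinguished from "enabled".

function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param(
        # Documented WinInit event IDs for Credential Guard (System log):
        #   13 = LsaIso.exe started and will protect LSA credentials
        #   14 = configuration flags applied at boot
        #   15 = configured, but the secure kernel is not running
        #   16 = LsaIso.exe failed to launch
        [int[]]$EventId = @(13, 14, 15, 16)
    )

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace root\Microsoft\Windows\DeviceGuard

    # In SecurityServicesConfigured / SecurityServicesRunning, 1 = Credential Guard
    # and 2 = HVCI. Wrap in @() because a single value is not returned as an array.
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1

    # "Configured but not running" is the failure mode worth alerting on: the
    # policy or registry value exists, but VBS could not start (unmet hardware
    # or firmware requirement, or a VM opted out of VBS on its host).
    $state = if ($running) { 'Running' }
             elseif ($configured) { 'ConfiguredNotRunning' }
             else { 'NotConfigured' }

    # Boot-time evidence from Event Viewer, source WinInit, newest first.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = $EventId
              } -MaxEvents 5 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        CredentialGuard = $state
        HvciRunning     = (@($dg.SecurityServicesRunning) -contains 2)
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus   # 0 disabled, 1 enabled, 2 running
        LastBootEvents  = $events
    }
}

# Local check. For a fleet, run it through Invoke-Command -ComputerName <list>.
$status = Get-CredentialGuardStatus
$status | Format-List
if ($status.CredentialGuard -ne 'Running') {
    Write-Warning "Credential Guard is $($status.CredentialGuard) on $($status.ComputerName)"
}
```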

Disabling Credential Guard and managing the UEFI lock

Although you will normally want to keep Credential Guard enabled, there are scenarios where you may need to disable it: application incompatibility, lab testing, changes in the security architecture, and so on. The procedure depends on how it was enabled and on whether the UEFI lock was applied.

In general terms, disabling Credential Guard means reverting the settings applied via Intune/MDM, Group Policy or the Registry, and then restarting the computer. However, if it was enabled with UEFI lock, additional steps are needed because some settings are stored in EFI firmware variables.

Disabling Credential Guard with UEFI lock

If Credential Guard was enabled with UEFI lock, changing the GPO or the Registry is not enough. You also need to remove the EFI variables associated with the isolated LSA configuration, using bcdedit and a small special boot procedure.

From an elevated command prompt, the sequence of commands is as follows:

  1. Mount a temporary EFI volume with mountvol and copy SecConfig.efi to the Microsoft boot path.
  2. Create a boot loader entry with bcdedit /create that points to that SecConfig.efi.
  3. Configure the boot manager's bootsequence so that it boots once with that special loader.
  4. Add the loader option DISABLE-LSA-ISO to clear the isolated LSA configuration stored in UEFI.
  5. Unmount the temporary EFI volume.

After completing these steps, the device is restarted. Before the operating system starts, a message will appear indicating that the UEFI settings have changed and asking for confirmation. It is essential to accept this prompt for the lock change to take effect.
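The five steps above as a single script, added here as an example (not code from the original article or from Microsoft). Assumptions: the drive letter X: is free, the entry description "DebugTool" and the function name are my own choices, and the GUID of the new loader entry is parsed from bcdedit's output instead of being hard-coded. Reverting the policy or registry value (LsaCfgFlags = 0) is still required, as the text says.

```powershell
#Requires -RunAsAdministrator
# Added example: remove the Credential Guard UEFI lock via a one-time boot of
# SecConfig.efi with the DISABLE-LSA-ISO option. Every bcdedit step is checked
# and the temporary EFI drive letter is always released, even on failure.

function Remove-CredentialGuardUefiLock {
    param([string]$EfiDrive = 'X:')   # temporary drive letter for the EFI system partition

    $secConfig = Join-Path $env:WINDIR 'System32\SecConfig.efi'
    if (-not (Test-Path $secConfig)) { throw "SecConfig.efi not found at $secConfig" }

    # Step 1: mount the EFI system partition and copy the special loader into it.
    & mountvol $EfiDrive /s
    if ($LASTEXITCODE -ne 0) { throw "mountvol $EfiDrive /s failed (exit $LASTEXITCODE)" }
    try {
        Copy-Item -Path $secConfig -Destination "$EfiDrive\EFI\Microsoft\Boot\SecConfig.efi" -Force

        # Step 2: create the loader entry and capture its GUID from the
        # "The entry {guid} was successfully created." message.
        $out = & bcdedit /create /d 'DebugTool' /application osloader 2>&1
        if ($LASTEXITCODE -ne 0) { throw "bcdedit /create failed: $out" }
        $m = [regex]::Match(($out | Out-String), '\{[0-9a-fA-F-]{36}\}')
        if (-not $m.Success) { throw "Could not parse the new entry GUID from: $out" }
        $guid = $m.Value

        # Steps 2 to 4: point the entry at SecConfig.efi on the EFI partition,
        # schedule it for exactly one boot, and pass the DISABLE-LSA-ISO option.
        $steps = @(
            @('/set', $guid, 'path', '\EFI\Microsoft\Boot\SecConfig.efi'),
            @('/set', $guid, 'device', "partition=$EfiDrive"),
            @('/set', '{bootmgr}', 'bootsequence', $guid),
            @('/set', $guid, 'loadoptions', 'DISABLE-LSA-ISO')
        )
        foreach ($a in $steps) {
            & bcdedit @a
            if ($LASTEXITCODE -ne 0) { throw "bcdedit $($a -join ' ') failed (exit $LASTEXITCODE)" }
        }
        Write-Host "Loader entry $guid scheduled. Set LsaCfgFlags to 0 (policy or registry)," `
                   "then reboot and accept the UEFI change prompt."
    }
    finally {
        # Step 5: release the temporary EFI drive letter whatever happened above.
        & mountvol $EfiDrive /d
    }
}

Remove-CredentialGuardUefiLock
```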


Disabling Credential Guard in virtual machines

For virtual machines attached to a Hyper-V host, it is possible to prevent the VM from using VBS and Credential Guard even if the guest operating system is configured for them.

From the host, using PowerShell, you can run the following command to opt the virtual machine out of virtualization-based security:

Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

With this opt-out enabled, the VM runs without VBS protection and, by extension, without Credential Guard, which can be useful in test environments or when running legacy systems inside virtual machines.

Integrating Credential Guard on AWS Nitro and other scenarios

Credential Guard is also available in cloud environments such as Amazon EC2, taking advantage of the secure architecture of the AWS Nitro System. In this context, VBS and Credential Guard rely on Nitro to prevent Windows logon credentials from being extracted from the guest operating system's memory.

To use Credential Guard on Windows on EC2, you need to launch a compatible instance by choosing a supported instance type and a preconfigured Windows AMI that includes virtual TPM and VBS support. This can be done from the Amazon EC2 console, from the AWS CLI with run-instances, or with PowerShell New-EC2Instance, specifying, for example, an image of the style TPM-Windows_Server-2022-English-Full-Base.

In some cases, memory integrity (HVCI) must be disabled before enabling Credential Guard, by adjusting the related group policy "Virtualization Based Protection of Code Integrity". Once this adjustment is made and the instance has been restarted, Credential Guard can be enabled and verified with msinfo32.exe, as on any other Windows machine.

Protection limits and scenarios Credential Guard does not cover

Although Credential Guard is a major step forward in credential protection, it is not a silver bullet that solves everything. Certain scenarios fall outside its scope, and it is important to be aware of them to avoid a false sense of security.

Some examples of what it does not protect:

  • Third-party software that handles credentials outside the standard Windows processes.
  • Local accounts and Microsoft accounts configured on the computer itself.
  • The Active Directory database on Windows Server domain controllers.
  • Logon authentication channels such as Remote Desktop gateway servers.
  • Keyloggers and direct physical attacks on the equipment.

Nor does it prevent an attacker with malware on the computer from using privileges already granted by a valid credential. That is, if a user with elevated permissions connects to a compromised system, the attacker can use those permissions during the session, even though the hash cannot be stolen from protected memory.

For high-value users or accounts (domain administrators, IT staff with access to critical resources, etc.), it is still advisable to use dedicated workstations and additional layers of security, such as multi-factor authentication, network segmentation and anti-keylogger measures.

Device Guard, VBS and the relationship with Credential Guard

Device Guard and Credential Guard are often mentioned together because both use virtualization-based security to harden system protection, although they solve different problems.

Credential Guard focuses on protecting credentials (NTLM, Kerberos, Credential Manager) by isolating them in a protected LSA. It does not depend on Device Guard, although both share the use of the hypervisor and hardware features such as TPM, Secure Boot and IOMMU.

Device Guard, on the other hand, is a set of hardware and software features that let you lock down a device so that it runs only the trusted applications defined in code integrity policies. This changes the usual model (where everything runs unless antivirus software blocks it) to one where only explicitly authorized applications run.

Both features are part of the Windows Enterprise arsenal against advanced threats. Device Guard relies on VBS and requires drivers to comply with HVCI, while Credential Guard uses VBS to isolate authentication secrets. Together they provide a powerful combination: trusted code and better-protected credentials.

Having Credential Guard properly configured means protecting the most sensitive element of any Windows environment: user and computer credentials. Understanding its requirements, knowing how to deploy it via Intune, GPO or the Registry, being aware of its limitations, and having clear procedures to verify its status and disable it in specific scenarios lets you get the most out of this technology without surprises in production.

Related article:
How to protect Windows with Credential Guard, BitLocker, AppLocker, Device Guard and WDAC