Skip to main content

Virtual Secure Mode (VSM) in Windows 10 Enterprise

Virtual Secure Mode (VSM) in Windows 10 Enterprise
In Windows 10 Enterprise (only in this edition), a new Hyper-V component has appeared – VirtualSecure Mode (VSM). VSM is a protected container (virtual machine) run on a hypervisor and separated from host Windows 10 host and its kernel. Crucial from the security point of view system components run inside this protected virtual container. No third-party code can be executed in the VSM, and code integrity is constantly checked for modification. This architecture allows to protect data in the VSM, even if the kernel of the host Widows 10 is compromised, because even the kernel cannot access the VSM directly.
VSM container cannot be connected to the network and nobody can get administrative privileges in it. Encryption keys, user authentication data and other crucial information from the compromise point of view can be stored in Virtual Secure Mode container. Thus, a hacker won’t be able to penetrate the corporate structure using locally cached data of the domain user accounts.
Virtual Secure Mode (VSM) in Windows 10
The following system components can work inside the VSM:
  1. LSASS (Local Security Subsystem Service) is a component responsible for authentication and isolation of local users. (Thus, the system is protected from the attacks of “pass the hash” type and such tools, like mimikatz –link1link2.) It means that the passwords (and/or hashes) of user registered in the system cannot become available even for a user with local administrator privileges.
  2. Virtual TPM (vTPM) is a synthetic TPM device for guest machines necessary for encryption of disk contents
  3. The system for monitoring the OS code integrity protects the code against modification
Note. Such security technologies, like Shielded Virtual Machines and Device Guard also work in VSM. A host and a guest OSs can also interact with Virtual Secure Mode container using API interfaces.
To use VSM, the environment has to meet the following hardware requirements:
  • UEFISecure Boot and Trusted Platform Module (TPM) support for secure key storage
  • Hardware virtualization support (VT-x, AMD-V or later)

How to Enable Virtual Secure Mode (VSM) in Windows 10

Let’s see how to enable Virtual Secure Mode Windows 10.
  • UEFI Secure Boot must be enabled.
  • Windows 10 has to be included in the domain. (VSM protects only domain user accounts, not local ones.)
  • Hyper-V role has to be installed in Windows 10. (In our case, we had to install Hyper-V Platform first, and then we installed Hyper-V Management Tools)Hyper-V role on Windows 10
  • Virtual Secure Mode (VSM) has to be enabled in a special policy in the Group Policy Editor (gpedit.msc): Computer Configuration -> Administrative templates -> System -> Device Guard -> Turn on Virtualization Based SecurityEnable this policy and select Secure Bootoption in Select Platform security level. Also check Enable Credential Guard (LSA isolation) here. Turn on Virtualization Based Security
  • And the last thing to do is to configure BCD to start Windows 10 in the VSM:
    bcdedit /set vsmlaunchtype auto
  • Restart your computer

How to Make Sure That the VSM Is On

You can make sure that the VSM is active if Secure System process is present in the Task Manager.
Secure System process in Task Manager
Or if there is the event “Credential Guard (Lsalso.exe) was started and will protect LSA credential” in the system log.
Credential Guard (Lsalso.exe) was started and will protect LSA credential

How to Test VSM Security

Log in with a domain account to the machines with the VSM enabled and run the following mimikatz command with the local administrator privileges:
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
We can see that LSA is running in an isolated environment and user password hashes cannot be obtained.
mimikatz sekurlsa logonpasswords
If you do the same on a machine with the VSM disabled, we can get NTLM hash of a user password, which can be used in pass-the-hash attacks.

Comments

Post a Comment

Popular posts from this blog

sxhkd volume andbrightness config for dwm on void

xbps-install  sxhkd ------------ mkdir .config/sxhkd cd .config/sxhkd nano/vim sxhkdrc -------------------------------- XF86AudioRaiseVolume         amixer -c 1 -- sset Master 2db+ XF86AudioLowerVolume         amixer -c 1 -- sset Master 2db- XF86AudioMute         amixer -c 1 -- sset Master toggle alt + shift + Escape         pkill -USR1 -x sxhkd XF86MonBrightnessUp          xbacklight -inc 20 XF86MonBrightnessDown          xbacklight -dec 20 ------------------------------------------------------------- amixer -c card_no -- sset Interface volume run alsamixer to find card no and interface names xbps-install -S git git clone https://git.suckless.org/dwm xbps-install -S base-devel libX11-devel libXft-devel libXinerama-devel  vim config.mk # FREETYPEINC = ${X11INC}/freetype2 #comment for non-bsd make clean install   cp config.def.h config.h vim config.h xbps-install -S font-symbola #for emoji on statusbar support     void audio config xbps-i
1 comment
Read more

Hidden Wiki

Welcome to The Hidden Wiki New hidden wiki url 2015 http://zqktlwi4fecvo6ri.onion Add it to bookmarks and spread it!!! Editor's picks Bored? Pick a random page from the article index and replace one of these slots with it. The Matrix - Very nice to read. How to Exit the Matrix - Learn how to Protect yourself and your rights, online and off. Verifying PGP signatures - A short and simple how-to guide. In Praise Of Hawala - Anonymous informal value transfer system. Volunteer Here are five different things that you can help us out with. Plunder other hidden service lists for links and place them here! File the SnapBBSIndex links wherever they go. Set external links to HTTPS where available, good certificate, and same content. Care to start recording onionland's history? Check out Onionland's Museum Perform Dead Services Duties. Introduction Points Ahmia.fi - Clearnet search engine for Tor Hidden Services (allows you
5 comments
Read more

download office 2021 and activate

get office from here  https://tb.rg-adguard.net/public.php open powershell as admin (win+x and a ) type cmd  goto insall dir 1.         cd /d %ProgramFiles(x86)%\Microsoft Office\Office16 2.           cd /d %ProgramFiles%\Microsoft Office\Office16 try 1 or 2 depending on installation  install volume license  for /f %x in ('dir /b ..\root\Licenses16\ProPlus2021VL_KMS*.xrm-ms') do cscript ospp.vbs /inslic:"..\root\Licenses16\%x" activate using kms cscript ospp.vbs /setprt:1688 cscript ospp.vbs /unpkey:6F7TH >nul cscript ospp.vbs /inpkey:FXYTK-NJJ8C-GB6DW-3DYQT-6F7TH cscript ospp.vbs /sethst:s8.uk.to cscript ospp.vbs /act Automatic script (windefender may block it) ------------------------------------------------------------------------------------------------------------------- @echo off title Activate Microsoft Office 2021 (ALL versions) for FREE - MSGuides.com&cls&echo =====================================================================================&
Post a Comment
Read more