Why you should not enable Credential Guard on Domain Controllers?


Credential guard protects the credential derivatives like NTLM hash and Kerberos tickets; this TechNet article has a very detailed explanation as well as deployment guidelines. There was a recent change in this article to call out the following:

Warning
Enabling Credential Guard on domain controllers is not supported. The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.

I would like to share my learnings on why you should not enable Credential Guard on Domain Controllers.

Credential guard protects credentials in LSASS memory; it does not protect credentials stored on disks. On domain controllers, it does not protect credentials that are stored in the active directory SAM database.

In a production environment, you should restrict user access to a domain controller in order to protect the assets on that domain controller. If someone manages to get (unauthorized) access to it, and able to retrieve information in LSASS memory, that means the person already acquired domain admin privilege, and Credential Guard adds no value in that case.

Given that there is no added security benefit, we decided not to support Credential Guard on domain controllers.


Comments (0)

Skip to main content