问题

凭证守卫

b
徽章 +1
可以通过GPO启用凭证守护,以供在AHV中运行的2016年服务器?还是仅适用于在HyperV主机上运行的服务器?

    5个答复

    s
    我也想学习这一点。我认为AHV不支持它。这是我到目前为止发现的

    https://docs.microsoft.com/en-us/windows/security/indesity-protection/credential-guard/credential-guard-requirentess

    硬件和软件要求

    为了提供针对OS级别的基本保护,试图阅读凭据Manager域凭据,NTLM和Kerberos衍生的凭据,Windows Defender凭据Guard使用:
    • 支持基于虚拟化的安全性(必需)
    • 固定靴子(必需)
    • TPM 1.2或2.0,无论是离散或固件(首选 - 提供对硬件的绑定)
    • UEFI锁(首选 - 防止攻击者使用简单的注册表密钥更改禁用)
    https://portal.nutanix.com/#/page/docs/details?targetID=AHV-ADMIN-GUIDE-V51:VMM-VM-VM-VM-DRIVER-DRIVER-TYPES-R.HTML

    统一的可扩展固件接口(UEFI)支持来宾VM

    AHV不支持在UEFI模式下创建的VM。
    \r\n
    \r\nhttps:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/credential-guard\/credential-guard-requirements<\/a>
    \r\n
    \r\n

    Hardware and software requirements<\/h2>To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
    \r\n

    s
    现在应该已经改变了。显然,您可以设置“ uefi_boot = true” ..如果起作用,请分享。我也希望为AHV VM设置凭证守护。

    https://portal.nutanix.com/#/page/docs/details?targetId=amf_guide-acr_v4_6:vm__vm__vm_driver_types_r.html

    “ SSH进入Nutanix accolis并运行以下命令:acli vm.update uefi_boot = true。”
    https://docs.citrix.com/en-us/provisioning/current-release/citrix-provisioning-1909.pdf
    s
    徽章 +3

    没有人回馈吗?

    显然,VMware也支持这一点:

    https://blogs.vmware.com/vsphere/2018/05/introducing-support-virtualization-security-credential-credential-guard-vsphere-6-7.html

    那么,有人将其用于AHV吗?

    阿罗纳
    秩
    UserLevel 6
    徽章 +5

    嗨,Stevecharon和 @sunilm

    Windows Defender凭证守卫的支持肯定即将到来。我现在无法透露细节。我只能说很快。

    我还想鼓励您查看与您正在运行的版本最相关的文档。

    自5.11以来,UEFI Guest VM得到了支持。AHV管理指南5.15:UEFI对VM的支持。

    Hi stevecharon and @SunilM<\/user-mention><\/p>

    Support of Windows Defender Credential Guard is definitely coming. I am not able to disclose the details right now. All I can say is soon.<\/p>

    I would like to also encourage you to look at the document that is the most relevant to the version you are running on.<\/p>

    UEFI guest VMs have been supported since 5.11.\u00a0 AHV Administration Guide 5.15: UEFI Support for VM.<\/a><\/p>","quoteUsername":"Alona","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

    j

    Nutanix VM上的凭证守护状态是什么?我已经使用UEFI创建了一个新的VM,启用了Secure Boot和启用凭证Guard,但我无法正常工作。GPO启用了凭证守卫,但仍不会运行。当我查看设备安全性时,它说“不支持标准硬件安全性”,并且TPM.MSC中没有兼容TPM。

    What is the status of Credential Guard on Nutanix VMs? I have created a new VM with UEFI, Secure boot and Credential Guard enabled, but I can\u2019t get it to work. Credential Guard\u00a0is enabled with GPO, but still will not run. When I look at device security, it says \u201cStandard hardware security not supported\u201d and there is no compatible TPM shown in tpm.msc.<\/p>","quoteUsername":"jshaw7","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

    回复


    Baidu