问题

凭证守卫

b
徽章 +1
可以通过GPO启用凭证守护,以供在AHV中运行的2016年服务器?还是仅适用于在HyperV主机上运行的服务器?
    该主题已关闭以供评论

    5个答复

    s
    我也想学习这一点。我认为AHV不支持它。这是我到目前为止发现的

    https://docs.microsoft.com/en-us/windows/security/indesity-protection/credential-guard/credential-guard-requirentess

    硬件和软件要求

    为了提供针对OS级别的基本保护,试图阅读凭据Manager域凭据,NTLM和Kerberos衍生的凭据,Windows Defender凭据Guard使用:
    • 支持基于虚拟化的安全性(必需)
    • 固定靴子(必需)
    • TPM 1.2或2.0,无论是离散或固件(首选 - 提供对硬件的绑定)
    • UEFI锁(首选 - 防止攻击者使用简单的注册表密钥更改禁用)
    https://portal.nutanix.com/#/page/docs/details?targetID=AHV-ADMIN-GUIDE-V51:VMM-VM-VM-VM-DRIVER-DRIVER-TYPES-R.HTML

    统一的可扩展固件接口(UEFI)支持来宾VM

    AHV不支持在UEFI模式下创建的VM。
    \r\n
    \r\nhttps:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/credential-guard\/credential-guard-requirements<\/a>
    \r\n
    \r\n

    Hardware and software requirements<\/h2>To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
    \r\n

    s
    现在应该已经改变了。显然,您可以设置“ uefi_boot = true” ..如果起作用,请分享。我也希望为AHV VM设置凭证守护。

    https://portal.nutanix.com/#/page/docs/details?targetId=amf_guide-acr_v4_6:vm__vm__vm_driver_types_r.html

    “ SSH进入Nutanix accolis并运行以下命令:acli vm.update uefi_boot = true。”
    https://docs.citrix.com/en-us/provisioning/current-release/citrix-provisioning-1909.pdf
    s
    徽章 +3

    没有人回馈吗?

    显然,VMware也支持这一点:

    https://blogs.vmware.com/vsphere/2018/05/introducing-support-virtualization-security-credential-credential-guard-vsphere-6-7.html

    那么,有人将其用于AHV吗?

    阿罗纳
    秩
    UserLevel 6
    徽章 +5

    嗨,Stevecharon和 @sunilm

    Windows Defender凭证守卫的支持肯定即将到来。我现在无法透露细节。我只能说很快。

    我还想鼓励您查看与您正在运行的版本最相关的文档。

    自5.11以来,UEFI Guest VM得到了支持。AHV管理指南5.15:UEFI对VM的支持。

    Hi stevecharon and @SunilM<\/user-mention><\/p>

    Support of Windows Defender Credential Guard is definitely coming. I am not able to disclose the details right now. All I can say is soon.<\/p>

    I would like to also encourage you to look at the document that is the most relevant to the version you are running on.<\/p>

    UEFI guest VMs have been supported since 5.11.\u00a0 AHV Administration Guide 5.15: UEFI Support for VM.<\/a><\/p>","quoteUsername":"Alona","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

    j

    Nutanix VM上的凭证守护状态是什么?我已经使用UEFI创建了一个新的VM,启用了Secure Boot和启用凭证Guard,但我无法正常工作。GPO启用了凭证守卫,但仍不会运行。当我查看设备安全性时,它说“不支持标准硬件安全性”,并且TPM.MSC中没有兼容TPM。

    What is the status of Credential Guard on Nutanix VMs? I have created a new VM with UEFI, Secure boot and Credential Guard enabled, but I can\u2019t get it to work. Credential Guard\u00a0is enabled with GPO, but still will not run. When I look at device security, it says \u201cStandard hardware security not supported\u201d and there is no compatible TPM shown in tpm.msc.<\/p>","quoteUsername":"jshaw7","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
    条款和条件
    Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
    Functional","cookiepolicy.modal.level2":"Normal
    Functional + analytics","cookiepolicy.modal.level3":"Complete
    Functional + analytics + social media + embedded videos"}}}">
    Baidu