The harvest and reuse of symmetric credentials has become a linchpin of system breaches. Under the guise of Pass-the-Hash, attackers are adept at reusing not only passwords, but derivatives such as hashes and keys. Windows 10 brings strong isolation of these artifacts, defeating Pass-the-Hash attacks originating from clients.
Legacy protocols such as Kerberos and NTLM are broadly deployed and will be vulnerable to attack for many years to come. Business needs dictate that Pass-the-Hash mitigations must work within the limitations of these protocols. In such an environment, how can Pass-the-Hash be stopped?The answer is a new level of OS isolation, based on virtualization technology. Hashes, keys, and other secrets are sequestered within physical memory not even the kernel may read. If an attacker cannot read the secrets, the attacker cannot reuse them.In this talk, we give an overview of the isolation technology. In addition, we answer questions such as: How does Windows 10 guarantee isolation of secrets? How does this go beyond simple client security? Can this even be achieved without major protocol revisions?