Actions:
2015-12-16 17:27 AEST by Arthur Barrett - test Microsoft 'credential guard' with CVSNT client / server and SSPI
'Devastating' flaw found in Windows' authentication system - recommend 'credential guard'
http://theregister.co.uk/2015/12/15/devastating_flaw_in_windows_authentication/
The 'credential guard' seems to be new in Windows 10 Enterprise:
https://technet.microsoft.com/en-us/library/mt483740(v=vs.85).aspx
By deploying authentication policies with compound authentication in Windows Server 2012 R2 or
later domains, users can be restricted to only sign on from specific domain-joined devices. However,
since devices also use shared secrets for authentication, attackers can steal those secrets as well.
By deploying device certificates with Credential Guard, authentication policies can require that the
device authenticates with its private key. This prevents shared secrets on stolen devices from being used
together with stolen user passwords or Kerberos secret keys to sign on as the user.
Device certificate authentication has the following requirements:
- Device domains are Windows Server 2012 or higher and all domain controllers have certificates,
which satisfy strict KDC validation (KDC EKU present and the DNS domain name matches the
DNSName field of the SubjectAltName (SAN) extension).
- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device, in the same way
you would establish the identity and trustworthiness of a user before issuing them a smart card.
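A check for the two strict-KDC-validation conditions listed above (KDC Authentication EKU present, DNS domain name in the SAN) plus a check that Credential Guard is actually running, as an added PowerShell example; it is not part of this ticket and not code from Microsoft or the CVSNT project. Assumptions: the certificate part is run in an elevated prompt on the domain controller and takes the DNS domain from Win32_ComputerSystem; the Credential Guard part is run on the Windows 10 client and reads the Win32_DeviceGuard WMI class (present on Windows 10 and later), where the value 1 in SecurityServicesRunning means Credential Guard. The EKU OID 1.3.6.1.5.2.3.5 is the documented "KDC Authentication" purpose.

```powershell
# Added example, not from the original ticket or from Microsoft's documentation.
# Part 1 (run on a DC): does each certificate with a private key in the machine
# store satisfy strict KDC validation?  Part 2 (run on the Win10 client): is
# Credential Guard actually running?

$KdcAuthEku = '1.3.6.1.5.2.3.5'   # "KDC Authentication" EKU (id-pkinit-KPKdc)
$SanOid     = '2.5.29.17'         # subjectAltName extension

function Test-KdcCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)]
        [string]$Domain          # DNS domain name that must appear in the SAN
    )

    # Condition 1: the KDC Authentication EKU must be present.
    $hasKdcEku = @($Cert.EnhancedKeyUsageList.ObjectId) -contains $KdcAuthEku

    # Condition 2: the DNS domain name must be one of the SAN dNSName entries.
    # Format($true) renders the extension one entry per line, e.g.
    # "DNS Name=corp.example", so pull the names out with a regex.
    $dnsNames = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        $dnsNames = @($san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }
    $domainInSan = $dnsNames -contains $Domain

    [pscustomobject]@{
        Thumbprint  = $Cert.Thumbprint
        Subject     = $Cert.Subject
        HasKdcEku   = $hasKdcEku
        SanDnsNames = ($dnsNames -join ', ')
        DomainInSan = $domainInSan
        StrictKdcOk = ($hasKdcEku -and $domainInSan)
    }
}

function Test-CredentialGuardRunning {
    # Assumption: Win32_DeviceGuard exists (Windows 10 / Server 2016 and later).
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ErrorAction Stop
    [pscustomobject]@{
        VirtualizationBasedSecurityStatus = $dg.VirtualizationBasedSecurityStatus  # 2 = running
        CredentialGuardConfigured         = (@($dg.SecurityServicesConfigured) -contains 1)
        CredentialGuardRunning            = (@($dg.SecurityServicesRunning)    -contains 1)
    }
}

# --- Part 1: DC certificate check (run on the domain controller) ---
$DnsDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
Write-Host "Checking machine certificates against DNS domain '$DnsDomain'"
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-KdcCertificate -Cert $_ -Domain $DnsDomain } |
    Format-Table -AutoSize

# --- Part 2: Credential Guard state (run on the Windows 10 client) ---
try {
    Test-CredentialGuardRunning | Format-List
} catch {
    Write-Warning "Win32_DeviceGuard not available on this host: $_"
}
```

A certificate that reports StrictKdcOk = False on the DC means the device-certificate policy will not take effect even if Credential Guard is enabled on the client, so run both parts before testing the CVSNT SSPI logon. A client that reports CredentialGuardConfigured = True but CredentialGuardRunning = False usually still needs the Hyper-V / virtualization-based-security prerequisites and a reboot.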