Intro I am beginning this series to share my vast knowledge of one of the most important Microsoft Windows Security features and how you can build layers of basic and advanced security on it to protect single and domain-joined Windows computers and servers from security vulnerabilities and attacks.
Background A few years ago, I found myself in a situation with the requirements to build a Credential Provider to provide 2-factor authentication for Windows and Server operating systems. I must confess that it wasn't easy to get resources online from Microsoft and also from third parties or anyone that has walked the same path. I am not going to talk about GINA and all its shortcomings. This guide will address only modern implementations and usages.
Samples by Microsoft Microsoft has provided a lot of samples that implements very basic features of the Credential Providers and the scenarios available but this also isn't enough to help as they're filled with comments like this:
// [The logonUI team says, "The original sample that
// this was built on top of didn't have SetSerialization. And when we decided SetSerialization was
// important enough to have in the sample, it ended up being a non-trivial amount of work to integrate
// it into the main sample. We felt it was more important to get these samples out to you quickly than to
// hold them in order to do the work to integrate the SetSerialization changes from SampleCredentialProvider
// into this sample.]
Clip from GitHub The full sample can be found here: GitHub: Windows Classic Samples
Microsoft has also provided samples for Windows 7 Credentials which can as well be compiled for other OS like Vista, Windows 10 and Windows Server variants.
Microsoft Resources
I won't be repeating any of the information Microsoft has provided already on their docs. You should read more about the concepts here:
Credential Providers in Windows 10
Winlogon and Credential Providers
The links above will give you a good idea of the setups and interfaces exposed by Windows from which you can build your security features.
Requirements
A good background of C++ and objective C.
A Windows Computer with Windows SDK and Libraries installed for various versions of Windows.
Visual Studio installed with C++ tools and other supporting packages.
A test computer or a VM running Windows. Never use your primary computer to test Windows Credential
Applications Providing additional security to Windows can be achieved through any or a combination of these:
- Password
- Pin
- Picture Swipe
- Hardware Token
- Soft Toten
- Fingerprint
- Smart Card
- Face/ iris Scan
- Quizzes, etc
You can basically create anything cool to authenticate Windows in addition to any of the listed methods above.
I am going to walk you through implementing these.