Risk of disabling VBS

Kristian Leth 16 Reputation points
2023-03-21T07:27:53.4533333+00:00

Hi,

We are using VBS (Credential Guard and HVCI) on all our new servers, which are running on VMware.

It's a really cool feature, but we are limited by the fact that we can't hot-add memory on our SQL servers.

Hot-add memory and CPU will not operate for Windows virtual machines when Virtualization Based Secur...

So I'm trying to figure out how big the risk is of disabling it on a handful of SQL Servers.

From my understanding, we would be vulnerable to:

  1. Dumping the lsass process, and performing an NTLM attack

  (Our SQL Servers are very limited as to who can access them, and they are automatically logged out after 6 hours of inactivity - also SQL Management Studio isn't installed on the SQL Server - so people never RDP to them)

  2. Memory injections - Memory integrity enablement | Microsoft Learn

I'm not saying that these things are not serious, but from my understanding, the attack surface is very small on the SQL Servers - since we have already taken several other security measures to further limit potential exploits, based on Microsoft's best practice.

Any thoughts?
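
As an added example (not part of the question or the answer): a PowerShell inventory that reports, per server, whether VBS, Credential Guard and HVCI are actually running, so the handful of exceptions can be tracked and re-checked rather than forgotten. It reads the Win32_DeviceGuard CIM class; the server names are placeholders and remote CIM (WinRM) access is assumed.

```powershell
# Added example, not code from the question or answer.
# Placeholder server names: replace with the SQL servers under review.
$servers = @('SQL01', 'SQL02', 'SQL03')

# Value decoding for Win32_DeviceGuard, per Microsoft's documentation of the class.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI';
                3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }

function Get-VbsState {
    param([string]$ComputerName)
    $dg = Get-CimInstance -ComputerName $ComputerName `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning / SecurityServicesConfigured are arrays of service codes.
    $running    = @($dg.SecurityServicesRunning)    | ForEach-Object { $services[[int]$_] }
    $configured = @($dg.SecurityServicesConfigured) | ForEach-Object { $services[[int]$_] }
    [pscustomobject]@{
        Server          = $ComputerName
        VbsStatus       = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuard = ($running -contains 'Credential Guard')
        HVCI            = ($running -contains 'HVCI')
        # Configured but not running usually means a reboot or a platform prerequisite is missing.
        ConfiguredOnly  = ($configured | Where-Object { $_ -and ($running -notcontains $_) }) -join ', '
    }
}

$report = foreach ($s in $servers) {
    try { Get-VbsState -ComputerName $s }
    catch {
        [pscustomobject]@{ Server = $s; VbsStatus = "Query failed: $($_.Exception.Message)";
                           CredentialGuard = $null; HVCI = $null; ConfiguredOnly = '' }
    }
}

# Servers where the exception applies show CredentialGuard/HVCI = False; keep that
# list as the documented exception set and run this on a schedule to catch drift.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.CredentialGuard -or -not $_.HVCI } |
    Export-Csv -Path '.\vbs-exceptions.csv' -NoTypeInformation
```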

  1. Limitless Technology 43,931 Reputation points
    2023-03-21T15:15:31.3633333+00:00

    Hello there,

    HVCI is a feature that uses VBS to conduct integrity checks on programs. In simple words, attackers have a tough time when VBS is active. So, turning it off leaves you exposed to kernel-level attacks. If you are someone who uses their system for confidential official work, it is best to keep VBS enabled.

    Virtualization-based security, or VBS, uses hardware virtualization and the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised.

    https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--