VMware Cloud Community

Risk of disabling VBS



We are using VBS (Credential Guard and HVCI) on all our new servers, that are running on VMware.

Its a really cool feature, but we are limited by the fact, that we cant hot-add memory on our SQL servers.

Hot-add memory and CPU will not operate for Windows virtual machines when Virtualization Based Secur...


So im trying to figure out, how big the risk is, of disabling it from a handful of SQL Servers.

From my understanding, we would be vulnerable to:

1. Dumping the lsass process, and perform a NTLM attack

(Our SQL Servers are very limited to who can access them, and they are automatically logged out after 6 hours of inactivity - also SQL Management studio isnt installed on the SQL Server - so people never RDP to them)


2. Memory injections - Memory integrity enablement | Microsoft Learn


Im not saying that these things are not serious, but from my understanding, the attack surface is very small on the SQL Servers - since we have already taken several other security measures, to further limit potential exploits based on Microsofts best practice.


Any thoughts?

0 Kudos
0 Replies