We are using VBS (Credential Guard and HVCI) on all our new servers that are running on VMware.
It's a really cool feature, but we are limited by the fact that we can't hot-add memory on our SQL servers.
Hot-add memory and CPU will not operate for Windows virtual machines when Virtualization Based Secur...
So I'm trying to figure out how big the risk is of disabling it on a handful of SQL Servers.
From my understanding, we would be vulnerable to:
1. Dumping the lsass process and performing an NTLM attack
(Our SQL Servers are very limited as to who can access them, and they are automatically logged out after 6 hours of inactivity - also SQL Management Studio isn't installed on the SQL Server - so people never RDP to them)
2. Memory injections - Memory integrity enablement | Microsoft Learn
I'm not saying that these things are not serious, but from my understanding the attack surface is very small on the SQL Servers, since we have already taken several other security measures to further limit potential exploits based on Microsoft's best practice.
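
An added example, not part of the original post: a PowerShell check that reports, per server, whether VBS, Credential Guard and HVCI are configured and actually running, so that any exceptions made for SQL servers are explicit and verifiable. It reads the `Win32_DeviceGuard` CIM class; the function names `ConvertTo-VbsState` and `Get-VbsState` and the server names are hypothetical, and the sample object is constructed.

```powershell
# Decode a Win32_DeviceGuard instance (or an object shaped like one).
# SecurityServices* values: 1 = Credential Guard, 2 = HVCI (memory integrity).
function ConvertTo-VbsState {
    param(
        [Parameter(Mandatory)] $DeviceGuard,
        [string] $ComputerName = 'localhost'
    )
    $vbsStatus = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    [pscustomobject]@{
        ComputerName              = $ComputerName
        VbsStatus                 = $vbsStatus[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = $DeviceGuard.SecurityServicesConfigured -contains 1
        CredentialGuardRunning    = $DeviceGuard.SecurityServicesRunning -contains 1
        HvciConfigured            = $DeviceGuard.SecurityServicesConfigured -contains 2
        HvciRunning               = $DeviceGuard.SecurityServicesRunning -contains 2
    }
}

# Query one or more servers over CIM/WinRM and decode the result.
function Get-VbsState {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($name in $ComputerName) {
        try {
            $dg = Get-CimInstance -ComputerName $name `
                -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                -ClassName Win32_DeviceGuard -ErrorAction Stop
            ConvertTo-VbsState -DeviceGuard $dg -ComputerName $name
        }
        catch {
            # Unreachable host or missing class: report it instead of silently skipping.
            [pscustomobject]@{ ComputerName = $name; VbsStatus = "QueryFailed: $($_.Exception.Message)" }
        }
    }
}

# Constructed sample: VBS running, both services configured, only Credential Guard running.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(1)
}
ConvertTo-VbsState -DeviceGuard $sample -ComputerName 'SAMPLE-SQL01'

# Real use against placeholder server names:
# Get-VbsState -ComputerName 'SQL01', 'SQL02' | Format-Table -AutoSize
```

A server where a feature shows as configured but not running is worth a closer look, since policy and actual state disagree.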