With each new release of Windows 10, Microsoft adds new features and security enhancements — and with those come new issues for IT teams. With virtualization becoming the norm for organizations, from large enterprises down to mid-size businesses, interactions and dependencies on multiple systems within an IT landscape can become mission critical, having effects on security and digital innovation.
For organizations that rely on cloud services and virtual machines, the risk of deficiencies in their IT environment increases with each new release. One such deficiency, which many organizations might not even be aware of, is that VMware versions older than the just-released version 6.7 are not supported on Windows 10 with Windows Defender Credential Guard. In this post we will discuss why this is important and what it means for your organization.
Starting with Windows 10 and Windows Server 2016, Microsoft introduced Windows Defender Credential Guard — one of the main security features of Windows-as-a-Service along with Device Guard and Secure Boot. Essentially, it protects user credentials within and across different user domains in a network.
Prior to Windows 10, the Microsoft OS stored the user’s ID and password locally, while Credential Guard creates virtual containers to store domain secrets. By leveraging Hyper-V, without the need for external virtualization, this prevents the OS from accessing those secrets directly. This way, Credential Guard is able to isolate sensitive data sets (i.e., user credentials) to prevent Pass-the-Hash or Pass-the-Ticket attacks. It also prevents trial-and-error brute-force attacks with randomized full-length hashes.
Since the improved security features were one of the biggest drivers for enterprise adoption of Windows 10, being compatible with Credential Guard can satisfy a mandate from your Security Technology Infrastructure Team.
The newest iteration of VMware, version 6.7, was first released (limited) in April 2018, followed by a GA release in October 2018 (Update 1). This release is the first version that supports Windows 10 Credential Guard.
As you can imagine, VMware 6.5 not supporting Credential Guard was a big bone of contention for many IT professionals. According to this whitepaper from VMware, the company worked very closely with Microsoft to provide support for Virtualization-Based Security (VBS) in the current release.
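To confirm whether Credential Guard is actually running on a given Windows 10 machine, including a VMware guest, you can query the `Win32_DeviceGuard` WMI class. The following is an added example, not part of the original post; the function name `Get-CredentialGuardState` and the output property names are hypothetical.

```powershell
# Added example (not from the original post): report VBS / Credential Guard state.
# Run in an elevated PowerShell session on the Windows 10 machine or guest.
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard exposes the virtualization-based security (VBS) state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    # Manufacturer is used to tell whether this is a VMware guest.
    $cs = Get-CimInstance -ClassName 'Win32_ComputerSystem'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsText = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # In SecurityServicesConfigured / SecurityServicesRunning, the value 1 is Credential Guard.
    # In AvailableSecurityProperties, 1 = hypervisor support and 2 = Secure Boot.
    $state = [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        IsVMwareGuest             = $cs.Manufacturer -like 'VMware*'
        HypervisorSupport         = $dg.AvailableSecurityProperties -contains 1
        SecureBootAvailable       = $dg.AvailableSecurityProperties -contains 2
        VbsStatus                 = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning    = $dg.SecurityServicesRunning -contains 1
    }

    # Policy set but service not running: typical when the platform underneath
    # (for example an unsupported hypervisor version) does not expose VBS to the guest.
    if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
        Write-Warning 'Credential Guard is configured but not running on this machine.'
    }
    if ($state.IsVMwareGuest -and -not $state.HypervisorSupport) {
        Write-Warning 'VMware guest without hypervisor support exposed; VBS cannot start.'
    }

    $state
}

Get-CredentialGuardState | Format-List
```

A machine where `CredentialGuardConfigured` is true but `CredentialGuardRunning` is false is the case worth flagging in an inventory, since the policy is set but the protection is not in effect.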
So what does that mean for you? If your organization hasn’t upgraded to the latest version of VMware yet, you most likely fall into one of two camps (you are either running Windows 7 or Windows 10) and you have three options:
From my experience, there are generally three reasons why an organization will not go through the expense of upgrading to the latest version of VMware.
First, they are unaware that this issue even exists. IT departments at large enterprises generally have many balls in the air, such as fulfilling the demands of their C-level management to drive or support their company’s Digital Transformation initiatives, or just managing the daily flood of support tickets. Unless the issue is brought to the right person’s attention, it will continue to go unnoticed — until it is too late.
Second, if it isn’t broke, don’t fix it. Many organizations have been running their virtual landscape without any major issues and are happy with the current performance. Even though they might be aware of the benefits of an upgrade, they don’t see the possible risk as being worth the investment in upgrading.
The third and final reason is that enterprises just move slowly. It was not uncommon for enterprises to take 2+ years when they upgraded to Windows 7. Plus, we have seen that the organizations that have made the upgrade to Windows 10 have given so much push-back to Microsoft that the EOL dates of the earlier versions of Windows 10 have been pushed out multiple times.
Whatever your situation, you will want to be on the latest version of Windows 10 with Credential Guard switched on to take advantage of the best security features a Microsoft OS has ever had to offer! Considering that the average data breach costs an organization around $3.2 million and the number of massive cyber attacks will only increase in 2019, upgrading your hardware, OS, and VMware is money well spent.