With each new release of Windows 10, Microsoft adds new features and security enhancements — and with those come new issues for IT teams. With virtualization becoming the norm for organizations, from large enterprises down to mid-size businesses, interactions and dependencies on multiple systems within an IT landscape can become mission critical, having effects on security and digital innovation.
For organizations that rely on cloud services and virtual machines, the risk of deficiencies in their IT environment increases with each new release. One such deficiency, which many organizations might not even be aware of, is that VMWare versions older than the just released version 6.7 are not supported on Windows 10 with Windows Defender Credential Guard. In this post we will discuss why this is important and what it means to your organization.
What Is Credential Guard? Why Is It Important?
Starting with Windows 10 and Windows Server 2016, Microsoft introduced Windows Defender Credential Guard — one of the main security features of Windows-as-a-Service along with Device Guard and Secure Boot. Essentially, it protects user credentials within and across different user domains in a network.
Prior to Window 10, the Microsoft OS stored the user’s ID and password locally, while Credential Guard creates virtual containers to store domain secrets. This prevents the OS from accessing it directly by leveraging Hyper-V without the need for external virtualization. This way, Credential Guard is able to isolate sensitive data sets (i.e., user credentials) to prevent Pass-the-Hash or Pass-the-Ticket attacks. It also prevents trial and error brute force attacks with randomized full-length hashes.
Since the improved security features were one of the biggest drivers for enterprise adoption of Windows 10, being compatible with Credential Guard can satisfy a mandate from your Security Technology Infrastructure Team.
The Disconnect Between VMWare & Windows 10
The newest iteration of VMWare, Version 6.7 was first released (limited) in April 2018 and then with a GA release in October 2018 (Update 1). This release is the first version that supports Windows 10 Credential Guard.
As you can imagine, VMWare 6.5 not supporting Credential Guard was a big bone of contention for many IT professionals. According to this whitepaper from VMWare, they worked very closely with Microsoft to provide support for Virtualization-Based Security (VBS) in the current release.
So what does that mean for you? If your organization hasn’t upgraded to the latest version of VMWare yet, you most likely fall into one of two camps (you are either running Windows 7 or Windows 10) and you have three options:
- If you are on Windows 7 and you have ample budget: Migrate to Windows 10, upgrade VMWare to 6.7, and do a hardware refresh for your older devices. The improved efficiency and security from these updates will be well worth the investment.
- You are still on Windows 7 but budget is tight: Since the clock is really ticking before extended Windows 7 support runs out in January 2020, migrating to Windows 10 should take precedent. During this upgrade, if any devices/hardware are going to be refreshed as well, make sure the new machines meet the minimum requirements for VMWare 6.7, which are more stringent than those for Windows 10.
- If your organization is already on Windows 10:
- Your end users can work on physical machines or even remote into a VMWare 6.5 host that is built on Windows 10 with Credential Guard enabled, however, this scenario is not officially supported, so if they have to log a support call, VMWare is likely going to tell them they have to upgrade to version 6.7.
- In addition, users can still build virtual hosts on earlier version of VMware on Windows 10 but most likely they will not be able to switch on Credential Guard. Consequently, you should make upgrading to VMWare 6.7 a priority, and an audit should be done to see if your devices meet the minimum requirements. Hopefully, when you made the migration to Windows 10, obsolete machines were upgraded then.
Roadblocks to Upgrading
From my experience, there are generally three reasons why an organization will not go through the expense to upgrade to the latest version of VMWare.
First, they are unaware that this issue even exists. IT departments at large enterprises generally have so many balls up in the air, like fulfilling the demands of their C-Level management to drive or support their company’s Digital Transformation initiatives or just managing the daily flood of support tickets. Unless the issue is brought to the right person’s attention, it will continue to go unnoticed — until it is too late.
Second, if it isn’t broke, don’t fix it. Many organizations have been running their virtual landscape without any major issues and are happy with the current performance. Even though they might be aware of the benefits of an upgrade, they don’t see the possible risk as being worth the investment in upgrading.
The third and final reason is that enterprises just move slowly. It was not uncommon for enterprises to take 2+ years when they upgraded to Windows 7. Plus, we have seen that the organizations that have made the upgrade to Windows 10 have given so much push-back to Microsoft that the EOL dates of the earlier versions of Windows 10 have been pushed out multiple times.
Whatever your situation, you will want to be on the latest version of Windows 10 with Credential Guard switched on to take advantage of the best security features a Microsoft OS has ever had to offer! Considering that the average data breach costs an organization around $3.2 million and the number of massive cyber attacks will only increase in 2019, upgrading your hardware, OS, and VMWare is money well spent.