Spectre. Have you enabled or just installed the patches?

Image: Spectre and Meltdown icons
By Peter Holland on

Spectre and Meltdown. A lot has been said about the risks and potential effects of these vulnerabilities. However, amongst all the noise around the status of firmware, patches, performance impact and so on, there is something that has maybe not been made clear enough: the difference in how the Microsoft patches are applied on the client OS versus the Server OS.

On the client OS, Microsoft provides the following information (quite a way down the information page):

 

Image: Spectre Security fix enablement message

 

Whereas on the Server patch information page Microsoft provides the following titbit:

 

Image: Enabling protections on the server message

 

Having talked to a number of organisations about patching, or brought up the Spectre patches with them whilst discussing other topics, it has become evident that some organisations that look after their own patching have rushed to push the patches out to the server environment … and that is all.

 

What needs to be done to protect you from Spectre?

The Server OS Spectre patches need a few registry keys to be set, and another system reboot, in order to actually enable the functionality of the patches (mitigate the vulnerability).

As per the above linked Microsoft Support article, the registry keys that are needed to enable the vulnerability mitigation are:

Two DWORD keys in registry path “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management”

  • FeatureSettingsOverride = 0
  • FeatureSettingsOverrideMask = 3

One String key in registry path “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization”

  • MinVmVersionForCpuBasedMitigations = 1.0

 

This will not be done for you automatically!

 

Inevitably this needs to be deployed through a centralised, manageable approach, and one where you can obtain some reporting to confirm that this has been set and applied. The methods I have used so far to deploy these settings are:

  • Group Policy Object (GPO) – preference setting
  • SCCM – PowerShell/CMD script
  • Intune – PowerShell script

Simply put, the commands that you need to run (or a variant depending on the tools used, such as native PowerShell cmdlets like New-ItemProperty) are the following, which Microsoft have provided in the support article:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

The benefit of using SCCM or Intune to deploy these settings is the ability to add validation, confirming that the registry keys have actually taken effect.
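The following is an added example, not code from the original post or from Microsoft: a single PowerShell script that writes the three values quoted above only where they are missing or wrong, then re-reads them and returns a non-zero exit code on drift, so SCCM or Intune can report compliance per host. The registry paths and values are those from the post; the structure, function names and exit-code convention are this example's own assumptions.

```powershell
# Added example (not from the original post): set and verify the three registry
# values from the Microsoft article. Intended to run as SYSTEM under SCCM/Intune.
# Exit code 0 = all values present and correct; 1 = drift remains after writing.
# Paths and values come from the post; the rest of the script is assumed.

$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'FeatureSettingsOverride';     Type = 'DWord';  Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'FeatureSettingsOverrideMask'; Type = 'DWord';  Value = 3 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
       Name = 'MinVmVersionForCpuBasedMitigations'; Type = 'String'; Value = '1.0' }
)

function Test-Setting {
    param($Setting)
    # Returns $true only when the value exists and matches exactly.
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.($Setting.Name) -eq $Setting.Value)
}

$rebootNeeded = $false
foreach ($s in $Settings) {
    if (Test-Setting $s) { continue }          # already correct, nothing to do
    if (-not (Test-Path $s.Path)) {            # the Virtualization key may not exist yet
        New-Item -Path $s.Path -Force | Out-Null
    }
    # -Force overwrites an existing value that has the wrong type or data.
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
    $rebootNeeded = $true
}

# Re-read everything after writing; this is the validation SCCM/Intune can report on.
$failed = $Settings | Where-Object { -not (Test-Setting $_) }
if ($failed) {
    $failed | ForEach-Object { Write-Output "MISSING: $($_.Path)\$($_.Name)" }
    exit 1
}
if ($rebootNeeded) { Write-Output 'Settings written; a reboot is required before the mitigations are active' }
else               { Write-Output 'Settings already present' }
exit 0
```

Running the same script a second time returns exit 0 without touching the registry, which makes it safe to schedule repeatedly; the "reboot required" line is the cue the text above stresses, since the keys alone do nothing until the server restarts.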

 

Protection validation

Microsoft has very helpfully provided a standalone PowerShell module “SpeculationControl” which performs checks on the current patching and configuration of the Server or client and reports what state of protection is currently enabled.

Image: Windows PowerShell screen

Unfortunately, this module doesn't support execution against remote hosts, so running full validation of the environment's protection status will require further scripting to install, import, run, validate, and report on the status output of the SpeculationControl module.
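One way to do that scripting, as an added example that is not part of the original post: run the module on each server through Invoke-Command over WinRM and collect one row per host. It assumes WinRM is enabled, that the running account is a local administrator on each target, that the module is either pre-staged or reachable from the PowerShell Gallery, and that the output object carries the property names used by the 1.0.x releases of Get-SpeculationControlSettings (check Get-Member on your installed version if they differ). The servers.txt input file and the CSV output path are constructed for the example.

```powershell
# Added example (not from the original post): collect SpeculationControl results
# from many servers. Assumes WinRM, local admin rights, and the 1.0.x property
# names of Get-SpeculationControlSettings; the file names are placeholders.

$Servers = Get-Content -Path '.\servers.txt'   # one hostname per line (constructed input)

$Report = Invoke-Command -ComputerName $Servers -ErrorAction Continue -ScriptBlock {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        # Pre-staging the module with SCCM avoids a Gallery dependency on each host.
        Install-Module -Name SpeculationControl -Force -Scope AllUsers
    }
    Import-Module SpeculationControl
    # The cmdlet prints its narrative with Write-Host; only the object reaches the pipeline.
    $s = Get-SpeculationControlSettings
    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        BTIHardware         = $s.BTIHardwarePresent           # firmware/microcode update present
        BTIWindowsSupport   = $s.BTIWindowsSupportPresent     # OS patch installed
        BTIEnabled          = $s.BTIWindowsSupportEnabled     # registry keys set and rebooted
        BTIDisabledByPolicy = $s.BTIDisabledBySystemPolicy
        KVAShadowRequired   = $s.KVAShadowRequired            # CPU affected by Meltdown
        KVAShadowSupport    = $s.KVAShadowWindowsSupportPresent
        KVAShadowEnabled    = $s.KVAShadowWindowsSupportEnabled
    }
}

# Hosts that have the patch but not the enablement are exactly the case this post is about.
$Report |
    Where-Object { $_.BTIWindowsSupport -and -not $_.BTIEnabled } |
    ForEach-Object { Write-Warning "$($_.Host): Spectre patch installed but NOT enabled" }

$Report |
    Select-Object * -ExcludeProperty PSComputerName, RunspaceId |
    Export-Csv -Path '.\SpeculationControl-report.csv' -NoTypeInformation
```

Hosts that fail to answer surface as Invoke-Command errors rather than rows, so a gap in the CSV is itself a finding; BTIHardware false with BTIEnabled true tells you the OS side is done but the firmware update the next section talks about is still outstanding.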

What about firmware?

Unfortunately, it is still true that you cannot fully mitigate Spectre and Meltdown without hardware support from the CPU vendor, and even then, aspects of these vulnerabilities, especially Meltdown, are expected to require a new generation of CPU hardware design.
It is believed that attacks making use of these vulnerabilities are starting to enter the wild, targeting unpatched and un-patchable systems. The overall message is:

Install the patches, enable the protection, update your firmware, protect yourselves.

 

What can’t be protected?

Microsoft are not releasing patches or protection for certain platforms, some not as old as you might think. If your OS is not up to date with Windows Updates, even Server 2016 and Windows 10, it will not receive the patches.

The following will not be getting patches or protection from these vulnerabilities:

  • Windows Server 2012
  • Windows Server 2008 and older
  • Windows 8
  • Windows 7 RTM and older.

If your organisation is running any of these Operating Systems, it is strongly recommended to start on a migration plan towards updating to current OS (2016) or remove these from operation as a matter of urgency.
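A migration plan starts with knowing where these systems are. The following added example (not from the original post) queries Active Directory for enabled computer accounts whose operating system matches the list above. It assumes the ActiveDirectory RSAT module, read access to computer objects, and that the OS strings are as AD records them; R2 editions of 2012 and 2008, and Windows 8.1 and 7 SP1, are excluded because they are not on the list.

```powershell
# Added example (not from the original post): find AD-joined computers running the
# operating systems listed as not receiving patches. Assumes the ActiveDirectory
# module and rights to read computer objects; the output CSV name is a placeholder.

Import-Module ActiveDirectory

# Server 2012 (non-R2), Server 2008 (non-R2) and older, Windows 8 (not 8.1).
$Unpatchable = '^Windows Server 2012(?! R2)',
               '^Windows Server 2008(?! R2)',
               '^Windows Server 2003',
               '^Windows 8(?!\.1)'

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
             -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

$exposed = foreach ($c in $computers) {
    $os  = [string]$c.OperatingSystem
    $hit = $false
    foreach ($p in $Unpatchable) { if ($os -match $p) { $hit = $true; break } }
    # Windows 7 without a service pack (RTM) is on the list; SP1 is not.
    if ($os -match '^Windows 7' -and [string]::IsNullOrEmpty($c.OperatingSystemServicePack)) { $hit = $true }
    if ($hit) {
        [pscustomobject]@{
            Name          = $c.Name
            OS            = $os
            ServicePack   = $c.OperatingSystemServicePack
            LastLogonDate = $c.LastLogonDate   # stale accounts can be retired rather than migrated
        }
    }
}

$exposed | Sort-Object OS, Name | Format-Table -AutoSize
$exposed | Export-Csv -Path '.\unpatchable-hosts.csv' -NoTypeInformation
```

LastLogonDate separates machines that genuinely need a migration from dormant accounts that can simply be removed, which is the "remove these from operation" option above.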

 

How can Silversands help?

Silversands has a strong history and capability with Server platform migrations and can undertake consultancy on migrating varied workloads to modern Server platforms or IaaS/PaaS infrastructures. Further, through Systems Management consultancy, Silversands can implement updates, system changes and validation reporting to ensure peace of mind regarding the rollout of protection against these vulnerabilities.
Silversands Managed Services can also provide management, reporting and advice, and take control of your internal patching and maintenance if required, ensuring that nuances of specific vulnerabilities such as this are not overlooked.
Microsoft provides a significant array of security services and products, and Silversands' expertise can be leveraged to design, deploy and manage them to protect and enable your organisation in the modern world.

As always, it’s prudent to keep up to date on security issues and with patches and software updates. If you have an immediate need for help please complete the contact form. We also post regular blogs about security so please do follow us.
