rpr.nospam
We have servers running MS Windows Server 2012 / 2012 R2. The servers have Intel Xeon E5-2450 v2 and Xeon E5-2420 CPUs. The servers have Hyper-V feature enabled.
According to https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html these CPUs have Microarchitectural Data Sampling vulnerabilities.
According to https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013 we should install 2019-05 Monthly Rollup which provides protections against these new Intel CPU vulnerabilities.
To enable the protection in Windows Server we should also set some registry settings as specified on https://support.microsoft.com/en-us/help/4072698/
So, I installed the 2019-05 Monthly Rollup (KB4499151) on MS Windows Server 2012 R2 and 2019-05 Monthly Rollup (KB4499171) on MS Windows Server 2012.
Also, I ran the following commands on the servers to set values in the Registry which should enable the MDS mitigation:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
The installation finished successfully and the servers started fine after reboot.
I used Get-SpeculationControlSettings script v. 1.0.14 to query the speculation control settings on the systems. The script is available on https://www.powershellgallery.com/packages/SpeculationControl/1.0.14 and the script output is explained on https://support.microsoft.com/en-us/help/4074629/
In PowerShell 5.1 I first installed the module with:
Install-Module -Name SpeculationControl
and then ran
Get-SpeculationControlSettings
I get the following script output:
...
Speculation control settings for MDS [microarchitectural data sampling]
Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: False
...
MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : False
Here I do not understand why the script reports "Windows OS support for MDS mitigation is enabled: False" (and "MDSWindowsSupportEnabled : False").
Regarding MDSWindowsSupportEnabled https://support.microsoft.com/en-us/help/4074629/ explains:
This line tells you if the Windows operating system mitigation for Microarchitectural Data Sampling (MDS) is enabled. If it is True, the hardware is believed to be affected by the MDS vulnerabilities, the windows operating support for the mitigation is present, and the mitigation has been enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled.
On the servers:
- hardware is vulnerable (Intel Xeon CPUs)
- Windows operating system support is present: 2019-05 Monthly Rollup (KB4499151) installed
- the mitigation has been enabled (Registry settings exist)
So, the script should report "MDSWindowsSupportEnabled : True".
Is anybody able to test this in similar hardware and OS environments?
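An added audit script for the situation described in the post above (it is not part of the original post, and not Microsoft's code). It collects in one object the three things Get-SpeculationControlSettings depends on before it will report the MDS mitigation as enabled: the OS code from the May 2019 rollup, the registry override the post sets, and the CPU microcode that has to expose the MD_CLEAR capability, which on these Xeon E5-2400-series parts normally arrives as a BIOS/firmware update from the server OEM rather than with the Windows rollup. Assumptions: it runs elevated in PowerShell 5.1 on the Hyper-V host, the SpeculationControl module from the post is already installed, the KB IDs are the two rollups the post names, and the expected registry values are the ones from the post's reg add commands. The function names and the 'Update Revision' decoding are mine.

```powershell
# Added audit script (not from the original post). Assumptions: elevated PowerShell 5.1 on the
# Hyper-V host, SpeculationControl module installed, KB IDs and registry values as in the post.

$MemoryManagementKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtualizationKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$Cpu0Key             = 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'

function Test-MdsRegistryOverride {
    # Compare the live values with the ones the post's three reg add commands write.
    $mm = Get-ItemProperty -Path $MemoryManagementKey -ErrorAction SilentlyContinue
    $vm = Get-ItemProperty -Path $VirtualizationKey   -ErrorAction SilentlyContinue
    $matches = ($mm.FeatureSettingsOverride -eq 72) -and
               ($mm.FeatureSettingsOverrideMask -eq 3) -and
               ($vm.MinVmVersionForCpuBasedMitigations -eq '1.0')
    [pscustomobject]@{
        FeatureSettingsOverride            = $mm.FeatureSettingsOverride
        FeatureSettingsOverrideMask        = $mm.FeatureSettingsOverrideMask
        MinVmVersionForCpuBasedMitigations = $vm.MinVmVersionForCpuBasedMitigations
        Matches                            = $matches
    }
}

function Test-MdsRollupInstalled {
    # Each OS version takes only one of the two rollups, so finding either is enough.
    param([string[]]$KbIds = @('KB4499151', 'KB4499171'))
    $found = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KbIds -contains $_.HotFixID })
    [pscustomobject]@{
        InstalledRollups = @($found | ForEach-Object { $_.HotFixID })
        Present          = ($found.Count -gt 0)
    }
}

function Get-LoadedMicrocodeRevision {
    # The kernel records the microcode revision it loaded on CPU 0 as an 8-byte REG_BINARY
    # (image of the IA32_BIOS_SIGN_ID MSR); the revision is the high DWORD, bytes 4..7,
    # little-endian. Decoding assumption: this layout, checked against an OEM release note.
    $cpu0  = Get-ItemProperty -Path $Cpu0Key -ErrorAction SilentlyContinue
    $bytes = [byte[]]$cpu0.'Update Revision'
    if ($null -eq $bytes -or $bytes.Length -lt 8) { return $null }
    '0x{0:X8}' -f [BitConverter]::ToUInt32($bytes, 4)
}

function Get-MdsAuditReport {
    $reg = Test-MdsRegistryOverride
    $kb  = Test-MdsRollupInstalled
    $sc  = $null
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        # -Quiet suppresses the narrative console output and returns only the result object.
        $sc = Get-SpeculationControlSettings -Quiet
    }
    $present    = if ($sc) { [bool]$sc.MDSWindowsSupportPresent } else { $null }
    $vulnerable = if ($sc) { [bool]$sc.MDSHardwareVulnerable }    else { $null }
    $enabled    = if ($sc) { [bool]$sc.MDSWindowsSupportEnabled } else { $null }

    # Findings: which prerequisite is missing, or the one the script cannot see directly.
    $findings = @()
    if (-not $kb.Present)  { $findings += 'May 2019 rollup not listed by Get-HotFix' }
    if (-not $reg.Matches) { $findings += 'registry override is not 72 / 3 / "1.0" as in the post' }
    if ($null -eq $sc)     { $findings += 'SpeculationControl module not installed; cannot read MDS fields' }
    if ($kb.Present -and $reg.Matches -and $present -and $vulnerable -and -not $enabled) {
        $findings += 'OS support present and override set, yet not enabled: confirm the host was ' +
                     'rebooted after the change and that the loaded microcode exposes MD_CLEAR ' +
                     '(compare MicrocodeRevision with the OEM''s MDS-era firmware release)'
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        Processor                = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
        MicrocodeRevision        = Get-LoadedMicrocodeRevision
        RollupPresent            = $kb.Present
        InstalledRollups         = $kb.InstalledRollups
        RegistryOverrideMatches  = $reg.Matches
        MDSWindowsSupportPresent = $present
        MDSHardwareVulnerable    = $vulnerable
        MDSWindowsSupportEnabled = $enabled
        Findings                 = $findings
    }
}

Get-MdsAuditReport | Format-List
```

Run it on each host after the reboot; the Findings list separates the cases the post's own checklist already covers (rollup and registry) from the one it does not list, the microcode revision, which the script can only report, not judge, so the printed revision has to be compared with the OEM's firmware release notes for the MDS update.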