2019-10 Security Monthly Quality Rollup, MDS vulnerabilities and Get-SpeculationControlSettings script

lalaJee

We have servers running MS Windows Server 2012 / 2012 R2. The servers don't have the Hyper-V feature enabled/installed. It's VMware 6.5 on UCS boxes.

According to https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013 we should install the 2019-05 Monthly Rollup, which provides protections against these new Intel CPU vulnerabilities. We have Oct 2019 installed, which does supersede May 2019.

To enable the protection in Windows Server we should also set some registry settings as specified on https://support.microsoft.com/en-us/help/4072698/

So, I installed the 2019-05 Monthly Rollup (KB4499151) on MS Windows Server 2012 R2 and 2019-05 Monthly Rollup (KB4499171) on MS Windows Server 2012.

Also, I ran the following commands on the servers to set values in the Registry which should enable the MDS mitigation:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

The installation finished successfully and the servers started fine after reboot.

I used Get-SpeculationControlSettings script v. 1.0.14 to query the speculation control settings on the systems. The script is available on SpeculationControl 1.0.14 and the script output is explained on https://support.microsoft.com/en-us/help/4074629/

In PowerShell 5.1 I first installed the module with:

Install-Module -Name SpeculationControl

and then ran

Get-SpeculationControlSettings


I get the following script output:

...

Speculation control settings for MDS [microarchitectural data sampling]

Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: False

...

MDSWindowsSupportPresent : True
MDSHardwareVulnerable : True
MDSWindowsSupportEnabled : False

Here I do not understand why the script reports "Windows OS support for MDS mitigation is enabled: False" (and "MDSWindowsSupportEnabled : False").

Regarding MDSWindowsSupportEnabled https://support.microsoft.com/en-us/help/4074629/ explains:
This line tells you if the Windows operating system mitigation for Microarchitectural Data Sampling (MDS) is enabled. If it is True, the hardware is believed to be affected by the MDS vulnerabilities, the windows operating support for the mitigation is present, and the mitigation has been enabled. If it is False, either the hardware is not vulnerable, Windows operating system support is not present, or the mitigation has not been enabled.

On the servers:
- Installed the latest version of the BIOS, which fixes these issues: "CVE-2018-12126, CVE-2018-12130, CVE-2018-12127 and CVE-2019-11091"
- Windows operating system support is present: 2019-10 Monthly Rollup installed
- the mitigation has been enabled (Registry settings exist)

So, the script should report "MDSWindowsSupportEnabled : True".

Is anybody able to test this in similar hardware and OS environments?


Running SCCM compliance report.

Non-Compliant Rules:

- Setting Name: Windows OS support for MDS mitigation is enabled
- Setting Type: Script
- Setting Description: If it is True, the Windows operating system support is present and either the hardware is not vulnerable or the mitigation has been enabled. If it is False, the windows operating system support for the mitigation is not present, or the hardware is believed to be affected by the MDS vulnerabilities and the mitigation has not been enabled.
- Rule Name: Check whether Windows OS support for MDS mitigation is enabled
- Rule Description: Compliant if the Windows operating system support is present and either the hardware is not vulnerable or the mitigation has been enabled, which equals to "MDSWindowsSupportEnabled: True" from Get-SpeculationControlSettings. Non-compliant if the windows operating system support for the mitigation is not present, or the hardware is believed to be affected by the MDS vulnerabilities and the mitigation has not been enabled, which equals to "MDSWindowsSupportEnabled: False" from Get-SpeculationControlSettings.
- Severity: Critical
- Instance Data:
  - Expression: Equals True
  - Current Value: False
  - Instance Source: Property = Line[0]
  - Rule Type: Value
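
An added example, not part of the original post or of Microsoft's SpeculationControl module: it reads back the two registry values set with `reg add` above and puts them next to the three MDS fields that Get-SpeculationControlSettings returns, so the unmet condition is visible in one place. The function names Get-MdsRegistryState and Get-MdsScriptState are hypothetical, and the expected values 72 and 3 are the ones from the post.

```powershell
# Added example. Run elevated, after: Install-Module -Name SpeculationControl
Import-Module SpeculationControl

$mmKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
# Values the post passed to "reg add ... /d" (decimal).
$expected = @{ FeatureSettingsOverride = 72; FeatureSettingsOverrideMask = 3 }

function Get-MdsRegistryState {
    # Reads both override values; a value that does not exist is reported as $null.
    $props = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$name]) { $actual = $props.$name }
        [pscustomobject]@{
            Name     = $name
            Expected = $expected[$name]
            Actual   = $actual
            Match    = ($null -ne $actual -and $actual -eq $expected[$name])
        }
    }
}

function Get-MdsScriptState {
    # The cmdlet writes its report to the host and emits one object;
    # keep only the three MDS fields quoted in the post.
    Get-SpeculationControlSettings |
        Select-Object MDSWindowsSupportPresent, MDSHardwareVulnerable, MDSWindowsSupportEnabled
}

$registry = Get-MdsRegistryState
$mds      = Get-MdsScriptState
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$registry | Format-Table -AutoSize
$mds      | Format-List
"Last boot: $lastBoot (the override values are read at boot)"

# Walk the conditions from the KB4074629 text quoted in the post.
if (-not $mds.MDSWindowsSupportPresent) {
    'OS support for the MDS mitigation is not present.'
} elseif (-not $mds.MDSHardwareVulnerable) {
    'Hardware is reported as not vulnerable to MDS.'
} elseif ($mds.MDSWindowsSupportEnabled) {
    'MDS mitigation is reported as enabled.'
} elseif ($registry.Match -contains $false) {
    'Registry values differ from the ones set in the post.'
} else {
    'Registry values match and OS support is present, but the mitigation is reported as not enabled.'
}
```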
