Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser # Reset the execution policy to the original state Set-ExecutionPolicy RemoteSigned -Scope Currentuser $SaveExecutionPolicy = Get-ExecutionPolicy # Save the current execution policy so it can be reset # Run the PowerShell module to validate the protections are enabled If you are using Server 2016 or have Windows Management Framework (WMF) 5.0+ installed you can use the following script Windows Clients Speculative Execution Side-channel Vulnerabilities Windows Server Speculative Execution Side-channel Vulnerabilities I will be mainly focused on Server versions however. I used the following guidance from Microsoft for these, and treated Clients and Server versions differently. What official resources can I get information for these from? This varies based on every model and CPU – you should ideally implement the fixes first by hand, test the fix for a while, and then decide if you will roll it out to your organization. Most manufacturers have given rough estimates of up to 20-30% degradation in performance. Will patching the vulnerability affect my system performance? PS C:\WINDOWS\system32> Get-WMIObject win32_processor | select -ExpandProperty Numberofcores PS C:\WINDOWS\system32> Get-WMIObject win32_processor | select -ExpandProperty Numberoflogicalprocessors If these values are different then Hyper-Threading is enabled. You can check by comparing these two values – NumberofLogicalProcesses and NumberofCores. If Hyper-threading is enabled, its better to disable it. If you dont want to do that, you need to then use the registry keys with Hyper-threading enabled specifically. To fully mitigate these attack vectors you should disable Hyper-Threading. L1TF and MDS vulnerabilities exist because of Hyper-Threading being present. Intel Hyper-Threading Related Vulnerabilities If you have Hyper-Threading enabled, there is a different registry key when compared to a Intel CPU without HT on. There is some additional work for an Intel CPU with Hyper-Threading (HT) enabled or not. In this blog post I want to consolidate all that info and make it easy to patch in a larger environment without the manual hassle. To summarize it though, you generally need to ensure that the latest firmware has been installed on your motherboard, your operating system should be patched with the latest security updates and optionally some manufacturers have released specific fixes. If you are using either an AMD, Intel, or ARM processor it will differ how you will protect yourself. If you are running any OS that’s older, you will need to make the changes I am recommending below. However, its important to note that Server 2019 has some of the registry keys “switched on” by default. Since these vulnerabilities are linked to the CPU, you can pretty much assume that every OS will be vulnerable. Which Operating Systems are affected by the speculative execution side-channel attack? There have been numerous vulnerabilities linked to the same core-issue but they are treated as individual CVE’s and as such have their own fixes. Both of these leveraged a cache-based vulnerability in modern-day CPU’s. ![]() The main side-channel attack we refer to in IT are more specifically the Spectre and Meltdown vulnerabilities. What is the side-channel attack we need to be aware of?
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |