Windows Server guidance to protect against speculative execution side-channel vulnerabilities

  • Question

  • Hello,

    I am working on a server security report and looking at this link: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot

    I followed the instructions to enable mitigations for CVE-2017-5715 and applied these registry changes:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    I ran Get-SpeculationControlSettings and the line "Windows OS support for branch target injection mitigation is disabled by system policy" is still showing FALSE. Please see the attached.

    Anyone who knows, please advise.

    Friday, November 15, 2019 9:12 PM

All replies

  • Hi,

    If you have performed registry changes, you'll most likely need to restart the computer for the changes to take effect.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Saturday, November 16, 2019 4:17 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    According to your description, you enabled mitigations for CVE-2017-5715 (Spectre Variant 2) and CVE-2017-5754 (Meltdown) through the following two registry entries:



    Then you got the result:

    Windows OS support for branch target injection mitigation is disabled by system policy => False.

    I think we got the correct result.


    From the article Understanding Get-SpeculationControlSettings PowerShell script output, we can see:

    Maps to BTIDisabledBySystemPolicy. This line tells you if the branch target injection mitigation has been disabled by system policy (such as an administrator-defined policy). System policy refers to the registry controls as documented in KB 4072698. If it is True, the system policy is responsible for disabling the mitigation. If it is False, the mitigation is disabled by a different cause.

    We want to enable the mitigation through the registry, but we cannot enable it through the registry, because the mitigation is disabled by the absence of hardware support.


    Here are the explanations for our results:

    1. Hardware support for branch target injection mitigation is present: False (if the hardware supports it, it is True; because the hardware does not support it, it is False)
    2. Windows OS support for branch target injection mitigation is present: True (Yes, it is present and it is False)
    3. Windows OS support for branch target injection mitigation is enabled: False (because the hardware does not support it, it is False)
    4. Windows OS support for branch target injection mitigation is disabled by system policy: False (the mitigation is disabled by a different cause (that is, hardware), so it is False; if it were disabled by system policy, it would be True)
    5. Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True (the mitigation is disabled by a different cause (that is, hardware)).



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 18, 2019 6:25 AM
    Moderator
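The registry policy from the question and the five BTI lines Daisy Zhou walks through above, combined into one check that also covers Leon's reboot point. This is an added example, not code from the thread or from Microsoft. It assumes the SpeculationControl module from the PowerShell Gallery is installed (Install-Module SpeculationControl) and that the session is elevated; the function names Get-SpectreRegistryPolicy, Test-RebootPending and Get-BtiDiagnosis are my own. The bit meanings are the ones KB 4072698 documents (bit 0 disables the CVE-2017-5715 mitigation, bit 1 disables the CVE-2017-5754 mitigation), which is why Override=0/Mask=3 enables both and Override=3/Mask=3 disables both.

```powershell
# Added example (not from the original thread): decode the KB 4072698 registry
# policy and read it alongside Get-SpeculationControlSettings, so that a
# "disabled by absence of hardware support" result is not mistaken for a
# registry problem. Requires the SpeculationControl module and an elevated shell.

$MmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpectreRegistryPolicy {
    # Missing values cast to 0, which means "no override at all".
    $props    = Get-ItemProperty -Path $MmKey -ErrorAction SilentlyContinue
    $override = [int]($props.FeatureSettingsOverride)
    $mask     = [int]($props.FeatureSettingsOverrideMask)

    # Only bits selected by the mask are overridden; the rest keep OS defaults.
    $effective = $override -band $mask
    [pscustomobject]@{
        OverrideValue        = $override
        MaskValue            = $mask
        PolicyPresent        = ($mask -ne 0)
        BtiDisabledByPolicy  = (($effective -band 1) -ne 0)   # bit 0: CVE-2017-5715
        KvasDisabledByPolicy = (($effective -band 2) -ne 0)   # bit 1: CVE-2017-5754
    }
}

function Test-RebootPending {
    # The registry values are read at boot; these two keys are the usual
    # "a restart is still outstanding" markers on Windows Server.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    (Test-Path $cbs) -or (Test-Path $wu)
}

function Get-BtiDiagnosis {
    $policy = Get-SpectreRegistryPolicy
    # -Quiet returns the result object without the coloured console report.
    $sc = Get-SpeculationControlSettings -Quiet

    # Walk the flags in the order the script output lists them: an enabled
    # mitigation wins, then a policy cause, then a hardware cause, then an
    # OS-support cause.
    $cause = if ($sc.BTIWindowsSupportEnabled) {
        'Branch target injection mitigation is active.'
    } elseif ($sc.BTIDisabledBySystemPolicy) {
        "Disabled by registry policy (Override=$($policy.OverrideValue), Mask=$($policy.MaskValue)); set Override=0 and Mask=3, then restart."
    } elseif ($sc.BTIDisabledByNoHardwareSupport -or -not $sc.BTIHardwarePresent) {
        'Disabled because the CPU/firmware does not expose the branch-control support; the registry is not the cause. Apply the OEM firmware (microcode) update and re-run this check.'
    } elseif (-not $sc.BTIWindowsSupportPresent) {
        'The OS does not carry the mitigation code; install the cumulative update that adds it.'
    } else {
        'Not enabled for an unlisted reason; confirm the server was restarted after the registry change.'
    }

    [pscustomobject]@{
        RegistryPolicy              = $policy
        HardwareSupportPresent      = $sc.BTIHardwarePresent
        WindowsSupportPresent       = $sc.BTIWindowsSupportPresent
        WindowsSupportEnabled       = $sc.BTIWindowsSupportEnabled
        DisabledBySystemPolicy      = $sc.BTIDisabledBySystemPolicy
        DisabledByNoHardwareSupport = $sc.BTIDisabledByNoHardwareSupport
        RebootPending               = Test-RebootPending
        Diagnosis                   = $cause
    }
}

Get-BtiDiagnosis | Format-List
```

On the poster's server this yields HardwareSupportPresent = False, DisabledBySystemPolicy = False and DisabledByNoHardwareSupport = True, so the diagnosis points at firmware rather than the registry; the registry decode is there to catch the opposite case, where a stale Override=3/Mask=3 from an earlier rollback is the thing silently disabling the mitigation.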
  • Hi,
    Is there any update on this question, or has the issue been solved? Also, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou


    Wednesday, November 20, 2019 3:19 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.

    Again thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou


    Friday, November 22, 2019 10:41 AM
    Moderator