Meltdown and Spectre CPU flaws

    Question

  • Hi,

    Anyone aware of mitigation options for Windows servers OS? Looks like hardware vendors are still working to figure out fixes.

    Thursday, January 4, 2018 10:59 AM

Answers

  • Hi Anne,

    Could you please confirm if these registry keys need to be applied to servers irrespective of whether we use Hyper-V or Remote Desktop Services Hosts (RDSH) as suggested in the above article? Also, should we apply these reg keys to both physicals and virtuals?

    Regards,

    Kanthi.

    Hi Kanthi.kota,

    The following steps are required to ensure that your virtual machines are protected:

    1. Update the host operating system.
    2. Ensure the virtualization host has been updated to firmware which contains updates for CVE-2017-5715.
    3. Ensure Hyper-V is configured to expose new processor capabilities to guest virtual machines. (Set registry keys on the Hyper-V host)
    4. Update the guest operating system as required.
    5. Perform a cold boot of guest virtual machines.

    So, set the registry keys on the Hyper-V host.

    Please check the following article for detailed information:

    https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 10, 2018 8:55 AM
    Moderator
  • Hi Kanthi,

    Yes, as the following guidance suggests, we need to use these registry keys to enable the mitigations on the Hyper-V server and RDSH Server.

    https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    We only need to perform those changes on Server (physical and virtual); for client versions, the Jan monthly update will enable mitigations.

    BTW, sharing another good article here FYI.

    https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown


    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.”

    Wednesday, January 10, 2018 8:59 AM

All replies

  • I also got the same information. Help me with how we keep our system safe.
    Thursday, January 4, 2018 12:56 PM
  • Microsoft has released a patch - https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890

    I believe the above is for what is being called 'Meltdown' in the press. I haven't seen a name for the second bug announced today, so that may be what you are calling Spectre. Microsoft does not discuss what security issues it is working on, but you can be sure that as soon as it is possible, Microsoft will release a patch for any security flaw that it is aware of.


    tim


    Thursday, January 4, 2018 2:16 PM
  • Hi Manoj Vishwakarma,

    >Anyone aware of mitigation options for Windows servers OS?

    Use these registry keys to enable the mitigations on server:

    To enable the mitigations

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    Please check the following article about mitigation options for Server OS:

    Windows Server guidance to protect against speculative execution side-channel vulnerabilities

    https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

    Best Regards,

    Anne



    Friday, January 5, 2018 4:21 AM
    Moderator
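
An added example, not part of the reply above and not Microsoft's own code: a PowerShell check that reads the two values written by the `reg add` commands in that reply and reports whether each is present with the data given there (0 and 3). The function name `Test-MitigationRegistryValues` is hypothetical. It only audits these registry values; it does not verify the OS update or firmware steps discussed elsewhere in the thread.

```powershell
# Added example: audits the two values set by the reg add commands in this thread.
# Expected data (0 and 3) comes from those commands; the function name is hypothetical.
function Test-MitigationRegistryValues {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    )

    $expected = [ordered]@{
        FeatureSettingsOverride     = 0
        FeatureSettingsOverrideMask = 3
    }

    foreach ($name in $expected.Keys) {
        # SilentlyContinue: a missing value yields $null instead of a terminating error
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $actual = $null
            $state  = 'Missing'
        }
        else {
            $actual = $item.$name
            # REG_DWORD is returned as Int32; a value created with another type is flagged
            $state = if ($actual -is [int] -and $actual -eq $expected[$name]) { 'OK' } else { 'Mismatch' }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $name
            Expected = $expected[$name]
            Actual   = $actual
            State    = $state
        }
    }
}

$results = Test-MitigationRegistryValues
$results | Format-Table -AutoSize
if ($results.State -contains 'Missing' -or $results.State -contains 'Mismatch') {
    Write-Warning 'Mitigation registry values do not match the values given in this thread.'
}
```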
  • Also see the sticky note at the beginning of this forum - https://social.technet.microsoft.com/Forums/en-US/c1ccbea6-996a-435c-ad9c-86528202c5c0/mitigations-for-speculative-execution-sidechannel-vulnerabilities-in-cpu-microcode?forum=winserver8gen

    tim

    Friday, January 5, 2018 1:21 PM
  • The post Tim linked has links with Microsoft advice for hardware and software.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, January 5, 2018 2:55 PM
  • Hi! Is this registry change the fix for Server 2012 Standard?  I'm a little confused.  It sounds like Server 2012 R2 is automatically updated with KB4056898 but that same guidance says "Not Available" for Server 2012.  Do I need to make these registry changes manually for my Server 2012 installs?  Thanks in advance!  Link for guidance I was using is: Windows Server guidance to protect against speculative execution side-channel vulnerabilities
    Saturday, January 6, 2018 5:22 AM
  • Reading through the https://social.technet.microsoft.com/Forums/en-US/c1ccbea6-996a-435c-ad9c-86528202c5c0/mitigations-for-speculative-execution-sidechannel-vulnerabilities-in-cpu-microcode?forum=winserver8gen article, you will find a link to an article specific to Windows Server 2012.  That article is here - https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution.  In there you will find a table that shows the patch is not available for Windows Server 2012.

    Windows Server-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update. The following updates are available:

    Operating system version                                  Update KB
    Windows Server, version 1709 (Server Core Installation)   4056892
    Windows Server 2016                                       4056890
    Windows Server 2012 R2                                    4056898
    Windows Server 2012                                       Not available
    Windows Server 2008 R2                                    4056897
    Windows Server 2008                                       Not available


    tim


    Saturday, January 6, 2018 2:39 PM
  • But this security release, January 3, 2018—KB4056890 (OS Build 14393.2007), is not for Windows Server 2012.
    Monday, January 8, 2018 5:30 AM
  • Correct. That is obvious - the list says Not available. What is the point of your post?


    Bill


    • Edited by Bill Grant Monday, January 8, 2018 6:24 AM
    Monday, January 8, 2018 6:22 AM
  • Hi Anne,

    Could you please confirm if these registry keys need to be applied to servers irrespective of whether we use Hyper-V or Remote Desktop Services Hosts (RDSH) as suggested in the above article? Also, should we apply these reg keys to both physicals and virtuals?

    Regards,

    Kanthi.

    Tuesday, January 9, 2018 5:10 PM
  • Hi Manoj Vishwakarma,

    Just checking whether the above replies were of help. If so, please mark the useful reply as the answer; if you have other concerns, you are welcome to give feedback.

    Best Regards,

    Anne



    Wednesday, January 10, 2018 8:57 AM
    Moderator