Introduction

You are probably aware of a publicly disclosed class of vulnerabilities, referred to as “speculative execution side-channel attacks”, that affects many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

Microsoft has published an article which describes what actions need to be performed to protect your servers. At a high level the actions are as follows:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

In this article, we will discuss step 2: Make necessary configuration changes to enable protection.

However, before going to the next section, we strongly recommend reading the Microsoft article carefully to understand the requirements.

Enabling protection on servers

Microsoft suggests the following registry changes to enable or disable the protection.

To enable the mitigations

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

To disable the mitigations

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

 

However, how can we create or update these registry values quickly on hundreds (or probably thousands) of servers in our environment?

The answer is Group Policy!

Warning: Before implementing this policy for the first time, back up your registry and test with a small number of systems.

Use Group Policy to create/update registry values

1. Create a new group policy

For example: Test Registry Edit.

2. Create registry item

Navigate to Computer Configuration > Preferences > Windows Settings > Registry. 

Create a new Registry Item.

 

3. Locate the key path for memory management

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

 

4. Value Name: FeatureSettingsOverride

Action: Create
Hive: HKEY_LOCAL_MACHINE

Key path: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

Hive: HKEY_LOCAL_MACHINE
Value Name: FeatureSettingsOverrideMask
Value Type: REG_DWORD
Value Data: 0

Here, too, you can enable item-level filtering based on your requirements.

 

We have now created the two registry values in the GPO.

 

5. Link the GPO to appropriate OUs

Link the GPO to the appropriate OUs and run gpupdate /force; the values should then appear in the registry.

Also validate that the values do not appear on the systems you excluded using item-level filtering.
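One way to carry out this validation, as an added PowerShell example that is not part of the original article: it reads both values on the local machine or on a list of servers and compares them with the "enable" data from the reg add commands above. The function name Test-MitigationRegistry and the server names are hypothetical, and the remote check assumes PowerShell remoting is enabled.

```powershell
# Added example: audit the two values the GPO is expected to write.
# Expected data are the "enable" settings from the reg add commands above.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Expected = @{ FeatureSettingsOverride = 0; FeatureSettingsOverrideMask = 3 }

# Runs on each target and returns one result object per value name.
$Check = {
    param($KeyPath, $Expected)
    foreach ($name in $Expected.Keys) {
        # A missing value returns nothing instead of raising an error.
        $item   = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        $actual = $null
        if ($null -ne $item) { $actual = $item.$name }

        if ($null -eq $actual)                   { $state = 'Missing' }
        elseif ($actual -eq $Expected[$name])    { $state = 'OK' }
        else                                     { $state = 'Mismatch' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $name
            Expected = $Expected[$name]
            Actual   = $actual
            State    = $state
        }
    }
}

# Hypothetical helper name; omit -ComputerName to check the local machine only.
function Test-MitigationRegistry {
    param([string[]]$ComputerName)
    if (-not $ComputerName) {
        return & $Check $KeyPath $Expected
    }
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $Check `
        -ArgumentList $KeyPath, $Expected -ErrorAction Continue |
        Select-Object Computer, Value, Expected, Actual, State
}

# Local check
Test-MitigationRegistry | Format-Table -AutoSize

# Remote check; SERVER01 and SERVER02 are placeholder names
# Test-MitigationRegistry -ComputerName 'SERVER01', 'SERVER02' | Format-Table -AutoSize
```

Servers in the linked OUs should report OK for both values, while systems excluded by item-level filtering should report Missing unless the values were set some other way.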

 

Summary

In this article, we have discussed how to quickly change the registry settings of multiple servers with the help of Group Policy. We have discussed this in the context of the speculative execution vulnerabilities in Intel chipsets, but you can use the same method for any other registry change.
