Channel: TechNet Blogs

ConfigMgr Speculation Control Baseline FTW!


Welcome back from a long holiday, and to one of your first challenges for 2018! Unless you're still under your holiday rock, you've probably become aware of a newly disclosed class of vulnerabilities, named "speculative execution side-channel attacks", which affect many modern processors from Intel, AMD and ARM and the operating systems that run on them. The latest guidance from the ConfigMgr Product Group is at https://blogs.technet.microsoft.com/configurationmgr/2018/01/08/additional-guidance-to-mitigate-speculative-execution-side-channel-vulnerabilities/.

Within the support articles for both servers and workstations, you'll notice a section titled "Verify that protections are enabled". In this section there are instructions to launch PowerShell, run Install-Module SpeculationControl, and then execute the Get-SpeculationControlSettings cmdlet.

If you manually execute this cmdlet on an unprotected machine, you'll see output that resembles the following:

However, if you execute the same cmdlet on a fully protected machine, you'll see output that resembles the following:

As a System Center Configuration Manager administrator, your upper management is probably already asking you to determine who's vulnerable and who's not. Unfortunately, running this cmdlet by hand on each endpoint is not feasible for most enterprises with more than 25 endpoints, aside from possibly using the new "Run PowerShell script" feature introduced in 1706 (which is really useful, by the way). Also, applying the January cumulative security updates only partially protects your machines: the CVE-2017-5715 mitigation also needs firmware (microcode) updates, which are provided by each vendor/OEM separately from the OS updates, and the cmdlet reports whether both halves are in place. So the cmdlet needs to be run on a continual basis on all endpoints, and getting to a fully patched state and verifying every machine can quickly become overwhelming in a large environment.
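As an added example (not part of the original post or of the baseline download), here is a PowerShell wrapper that runs the cmdlet and collapses its result object into a single Compliant/NonCompliant line with the failing checks attached. That one-line shape is what a ConfigMgr script-based Configuration Item rule or a "Run PowerShell script" job can act on. It assumes the SpeculationControl module is already installed on the endpoint (Install-Module needs PowerShell Gallery access, so in a locked-down network you would stage the module yourself), that the script runs elevated, and that the property names are those of the module's initial January 2018 release; the pass/fail rules are this example's own reading of the KB guidance, not the baseline's.

```powershell
# Added example: reduce Get-SpeculationControlSettings to a compliance verdict.
# Assumes the SpeculationControl module is installed and the script runs elevated.
$ErrorActionPreference = 'Stop'

try {
    Import-Module SpeculationControl
} catch {
    # Without the module the host cannot be assessed; never report that as "Compliant".
    Write-Output 'Unknown: SpeculationControl module not installed'
    return
}

# The cmdlet prints a human-readable narrative with Write-Host and also returns a
# PSCustomObject; only the object is evaluated here.
$s = Get-SpeculationControlSettings

$failures = @()

# CVE-2017-5715 (branch target injection) needs firmware/microcode support AND the
# OS mitigation installed and enabled. The two "DisabledBy" flags say which half is missing.
if (-not $s.BTIHardwarePresent)       { $failures += 'BTI: no firmware/microcode support (OEM update needed)' }
if (-not $s.BTIWindowsSupportPresent) { $failures += 'BTI: January OS update not installed' }
if ($s.BTIWindowsSupportPresent -and -not $s.BTIWindowsSupportEnabled) {
    if ($s.BTIDisabledBySystemPolicy)       { $failures += 'BTI: disabled by registry policy (FeatureSettingsOverride)' }
    if ($s.BTIDisabledByNoHardwareSupport)  { $failures += 'BTI: disabled because hardware support is absent' }
    if (-not $s.BTIDisabledBySystemPolicy -and -not $s.BTIDisabledByNoHardwareSupport) {
        $failures += 'BTI: OS support present but not enabled'
    }
}

# CVE-2017-5754 (rogue data cache load): kernel VA shadowing is only required on
# affected CPUs; the cmdlet reports KVAShadowRequired = False on, for example, AMD.
if ($s.KVAShadowRequired) {
    if (-not $s.KVAShadowWindowsSupportPresent) { $failures += 'KVA shadow: January OS update not installed' }
    if ($s.KVAShadowWindowsSupportPresent -and -not $s.KVAShadowWindowsSupportEnabled) {
        $failures += 'KVA shadow: OS support present but not enabled'
    }
}

if ($failures.Count -eq 0) {
    Write-Output 'Compliant'
} else {
    # One line, so a CI rule of "value equals Compliant" evaluates cleanly while the
    # detail still reaches the Run Scripts output pane or the CI evaluation log.
    Write-Output ('NonCompliant: ' + ($failures -join '; '))
}
```

Because the cmdlet itself writes its narrative with Write-Host, compare the last line of the output in your CI rule rather than the whole output; later releases of the module add a -Quiet switch to suppress that narrative, but check Get-Command Get-SpeculationControlSettings -Syntax on the module version you ship before relying on it.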

The good news is, one of our top-notch Microsoft PFEs, Ken Wygant, led a team of us in turning this module and cmdlet into Configuration Manager Compliance Items and a Baseline.

If you're interested in deploying this Compliance Baseline, you can download the latest version here https://1drv.ms/u/s!AjWJfSOoWmkYuaRb-ha64Ti15bPaGA

Import this new baseline into your ConfigMgr hierarchy as a new Compliance Baseline and you'll see multiple Compliance Items also get created, one for each of the checks performed by the Get-SpeculationControlSettings cmdlet. Deploy this new baseline to a collection of test workstations and servers and test it thoroughly before deploying to the rest of your environment.

Note:

Within the server support article, there is a section that states "Your server is at increased risk if it is in one of the following categories"

  • Hyper-V hosts
  • Remote Desktop Services (RDS) hosts
  • For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources.

Within the baseline, we created registry remediations for the first two scenarios (Hyper-V and RDS hosts) that automatically adjust the values beneath the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization registry keys, as directed by the support articles for server OSes running these services. Unfortunately, there is no known programmatic way to check for the third scenario, so you'll have to manually find and adjust any servers that fit it. If you enable "Remediate noncompliant rules when supported" on the Compliance Baseline deployment, it will automatically add the necessary registry values on Hyper-V and Remote Desktop Services hosts.
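The registry logic for those two server roles, written out as an added example rather than as the baseline's actual CI scripts: a discovery function that returns Compliant/NonCompliant and a remediation function that sets the values. The paths and values are the ones documented in KB 4072698 (Windows Server guidance, linked in the article list); role detection through Get-WindowsFeature, the function names, and the decision to treat servers with neither role as compliant for this CI are this example's assumptions.

```powershell
# Added example: discovery and remediation for the Hyper-V / RDS host scenario,
# in the two-script shape a ConfigMgr script-based Configuration Item expects.
# Registry names/values are from KB 4072698; role detection is an assumption.

$mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-SpecCtrlHostRole {
    # Returns 'HyperV', 'RDS' or 'None'. Requires the ServerManager module
    # (present on full and Server Core installs; Import-Module is needed on PS 2.0).
    Import-Module ServerManager -ErrorAction Stop
    if ((Get-WindowsFeature -Name Hyper-V).Installed)       { return 'HyperV' }
    if ((Get-WindowsFeature -Name RDS-RD-Server).Installed) { return 'RDS' }
    return 'None'
}

function Test-SpecCtrlRegistry {
    param([string]$Role)
    # This CI only enforces values on the two roles the KB calls out.
    if ($Role -eq 'None') { return 'Compliant' }

    # KB 4072698: on Windows Server the OS mitigations stay off after the January
    # update until FeatureSettingsOverride = 0 and FeatureSettingsOverrideMask = 3 are set.
    $p = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    if ($p.FeatureSettingsOverride -ne 0 -or $p.FeatureSettingsOverrideMask -ne 3) {
        return 'NonCompliant'   # also hit when the key or either value is missing ($null -ne 0)
    }

    if ($Role -eq 'HyperV') {
        # Hyper-V hosts additionally need the VM version floor so guests are offered
        # the new CPU features.
        $v = Get-ItemProperty -Path $virt -Name MinVmVersionForCpuBasedMitigations -ErrorAction SilentlyContinue
        if ($v.MinVmVersionForCpuBasedMitigations -ne '1.0') { return 'NonCompliant' }
    }
    return 'Compliant'
}

function Set-SpecCtrlRegistry {
    param([string]$Role)
    if ($Role -eq 'None') { return }
    New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
    if ($Role -eq 'HyperV') {
        if (-not (Test-Path $virt)) { New-Item -Path $virt -Force | Out-Null }
        New-ItemProperty -Path $virt -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    }
    # The values take effect only after the host reboots; on a Hyper-V host the VMs
    # must be fully stopped and started again before guests see the new CPU features.
}

# Discovery script body: the CI rule compares this output with "Compliant".
$role = Get-SpecCtrlHostRole
Test-SpecCtrlRegistry -Role $role

# Remediation script body (a separate script in the CI, so paste the function in too):
# Set-SpecCtrlRegistry -Role (Get-SpecCtrlHostRole)
```

ConfigMgr runs the discovery and remediation scripts separately, so each script must carry its own copy of the functions it calls; the split above shows which call goes where. Because the remediation writes HKLM, the CI must run in the system context (the default), not as the logged-on user.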

When importing the baseline, you'll be notified that the publisher could not be verified. Since you're importing unsigned compliance scripts that will run as SYSTEM on every targeted machine, review the discovery and remediation scripts in the imported CIs before deploying, and then, assuming you're OK with them, you'll see the following Baseline and CIs successfully imported:

As the Get-SpeculationControlSettings cmdlet is occasionally being improved upon (it's on its 3rd revision since the initial publishing of this blog post), we are also working to update the CIs in the event there are any code changes which might affect the functionality of the CIs. Therefore, if this cmdlet is updated again in the future, we will provide updates to this blog post with each update to the .cab which can be re-downloaded and re-imported as necessary.

Additional articles regarding the Speculation Control vulnerability

Security Advisory 180002 - Vulnerability in CPU Microcode Could Allow Information Disclosure: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

KB 4073229 - Protect your device against the recent chip-related security vulnerability: https://support.microsoft.com/help/4073229

KB 4073119 - Windows Client Guidance for IT Pros to protect against the speculative execution side-channel vulnerabilities: https://support.microsoft.com/help/4073119

KB 4072698 - Windows Server Guidance to protect against the speculative execution side-channel vulnerabilities: https://support.microsoft.com/help/4072698

KB 4072699 - Important Information regarding the Windows Security Updates Released January 2018 (A/V): https://support.microsoft.com/help/4072699

KB 4073235 - Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities: https://support.microsoft.com/help/4073235

KB 4073065 - Surface Guidance for Customers and Partners "Protect your devices against the recent chip-related security vulnerability": https://support.microsoft.com/help/4073065

KB 4073225 - Guide to protect SQL Server against speculative execution side-channel vulnerabilities: https://support.microsoft.com/en-gb/help/4073225/guidance-for-sql-server

Windows Client Updates

Product Name                                    KB number   Download Link
Windows 10 for 32-bit Systems                   4056893     Security Update
Windows 10 for x64-based Systems                4056893     Security Update
Windows 10 Version 1511 for 32-bit Systems      4056888     Security Update
Windows 10 Version 1511 for x64-based Systems   4056888     Security Update
Windows 10 Version 1607 for 32-bit Systems      4056890     Security Update
Windows 10 Version 1607 for x64-based Systems   4056890     Security Update
Windows 10 Version 1703 for 32-bit Systems      4056891     Security Update
Windows 10 Version 1703 for x64-based Systems   4056891     Security Update
Windows 10 Version 1709 for 32-bit Systems      4056892     Security Update
Windows 7 for 32-bit Systems Service Pack 1     4056897     Security Only
Windows 7 for x64-based Systems Service Pack 1  4056897     Security Only
Windows 8.1 for 32-bit systems                  4056898     Security Only
Windows 8.1 for x64-based systems               4056898     Security Only


Windows Server Updates

Product Name                                                                             KB number   Download Link
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1                          4056897     Security Only
Windows Server 2008 R2 for x64-based Systems Service Pack 1                              4056897     Security Only
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)   4056897     Security Only
Windows Server 2012                                                                      4056899     Security Only
Windows Server 2012 (Server Core installation)                                           4056899     Security Only
Windows Server 2012 R2                                                                   4056898     Security Only
Windows Server 2012 R2 (Server Core installation)                                        4056898     Security Only
Windows Server 2016                                                                      4056890     Security Update
Windows Server 2016 (Server Core installation)                                           4056890     Security Update
Windows Server, version 1709 (Server Core Installation)                                  4056892     Security Update


Microsoft SQL

Product Name                                                         KB number   Download Link
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU)  4057119     Security Update
Microsoft SQL Server 2017 for x64-based Systems                      4057122     Security Update
Microsoft SQL Server 2017 for x64-based Systems (CU)                 4052987     Security Update


