Side-Channel Attack Mitigation via GPO (Group Policy Objects)

What is the side-channel attack we need to be aware of?

The side-channel attacks usually meant in IT are, more specifically, the Spectre and Meltdown vulnerabilities. Both leverage a cache-based side channel in modern CPUs. Numerous later vulnerabilities stem from the same core issue, but they are treated as individual CVEs and as such have their own fixes.

Which Operating Systems are affected by the speculative execution side-channel attack?

Since these vulnerabilities are linked to the CPU, you can pretty much assume that every OS will be vulnerable. However, it's important to note that Server 2019 has some of the registry keys "switched on" by default. If you are running any older OS, you will need to make the changes I am recommending below.

How can we defend against it?

How you protect yourself differs depending on whether you are using an AMD, Intel, or ARM processor. To summarize, you generally need to ensure that the latest firmware has been installed on your motherboard and that your operating system is patched with the latest security updates; optionally, some manufacturers have released specific fixes.

In this blog post I want to consolidate all that info and make it easy to patch in a larger environment without the manual hassle.

There is some additional work for an Intel CPU depending on whether Hyper-Threading (HT) is enabled or not. If you have Hyper-Threading enabled, there is a different registry key value compared to an Intel CPU with HT off.

Intel Hyper-Threading Related Vulnerabilities

The L1TF and MDS vulnerabilities exist because of Hyper-Threading being present. To fully mitigate these attack vectors you should disable Hyper-Threading. If you don't want to do that, you need to use the registry key values for Hyper-Threading enabled specifically.

If Hyper-Threading is enabled, it's better to disable it. You can check by comparing these two values: NumberOfLogicalProcessors and NumberOfCores. If these values are different then Hyper-Threading is enabled.

PS C:\WINDOWS\system32> Get-WMIObject win32_processor | select -ExpandProperty Numberoflogicalprocessors
4
PS C:\WINDOWS\system32> Get-WMIObject win32_processor | select -ExpandProperty Numberofcores
2


Will patching the vulnerability affect my system performance?

Yes! It definitely will. Most manufacturers have given rough estimates of up to 20-30% degradation in performance. This varies by model and CPU – you should ideally implement the fixes by hand first, test them for a while, and then decide whether to roll them out to your organization.

What official resources can I get information for these from?

I used the following guidance from Microsoft for these, and treated Clients and Server versions differently. I will be mainly focused on Server versions however.

Windows Server Speculative Execution Side-channel Vulnerabilities

Windows Clients Speculative Execution Side-channel Vulnerabilities

How do I know if I’m protected or not?

If you are using Server 2016 or have Windows Management Framework (WMF) 5.0+ installed you can use the following script:

Get-SpeculationControlSettings.ps1

# Install and run the PowerShell module to validate the protections are enabled

# Save the current execution policy so it can be reset
$SaveExecutionPolicy = Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned -Scope Currentuser

Install-Module SpeculationControl
Import-Module SpeculationControl
Get-SpeculationControlSettings

# Reset the execution policy to the original state
Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser


If you are using an older version of Windows Management Framework (WMF) please do the following instead:

  1. Install the PowerShell module from TechNet ScriptCenter:
  2. Go to https://aka.ms/SpeculationControlPS
  3. Download SpeculationControl.zip to a local folder.
  4. Extract the contents to a local folder, for example C:\ADV180002
  5. Run the PowerShell module to verify that protections are enabled:
    Start PowerShell, then (by using the previous example) copy and run the following commands:
    PS> # Save the current execution policy so it can be reset
    PS> $SaveExecutionPolicy = Get-ExecutionPolicy
    PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser
    PS> CD C:\ADV180002\SpeculationControl
    PS> Import-Module .\SpeculationControl.psd1
    PS> Get-SpeculationControlSettings
    PS> # Reset the execution policy to the original state
    PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser


What Registry Keys are important for an Intel or AMD Processor?

There are some very specific keys that are unique to each processor type. However, if you go through all the documentation you will find that there is one set of registry key values that can be used for both CPU manufacturers, and it will also enable "all" the mitigations possible.

Preparing the WMI Queries to Filter Intel, or AMD Processors

AMD Processors

SELECT * FROM Win32_Processor WHERE Manufacturer like "AuthenticAMD"

WMI Filter for AMD CPUs in GPMC.msc

Intel Processors

SELECT * FROM Win32_Processor WHERE Manufacturer like "GenuineIntel"

WMI Filter for Intel CPUs in GPMC.msc

What registry keys do you need to push to each Processor type?

There are 2 registry values that need to be altered, both under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
"FeatureSettingsOverride" and "FeatureSettingsOverrideMask" DWORD values

Pushing the Registry Keys via GPO

Create the Group Policies to push the registry keys. Ideally you should create 2 or 3 Group Policies depending on whether you want to target specific processor types, or optionally whether Hyper-Threading is enabled or disabled on your Intel processors.
If you are pushing 1 GPO to cover all your machines, please be aware that this could potentially cause unwanted behaviour or severe degradation in service, in which case you will need to revert the changes.

General settings in registry keys GPO
Common settings in registry keys GPO
Resulting GPO settings in GPMC for the registry keys GPO

Intel (Hyper-Threading On) and AMD CPUs

FeatureSettingsOverride Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • Value name: FeatureSettingsOverride
  • Value type: REG_DWORD
  • Value data: 72 (decimal) or 0x48 (hex)

FeatureSettingsOverrideMask Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • Value name: FeatureSettingsOverrideMask
  • Value type: REG_DWORD
  • Value data: 3 (decimal) or 0x03 (hex)

Adding the settings to test manually

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f


Intel CPU with Hyper-Threading Off

FeatureSettingsOverride Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • Value name: FeatureSettingsOverride
  • Value type: REG_DWORD
  • Value data: 8264 (decimal) or 0x2048 (hex)

FeatureSettingsOverrideMask Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • Value name: FeatureSettingsOverrideMask
  • Value type: REG_DWORD
  • Value data: 3 (decimal) or 0x03 (hex)

Adding the settings to test manually

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Hyper-V Server

FeatureSettingsOverride Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • Value name: FeatureSettingsOverride
  • Value type: REG_DWORD
  • Value data: 0 (decimal) or 0x0 (hex)

FeatureSettingsOverrideMask Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • Value name: FeatureSettingsOverrideMask
  • Value type: REG_DWORD
  • Value data: 3 (decimal) or 0x03 (hex)

MinVmVersionForCpuBasedMitigations Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
  • Value name: MinVmVersionForCpuBasedMitigations
  • Value type: REG_SZ
  • Value data: 1.0

Adding the settings to test manually

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

If this is a Hyper-V host and the firmware updates have been applied: Fully shut down all the guest Virtual Machines. This enables the firmware-related mitigation to be applied on the host before the VMs are started. Therefore, the VMs are also updated when they’re restarted.

Disabling the Side-Channel Attack Mitigations

If you see that the side-channel mitigations have affected the performance of your servers too severely, or you are seeing strange behaviour – you can either delete the regkeys that were added, or alternatively push a new value to "FeatureSettingsOverride" which will undo the fix.

FeatureSettingsOverride Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • Value name: FeatureSettingsOverride
  • Value type: REG_DWORD
  • Value data: 3 (decimal) or 0x03 (hex)

FeatureSettingsOverrideMask Registry Key

  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  • Value name: FeatureSettingsOverrideMask
  • Value type: REG_DWORD
  • Value data: 3 (decimal) or 0x03 (hex)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Restart the computer for the changes to take effect.

Verifying that your changes are applied correctly

To verify the Group Policy has successfully been pushed, you can confirm by checking the following regkey path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management for the values of “FeatureSettingsOverride” and “FeatureSettingsOverrideMask”.

Registry keys after the GPO is pushed in regedit

To quickly retrieve these from PowerShell use the following command:
PS C:\WINDOWS\system32> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" | select FeatureSettingsOverride, FeatureSettingsOverrideMask

Output of the Powershell query for the registry keys
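To tie the Hyper-Threading check and the value tables together, here is an added PowerShell example (my own, not from the original post) that works out which FeatureSettingsOverride/FeatureSettingsOverrideMask pair this machine should have according to the tables above and compares it with what is actually in the registry. The function names are mine; a Hyper-V host cannot be told apart from the tables alone, so it is selected with the assumed -HyperVHost switch.

```powershell
# Added example: expected vs. actual side-channel mitigation registry values.
function Get-ExpectedSideChannelSettings {
    param([switch]$HyperVHost)
    # First socket only; all sockets in one box are assumed to be identical.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    # Same test as in the post: more logical processors than cores means HT is on.
    $htEnabled = $cpu.NumberOfLogicalProcessors -gt $cpu.NumberOfCores
    $vendor = $cpu.Manufacturer   # "GenuineIntel" / "AuthenticAMD", as in the WMI filters
    if ($HyperVHost) {
        $override = 0             # Hyper-V host row from the post
    } elseif ($vendor -eq 'GenuineIntel' -and -not $htEnabled) {
        $override = 8264          # Intel with HT off: 0x2048
    } elseif ($vendor -eq 'GenuineIntel' -or $vendor -eq 'AuthenticAMD') {
        $override = 72            # Intel with HT on, or AMD: 0x48
    } else {
        throw "Unsupported CPU vendor '$vendor'; no value given for it in this guide"
    }
    [pscustomobject]@{
        Vendor                      = $vendor
        HyperThreading              = $htEnabled
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = 3   # the same mask in every row of the tables
    }
}

function Test-SideChannelSettings {
    param([switch]$HyperVHost)
    $expected = Get-ExpectedSideChannelSettings -HyperVHost:$HyperVHost
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    # A value the GPO has not pushed yet simply reads back as $null.
    $actual = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($name in 'FeatureSettingsOverride', 'FeatureSettingsOverrideMask') {
        $have = $actual.$name
        $shown = if ($null -eq $have) { '<missing>' } else { $have }
        [pscustomobject]@{
            Value    = $name
            Expected = $expected.$name
            Actual   = $shown
            Match    = ($have -eq $expected.$name)
        }
    }
}

# Run on a client: every row should show Match = True once the GPO has applied
# and the machine has been rebooted; use -HyperVHost on a Hyper-V host.
Test-SideChannelSettings | Format-Table -AutoSize
```

A Match of False with Actual = <missing> usually means the GPO has not applied yet (check gpresult or wait for replication), whereas a different number means another GPO or a manual reg add is setting the value.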

To verify that the actual settings have taken effect and are protecting the client, you will have to rerun the side-channel PowerShell script above and confirm the settings are applied correctly for your CPU type. To understand the output of the script please refer to the link in the script itself.

PS C:\Windows\system32> C:\Scripts\SideChannel.ps1
For more information about the output below, please refer to https://support.microsoft.com/help/4074629

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID performance optimization is enabled: True [not required for security]

Speculation control settings for CVE-2018-3639 [speculative store bypass]

Hardware is vulnerable to speculative store bypass: True
Hardware support for speculative store bypass disable is present: False
Windows OS support for speculative store bypass disable is present: True
Windows OS support for speculative store bypass disable is enabled system-wide: False

Speculation control settings for CVE-2018-3620 [L1 terminal fault]

Hardware is vulnerable to L1 terminal fault: True
Windows OS support for L1 terminal fault mitigation is present: True
Windows OS support for L1 terminal fault mitigation is enabled: True

Speculation control settings for MDS [microarchitectural data sampling]

Windows OS support for MDS mitigation is present: True
Hardware is vulnerable to MDS: True
Windows OS support for MDS mitigation is enabled: True

How to revert the settings?

Remove the registry keys manually, or alternatively just unlink the GPO to the OU where the client is and verify that the registry keys do not exist and reboot the system. The GPO will not tattoo the registry keys if you put the registry keys in replace mode and select “Remove this item when it no longer applies” under the common tab for the registry key.

If the registry keys are still present you will need to ensure that the GPO is not still being applied by checking your group policy results and unlinking any GPOs that may persist, or alternatively it may just be that replication needs to take place to your logonserver DC.

Alternatively there are steps provided in the resources below which still keep the registry keys intact but just revert the mitigation settings.

Resources:

https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013

https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell