Speculation Control Validation PowerShell Script

This is described in the blog topic: "Windows Server guidance to protect against the speculative execution side-channel vulnerabilities."

Security
9/5/2018
  • Server mitigation
    2 Posts | Last post January 08, 2018
    • As per https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution, you need to set some registry values after installing the relevant Update KB. An example method of setting the registry values using PowerShell is below:
      
      # Only applies to Windows Server; client SKUs get the mitigations enabled by the update itself
      If ((Get-CimInstance -ClassName Win32_OperatingSystem).Caption -like '*Server*') {
          # Override = 0 with Mask = 3 is the "enable mitigations" configuration from the KB linked above
          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -Name 'FeatureSettingsOverride' -PropertyType DWORD -Value 0 -Force
          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -Name 'FeatureSettingsOverrideMask' -PropertyType DWORD -Value 3 -Force
          # Hyper-V hosts only: the Virtualization key exists there, and this value lets VMs use the CPU-based mitigations
          If (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization') { New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization' -Name 'MinVmVersionForCpuBasedMitigations' -PropertyType STRING -Value '1.0' -Force }
          # The values are read at boot, so nothing changes until the machine is restarted
          Write-Host "Restart to apply changes..." -ForegroundColor Cyan
      }
      
    • BUT remember to validate that your antivirus is certified for the new patches.
      
      Otherwise, you are going to see a nasty BSOD (Blue Screen of Death).
      
      See 
      
      https://answers.microsoft.com/en-us/windows/forum/windows_10-security/meltdown-and-spectre-vulnerabilities-intel-chip/ead3f25e-6c55-4359-9cd9-5be87cbe7b4f?tm=1515435354266
      
  • This covers 2 out of 3 CVEs. What about the third?
    1 Posts | Last post January 08, 2018
    • The ADV180002 advisory includes 3 vulnerabilities:
      CVE-2017-5753 - Bounds check bypass
      CVE-2017-5715 - Branch target injection
      CVE-2017-5754 - Rogue data cache load
      
      CVE-2017-5715 and CVE-2017-5754 are checked with this script, but what happens with CVE-2017-5753?
      
      Still in process?
  • EXE version of this script
    8 Posts | Last post January 08, 2018
    • I converted the module to a standard ps1 script then to an EXE using PS2EXE. Nothing fancy, but hopefully it helps people as it's simpler to run. Compiled with the -runtime20 option.
      
      https://1drv.ms/u/s!AvUMCaElfVkvmmz0hK1SRwHTLG21
      
    • New version including the multiple CPU fix
      
      https://1drv.ms/u/s!AvUMCaElfVkvmm8zssuJ8CijHw__
      
      
    • And a zipped version of the same script (usually easier to download)
      
      https://1drv.ms/u/s!AvUMCaElfVkvmnIkcJbDb8_kbBnO
    • Dear Andy, 
      
      Many thanks for the executable version - this is helpful for infrastructures that have older PS versions installed, where it is hard to update the WMF only to run this check.
      
    • Andy, thanks a bunch!
    • Thank you, I appreciate it!
    • Dear Andy, 
      
      Can you share the standard ps1 script file converted by you? I am not very familiar with the PowerShell syntax. I'd very much appreciate it!
    • Hi _N0S, happy to help in a small way.
      
      This is a link to three versions of the EXE version of the script, compiled respectively for .NET versions 2.0, 3.0/.5 and 4.0/.5. It also contains the .ps1 script.
      
      https://1drv.ms/u/s!AvUMCaElfVkvmnQxwvdEfX7iKusg
      
      Folks having trouble with the module and PS 2.0 - you might find an EXE works for you.
      
      I'm not saying this is a better option than using modules, it's just an alternative approach and slightly more portable. You still need PS and .NET as-per PS2EXE documentation as it's more of a wrapper than a true standalone EXE.
  • Zero byte
    1 Posts | Last post January 08, 2018
    • I too am getting the zero byte file. Could you please update when resolution is found?
  • Downloads a 0 byte zip
    2 Posts | Last post January 08, 2018
    • I tried two different ip sources and both resulted in a 0 byte zip file being downloaded.
    • I tried both Chrome and IE 11 and I still get the 0 byte file...
  • where is detailed explanation of the script output
    2 Posts | Last post January 08, 2018
    • Where can we find a detailed explanation of the script output?
      
      For example, what does "Hardware support for branch target injection mitigation is present" actually mean?
      
      
    • Hi, have a look here for more details on each of the CVEs and which variants they correspond to: https://www.kb.cert.org/vuls/id/584653
  • How to Run this on a List of machines and export results
    3 Posts | Last post January 08, 2018
    • Thanks for the base script, it works great on a localhost and I have managed to run on a remote machine:
      
      Import-Module .\SpeculationControl.psm1
      $computers = Get-Content -Path "C:\Temp\SpeculationControl\Computers.txt"
      
      # ${function:...} hands the function body to Invoke-Command as its (positional) -ScriptBlock parameter,
      # so the remote hosts do not need the module installed; each returned object carries PSComputerName
      Invoke-Command -ComputerName $computers ${function:Get-SpeculationControlSettings} | Export-Csv .\Results.csv
      
      The results in Results.csv only bring back one machine's results. This machine is not at the top or bottom of the Computers.txt, but in the middle. 
      
      Powershell in ISE Console will show results:
      
      Speculation control settings for CVE-2017-5715 [branch target injection]
      
      Hardware support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is enabled: False
      
      Speculation control settings for CVE-2017-5754 [rogue data cache load]
      
      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: False
      Windows OS support for kernel VA shadow is enabled: False
      
      etc
      
      Any help on this to collect the above and put it into one CSV would be greatly appreciated, as we have some 700 servers in our fleet and running on each will be very time consuming.
      
      Cheers
      
    • This article should help you with remote execution and collecting results to CSV
      
      https://blogs.technet.microsoft.com/ralphkyttle/2018/01/05/verifying-spectre-meltdown-protections-remotely/
    • Mr Duke - I turned the Get-SpeculationControlSettings function into a scriptblock, commenting out the Write-Host lines and calling itself at the end. Then process it with the following...
      
      # $scriptblock is assumed to already hold the converted function body described above (defined before this snippet runs)
      $cred = Get-Credential "admin@domain.com" #Edit as required
      $results = @()
      $computers = Get-ADComputer -Filter {Enabled -eq $True} -Properties OperatingSystem | Where-Object OperatingSystem -like "*server*" | Select Name #Edit Where filter or alternatively use Get-Content to read txt file
      [int]$current = 1
      [int]$total = $computers.count
      $computers | ForEach {
          Write-Host "[$current/$total]"$_.Name -ForegroundColor Cyan
          # Skip hosts that do not answer a single ping rather than waiting on the WinRM timeout
          If (Test-Connection $_.Name -Count 1 -Quiet) {
              # Invoke-Command adds PSComputerName to each result, so the CSV rows stay attributable to a host
              $results += Invoke-Command -ComputerName $_.Name -ScriptBlock $scriptblock -Credential $cred
          }
          Else {
              Write-Host "Error connecting to"$_.Name -ForegroundColor Red
          }
          $current++
      }
      # HH is the 24-hour clock; hh (12-hour) would give two runs a day the same file name
      $timestamp = (Get-Date -Format ddMMyyyy_HHmmss)
      $results | Export-Csv .\SpeculationControlSettings_$timestamp.csv -NoTypeInformation
      
      Doesn't have extensive error handling and could be prettier, but it works satisfactorily for me. Hope it helps...
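Both posts above fan the check out with Invoke-Command; the script below is an added example (not code from this thread or from the SpeculationControl module) that does the same for a host list without a per-host loop, lets Invoke-Command run the hosts in parallel, keeps every row in one CSV, and writes the unreachable hosts to a separate file. It assumes SpeculationControl.psm1 is in the current directory; the two property names used in the summary (BTIWindowsSupportEnabled, KVAShadowWindowsSupportEnabled) are taken from the module's output object rather than from this page, so treat them as an assumption. The function name is my own.

```powershell
# Added example, not from the thread or the module. Runs Get-SpeculationControlSettings
# on a list of hosts, writes all results to one CSV (PSComputerName identifies the host)
# and logs hosts that could not be reached.
Import-Module .\SpeculationControl.psm1

function Get-FleetSpeculationControl {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential,
        [int]$ThrottleLimit = 32,
        [string]$OutputPath = ".\SpeculationControl_$(Get-Date -Format yyyyMMdd_HHmmss).csv"
    )

    # ${function:...} ships the function body to each host, so the module does not
    # have to be installed remotely. Connection failures are collected in $remoteErrors
    # instead of aborting the run.
    $params = @{
        ComputerName  = $ComputerName
        ScriptBlock   = ${function:Get-SpeculationControlSettings}
        ThrottleLimit = $ThrottleLimit
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'remoteErrors'
    }
    if ($Credential) { $params['Credential'] = $Credential }

    $results = @(Invoke-Command @params)

    # Drop the remoting bookkeeping column but keep PSComputerName for attribution
    $results | Select-Object * -ExcludeProperty RunspaceId |
        Export-Csv -Path $OutputPath -NoTypeInformation

    # For WinRM connection errors the error record's TargetObject is the host name
    $unreachable = @($remoteErrors | ForEach-Object { "$($_.TargetObject)" } | Sort-Object -Unique)
    if ($unreachable.Count -gt 0) {
        $unreachable | Set-Content -Path ($OutputPath -replace '\.csv$', '_unreachable.txt')
    }

    # Summary; the two property names below are assumed from the module's output object.
    # If they differ, the CSV still holds every column the function returned.
    [PSCustomObject]@{
        Queried          = $ComputerName.Count
        Returned         = $results.Count
        Unreachable      = $unreachable.Count
        BTIEnabled       = @($results | Where-Object { $_.BTIWindowsSupportEnabled -eq $true }).Count
        KVAShadowEnabled = @($results | Where-Object { $_.KVAShadowWindowsSupportEnabled -eq $true }).Count
        Csv              = $OutputPath
    }
}

# Example run; the host list path is the one used in the thread, the credential is prompted for
$hosts = Get-Content -Path 'C:\Temp\SpeculationControl\Computers.txt'
Get-FleetSpeculationControl -ComputerName $hosts -Credential (Get-Credential) | Format-List
```

The function's own Write-Host lines still print locally as each host reports back, but they never reach $results, so the CSV stays clean without editing the module. Hosts missing from both the CSV and the unreachable list returned nothing at all (for example a function error on the remote side), which is worth following up on a fleet of 700.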
  • Says script is signed by an untrusted publisher
    1 Posts | Last post January 07, 2018
    • On Windows 10 1607 (build 14393), I get the following when I try to import-module .\SpeculationControl.psd1:
      
      File C:\dl\SpeculationControl\SpeculationControl.psm1 is published by CN=Microsoft Corporation, OU=MOPR, O=Microsoft
      Corporation, L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.
      [V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"):
      
      
      Why is Microsoft not a trusted publisher? How can I verify that this script is authentic?
      
      
      
  • Download failed, empty file
    2 Posts | Last post January 07, 2018
    • I tried downloading with Firefox and Chrome but both give empty files
      
      https://i.imgur.com/lcQUiGh.png
    • How weird, it did work when I tried that with dusty IE11 ???
      Could you fix this MS?
  • [bug] script fails if multiple CPUs are present
    1 Posts | Last post January 06, 2018
    • "Get-SpeculationControlSettings" fails if multiple CPUs are present on the system. Quick workaround: Change:
      line: 122
      from: $cpu = Get-WmiObject Win32_Processor
      to: $cpu = Get-WmiObject Win32_Processor | select -first 1