Windows client guidance for IT Pros to protect against speculative

Page 2 of 3

  2. Cliff S
    Posts : 24,964
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu
       #11

  3. Polo6RGTI
    Posts : 690
    Windows 10 Pro WS x64 18362.207
       #12

    Cliff S said:
    Nice one Polo
    Thanks Cliff

  4. Cliff S
    Posts : 24,964
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu
       #13

    Polo6RGTI said:
    Thanks Cliff
    You're welcome.
    I've been listening to a lot of Die Antwoord this week and the meme I made came to mind right off.
    (I can't get enough of Yolandi's voice, it's so sweet)


  5. Posts : 4
    Windows 10 1809
       #14

    So I applied the "big one" with all the mitigations including disabling HT and I have to say, I hardly notice a performance difference with HT disabled. But what I do notice is that lower priority processes don't eat into the responsiveness of my laptop any more, which is just a 2-core CPU. With HT, priorities didn't matter since Windows would just put a low prio thread running on the other logical CPU pertaining to the physical core and cause contention. I'll be leaving HT off.

  6. Steve C
       #15

    I'm uncertain what to do here. I thought I had enabled most of these security options. Under the registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, I have the following settings for an Intel CPU:

    FeatureSettingsOverride = 400 hex
    FeatureSettingsOverrideMask = 400 hex

    My security report is below. Is there anything to fix?

    Speculation control settings for CVE-2017-5715 [branch target injection]

    Hardware support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is present: True
    Windows OS support for branch target injection mitigation is enabled: True

    Speculation control settings for CVE-2017-5754 [rogue data cache load]

    Hardware requires kernel VA shadowing: True
    Windows OS support for kernel VA shadow is present: True
    Windows OS support for kernel VA shadow is enabled: True
    Windows OS support for PCID performance optimization is enabled: False [not required for security]

    Speculation control settings for CVE-2018-3639 [speculative store bypass]

    Hardware is vulnerable to speculative store bypass: True
    Hardware support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is present: True
    Windows OS support for speculative store bypass disable is enabled system-wide: False

    Speculation control settings for CVE-2018-3620 [L1 terminal fault]

    Hardware is vulnerable to L1 terminal fault: True
    Windows OS support for L1 terminal fault mitigation is present: True
    Windows OS support for L1 terminal fault mitigation is enabled: True

    Speculation control settings for MDS [microarchitectural data sampling]

    Windows OS support for MDS mitigation is present: True
    Hardware is vulnerable to MDS: True
    Windows OS support for MDS mitigation is enabled: False

    Suggested actions
    * Follow the guidance for enabling Windows Client support for speculation control mitigations described in https://support.microsoft.com/help/4073119

    BTIHardwarePresent : True
    BTIWindowsSupportPresent : True
    BTIWindowsSupportEnabled : True
    BTIDisabledBySystemPolicy : False
    BTIDisabledByNoHardwareSupport : False
    BTIKernelRetpolineEnabled : True
    BTIKernelImportOptimizationEnabled : True
    KVAShadowRequired : True
    KVAShadowWindowsSupportPresent : True
    KVAShadowWindowsSupportEnabled : True
    KVAShadowPcidEnabled : False
    SSBDWindowsSupportPresent : True
    SSBDHardwareVulnerable : True
    SSBDHardwarePresent : True
    SSBDWindowsSupportEnabledSystemWide : False
    L1TFHardwareVulnerable : True
    L1TFWindowsSupportPresent : True
    L1TFWindowsSupportEnabled : True
    L1TFInvalidPteBit : 45
    L1DFlushSupported : True
    MDSWindowsSupportPresent : True
    MDSHardwareVulnerable : True
    MDSWindowsSupportEnabled : False

  7. Ground Sloth
       #16

    Steve C said:
    I'm uncertain what to do here. I thought I had enabled most of these security options. Under the registry key Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, I have the following settings for an Intel CPU:

    FeatureSettingsOverride = 400 hex
    FeatureSettingsOverrideMask = 400 hex

    My security report is below. Is there anything to fix?

    It looks normal.

    MDS mitigation requires a new microcode update from Intel, which Microsoft is currently only providing for Windows 10 v1903 and Enterprise users of some older versions of Windows 10.

    System-wide mitigation against speculative store bypass (SSB) is disabled by default on most computers.

    And I think PCID performance optimization is only for Haswell and newer processors.
    Last edited by Ground Sloth; 27 May 2019 at 09:52.
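
An added example (not from the thread and not part of Microsoft's SpeculationControl module) that turns the kind of report Steve C posted into a short gap list. Get-MitigationGaps takes the object Get-SpeculationControlSettings returns and, using the property names visible in the #15 report, reports each issue as mitigated, not affected, or a gap (OS support present but not enabled, or OS support missing). The function and variable names are mine; the sample object is constructed from the values in #15, and on those values it flags exactly the two items Ground Sloth explains: speculative store bypass system-wide and MDS.

```powershell
# Added example, not from the thread or from the SpeculationControl module.
# Triages the object returned by Get-SpeculationControlSettings using the property
# names shown in the #15 report. Names of functions and variables are mine.

# One entry per issue: the report property saying the hardware is affected, the one
# saying OS support is present, and the one saying it is enabled. BTI has no
# "vulnerable" property in the report, so it is treated as affected whenever OS
# support is present (Vulnerable = $null).
$Checks = @(
    @{ Name = 'Branch target injection (CVE-2017-5715)';  Vulnerable = $null;                   Present = 'BTIWindowsSupportPresent';       Enabled = 'BTIWindowsSupportEnabled' }
    @{ Name = 'Kernel VA shadow (CVE-2017-5754)';         Vulnerable = 'KVAShadowRequired';      Present = 'KVAShadowWindowsSupportPresent'; Enabled = 'KVAShadowWindowsSupportEnabled' }
    @{ Name = 'Speculative store bypass (CVE-2018-3639)'; Vulnerable = 'SSBDHardwareVulnerable'; Present = 'SSBDWindowsSupportPresent';      Enabled = 'SSBDWindowsSupportEnabledSystemWide' }
    @{ Name = 'L1 terminal fault (CVE-2018-3620)';        Vulnerable = 'L1TFHardwareVulnerable'; Present = 'L1TFWindowsSupportPresent';      Enabled = 'L1TFWindowsSupportEnabled' }
    @{ Name = 'Microarchitectural data sampling (MDS)';   Vulnerable = 'MDSHardwareVulnerable';  Present = 'MDSWindowsSupportPresent';       Enabled = 'MDSWindowsSupportEnabled' }
)

function Get-MitigationGaps {
    param([Parameter(Mandatory)] $Report)
    foreach ($c in $Checks) {
        # Dynamic property access: $Report.('PropertyName')
        $vulnerable = if ($c.Vulnerable) { [bool]$Report.($c.Vulnerable) } else { $true }
        $present    = [bool]$Report.($c.Present)
        $enabled    = [bool]$Report.($c.Enabled)
        $status = if (-not $vulnerable) { 'not affected' }
                  elseif ($enabled)     { 'mitigated' }
                  elseif ($present)     { 'GAP: OS support present but not enabled' }
                  else                  { 'GAP: OS support missing (Windows or microcode update needed)' }
        [pscustomobject]@{
            Mitigation = $c.Name
            Vulnerable = $vulnerable
            Present    = $present
            Enabled    = $enabled
            Status     = $status
        }
    }
}

# Offline demonstration: a constructed object carrying the values Steve C posted in #15.
$SampleReport = [pscustomobject]@{
    BTIWindowsSupportPresent = $true;  BTIWindowsSupportEnabled = $true
    KVAShadowRequired = $true;         KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $true
    SSBDHardwareVulnerable = $true;    SSBDWindowsSupportPresent = $true;      SSBDWindowsSupportEnabledSystemWide = $false
    L1TFHardwareVulnerable = $true;    L1TFWindowsSupportPresent = $true;      L1TFWindowsSupportEnabled = $true
    MDSHardwareVulnerable = $true;     MDSWindowsSupportPresent = $true;       MDSWindowsSupportEnabled = $false
}
Get-MitigationGaps -Report $SampleReport | Format-Table -AutoSize

# Live machine (module from the PowerShell Gallery; -Quiet returns the object without the text report):
#   Install-Module SpeculationControl
#   Get-MitigationGaps -Report (Get-SpeculationControlSettings -Quiet) | Format-Table -AutoSize
```

The two GAP rows on the sample are the ones to read against the reply above: for SSBD the OS support is there but the system-wide setting is simply not on by default, and for MDS the enabled flag stays False until the microcode update reaches the machine.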
  8. QMNXUK
    Posts : 4
    Windows 10 1809
       #17

    Just out of curiosity, has anyone found a source that says which features each of the "Features Settings" bits represents?

  9. Rebit
       #18

    QMNXUK said:
    Just out of curiosity, has anyone found a source that says which features each of the "Features Settings" bits represents?
    ; FeatureSettingsOverride values:
    ; 400+ = Retpoline enabled (Intel only; Broadwell and earlier) + bitwise OR with values 8 and lower
    ; 72 = Enable All (Speculative Store Bypass together with Spectre Variant 2)(AMD)
    ; 64 = Enable Spectre Variant 2 (AMD)
    ; 8 = Enable All (Speculative Store Bypass together with Spectre Variant 2 and Meltdown)
    ; 3 = Disable both Spectre Variant 2 and Meltdown
    ; 2 = Disable Meltdown (Kernel VA Shadow)
    ; 1 = Disable Spectre Variant 2 (Branch Target Injection)
    ; 0 = Enable Spectre Variant 2 and Meltdown
    ;
    ; FeatureSettingsOverrideMask value is always 3 (unless Retpoline enabled then is 400)

  10.    #19

    Rebit said:
    ; FeatureSettingsOverride values:
    ; 400+ = Retpoline enabled (Intel only; Broadwell and earlier) + bitwise OR with values 8 and lower
    ; 72 = Enable All (Speculative Store Bypass together with Spectre Variant 2)(AMD)
    ; 64 = Enable Spectre Variant 2 (AMD)
    ; 8 = Enable All (Speculative Store Bypass together with Spectre Variant 2 and Meltdown)
    ; 3 = Disable both Spectre Variant 2 and Meltdown
    ; 2 = Disable Meltdown (Kernel VA Shadow)
    ; 1 = Disable Spectre Variant 2 (Branch Target Injection)
    ; 0 = Enable Spectre Variant 2 and Meltdown
    ;
    ; FeatureSettingsOverrideMask value is always 3 (unless Retpoline enabled then is 400)
    Just to be clear - what is the option to enable Retpoline plus all the others for an Intel CPU?
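An added example (not from the thread or from Microsoft) that decodes a FeatureSettingsOverride / FeatureSettingsOverrideMask pair with the bit meanings Rebit posted in #18, so a candidate pair can be checked bit by bit before it is written to the registry. The function and variable names are mine. One assumption is mine and not stated on this page: my reading of the enable/disable pairs in KB4073119 is that a bit in Override only takes effect when the same bit is set in Mask, and bits the Mask does not cover stay at the OS default whatever Override contains. Run on Steve C's values (0x400 / 0x400) it shows only the Retpoline bit in effect, which is consistent with his report showing Retpoline enabled next to SSBD not enabled system-wide.

```powershell
# Added example, not from the thread or from Microsoft. Decodes Override/Mask using
# the bit table from Rebit's post (#18). Function and variable names are mine.
# Assumption (mine, from the enable/disable pairs in KB4073119): an Override bit
# takes effect only when the same bit is set in Mask.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Bit table from Rebit's post. The values 3 (= 1 -bor 2) and 72 (= 64 -bor 8) in that
# post are combinations of these bits, not separate flags. A plain hashtable is used on
# purpose: indexing an [ordered] dictionary with an integer selects by position, not key.
$FeatureBits = @{
    0x001 = 'Disable Spectre Variant 2 (branch target injection) mitigation'
    0x002 = 'Disable Meltdown (kernel VA shadow) mitigation'
    0x008 = 'Enable all: speculative store bypass disable with Variant 2 and Meltdown'
    0x040 = 'Enable Spectre Variant 2 mitigation (AMD)'
    0x400 = 'Enable Retpoline (Intel only; Broadwell and earlier)'
}

function Get-FeatureSettingsOverride {
    # Reads the live values; a missing value is reported as 0 (no override configured).
    # Reading this key does not need an elevated shell.
    $item = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    $o = if ($null -ne $item.FeatureSettingsOverride)     { [int]$item.FeatureSettingsOverride }     else { 0 }
    $m = if ($null -ne $item.FeatureSettingsOverrideMask) { [int]$item.FeatureSettingsOverrideMask } else { 0 }
    [pscustomobject]@{ Override = $o; Mask = $m }
}

function ConvertFrom-FeatureSettings {
    param([Parameter(Mandatory)][int]$Override, [Parameter(Mandatory)][int]$Mask)
    # Warn about Override bits the posted table does not describe.
    $known = 0
    foreach ($k in $FeatureBits.Keys) { $known = $known -bor $k }
    $extra = $Override -band (-bnot $known)
    if ($extra -ne 0) { Write-Warning ('Override contains bits not in the table: 0x{0:X}' -f $extra) }
    foreach ($bit in ($FeatureBits.Keys | Sort-Object)) {
        $inOverride = ($Override -band $bit) -ne 0
        $inMask     = ($Mask     -band $bit) -ne 0
        $effect = if (-not $inMask)    { 'OS default (bit not covered by Mask)' }
                  elseif ($inOverride) { 'applied' }
                  else                 { 'forced to 0 (flag cleared)' }
        [pscustomobject]@{
            Bit        = ('0x{0:X3}' -f $bit)
            Meaning    = $FeatureBits[$bit]
            InOverride = $inOverride
            InMask     = $inMask
            Effect     = $effect
        }
    }
}

# Steve C's values from #15: only the Retpoline bit is covered by the Mask, so bits
# 0x001, 0x002 and 0x008 stay at the OS default.
ConvertFrom-FeatureSettings -Override 0x400 -Mask 0x400 | Format-Table -AutoSize

# The live values on the machine the script runs on.
$live = Get-FeatureSettingsOverride
ConvertFrom-FeatureSettings -Override $live.Override -Mask $live.Mask | Format-Table -AutoSize
```

The decoder does not decide the question in #19; it shows, for any Override/Mask pair you feed it, which bits the OS would honour and which it would ignore, which is the check worth doing before editing the key.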


 