Managing Windows Speculation Control Protections with PowerShell DSC

As part of their response to the Speculative Execution vulnerabilities, Spectre and Meltdown, Microsoft released updates for all supported systems. Microsoft made the decision to not enable these protections in Windows Server by default. It's up to you as the administrator to enable the protections.

Microsoft’s used the reg command to make the registry changes. This tool is great on a single machine, but it doesn’t scale. You need to use a configuration management tool like PowerShell DSC to make the changes at scale.

These changes could be made using the registry DSC resource, but I wanted a more simplified configuration using a custom DSC resource. I looked, and couldn’t find a resource, so I created cSpeculationControlFixes.

Managing the Protections

With the cSpeculationControlFix resource, administrators can enable or disable the protections. You'll need to restart the system for the changes to take effect, cSpeculationControlFix will notify the LCM if a reboot is required.

Configuration EnableSpeculationControl
{
    Import-DscResource -Module cSpeculationControlFixes
    cSpeculationControlFix enableSpeculationControlFix
    {
        Status = 'Enabled'
    }
}

Spectre Variant 2

Microsoft now provides a mechanism for enabling and disabling the Spectre Variant 2 protections separately from the other protections. With the cSpectreVariant2 resource, an administrator can enable or disable just the Spectre Variant 2 protections. For this resource to work, you need to have the updates described in this knowledge base article. Once again, cSpectreVariant2 will notify the LCM if a reboot is required.

Configuration EnableSpectreVariant2
{
    Import-DscResource -Module cSpeculationControlFixes
    cSpectreVariant2 enableSpectreVariant2Fix
    {
        Status = 'Enabled'
    }
}

Configuration DisableSpectreVariant2
{
    Import-DscResource -Module cSpeculationControlFixes
    cSpectreVariant2 enableSpectreVariant2Fix
    {
        Status = 'Disabled'
    }
}

Anti-Virus Compatibility Flag

A massive issue with these updates is that Windows Update won't offer to install these updates unless your anti-virus product as created the appropriate compatibility flag. This issue is, what about those computers, mainly servers, that don’t have an anti-virus product installed? The truth is, these update, nor any further security updates will be available.

To combat this, the cSpeculationControlAVCompatibility resource allows and administrator to enable this flag on systems that don’t have an anti-virus installed.

Configuration EnablecSpeculationControlAVCompatibility
{
    Import-DscResource -Module cSpeculationControlFixes

    cSpeculationControlAVCompatibility enablecSpeculationControlAVCompatibility
    {
        Status = 'Enabled'
    }
}

Getting the Module

The easiest way to get cSpeculationControlFixes is using the PowerShell Gallery, or from GitHub.

Installing the module from the gallery is as easy as:

PS> Install-Module -Name cSpeculationControlFixes

If you discover any issues, please report then via GitHub Issues.

Kieran Jacobsen