Managing Windows Speculation Control Protections with PowerShell DSC
As part of their response to the Speculative Execution vulnerabilities, Spectre and Meltdown, Microsoft released updates for all supported systems. Microsoft made the decision to not enable these protections in Windows Server by default. It's up to you as the administrator to enable the protections.
Microsoft's guidance uses the reg command to make the registry changes. This tool is great on a single machine, but it doesn't scale. You need to use a configuration management tool like PowerShell DSC to make the changes at scale.
These changes could be made using the registry DSC resource, but I wanted a simpler configuration using a custom DSC resource. I looked and couldn't find a resource, so I created cSpeculationControlFixes.
Managing the Protections
With the cSpeculationControlFix resource, administrators can enable or disable the protections. You'll need to restart the system for the changes to take effect; cSpeculationControlFix will notify the LCM if a reboot is required.
Configuration EnableSpeculationControl
{
    Import-DscResource -Module cSpeculationControlFixes

    cSpeculationControlFix enableSpeculationControlFix
    {
        Status = 'Enabled'
    }
}
Spectre Variant 2
Microsoft now provides a mechanism for enabling and disabling the Spectre Variant 2 protections separately from the other protections. With the cSpectreVariant2 resource, an administrator can enable or disable just the Spectre Variant 2 protections. For this resource to work, you need to have the updates described in this knowledge base article. Once again, cSpectreVariant2 will notify the LCM if a reboot is required.
Configuration EnableSpectreVariant2
{
    Import-DscResource -Module cSpeculationControlFixes

    cSpectreVariant2 enableSpectreVariant2Fix
    {
        Status = 'Enabled'
    }
}

Configuration DisableSpectreVariant2
{
    Import-DscResource -Module cSpeculationControlFixes

    cSpectreVariant2 disableSpectreVariant2Fix
    {
        Status = 'Disabled'
    }
}
Anti-Virus Compatibility Flag
A massive issue with these updates is that Windows Update won't offer to install them unless your anti-virus product has created the appropriate compatibility flag in the registry. The issue is: what about those computers, mainly servers, that don't have an anti-virus product installed? The truth is, neither this update nor any further security updates will be offered to them.
To combat this, the cSpeculationControlAVCompatibility resource allows an administrator to enable this flag on systems that don't have an anti-virus product installed.
Configuration EnablecSpeculationControlAVCompatibility
{
    Import-DscResource -Module cSpeculationControlFixes

    cSpeculationControlAVCompatibility enablecSpeculationControlAVCompatibility
    {
        Status = 'Enabled'
    }
}
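The three snippets above each enable one resource in isolation. The following is an added example, not code from the original post or from the cSpeculationControlFixes module, that pulls the three resources together into one configuration for a small group of servers, lets the LCM handle the reboot the resources request, and then checks the outcome. The node names, the NoAntiVirus flag in the configuration data and the output path are made up for the example; the resource names and the Status property are the ones the post describes, and Get-SpeculationControlSettings comes from Microsoft's separate SpeculationControl module, which must be installed on the target nodes for the last step.

```powershell
# Added example: one DSC configuration for a fleet, applied and verified.
# Assumed: node names, the NoAntiVirus flag and C:\DSC\SpeculationControl are placeholders.

# 1. The LCM will only reboot when a resource asks for it if RebootNodeIfNeeded is set.
[DSCLocalConfigurationManager()]
Configuration LcmAllowReboot
{
    Node $AllNodes.NodeName
    {
        Settings
        {
            RebootNodeIfNeeded = $true
        }
    }
}

# 2. Core protections and Spectre Variant 2 on every node; the AV compatibility
#    flag only on nodes the configuration data marks as having no anti-virus,
#    so an installed AV product's own compatibility check is never bypassed.
Configuration SpeculationControlBaseline
{
    Import-DscResource -Module cSpeculationControlFixes

    Node $AllNodes.NodeName
    {
        cSpeculationControlFix coreProtections
        {
            Status = 'Enabled'
        }

        cSpectreVariant2 variant2Protections
        {
            Status = 'Enabled'
        }

        if ($Node.NoAntiVirus)
        {
            cSpeculationControlAVCompatibility avCompatibility
            {
                Status = 'Enabled'
            }
        }
    }
}

# Constructed configuration data: which servers exist and which have no AV installed.
$configData = @{
    AllNodes = @(
        @{ NodeName = 'srv-app01';   NoAntiVirus = $false }
        @{ NodeName = 'srv-build02'; NoAntiVirus = $true  }
    )
}

$outputPath = 'C:\DSC\SpeculationControl'

# Compile both the meta-configuration and the configuration to MOF files.
LcmAllowReboot             -ConfigurationData $configData -OutputPath $outputPath
SpeculationControlBaseline -ConfigurationData $configData -OutputPath $outputPath

# Push the LCM settings first, then the configuration. -Wait -Verbose shows each
# resource's Test/Set and the "reboot required" notification as it happens.
Set-DscLocalConfigurationManager -Path $outputPath -Verbose
Start-DscConfiguration -Path $outputPath -Wait -Verbose -Force

# 3. After the nodes have rebooted, confirm DSC is in the desired state and that
#    Windows itself reports the mitigations as enabled.
$nodes = $configData.AllNodes.NodeName
Test-DscConfiguration -ComputerName $nodes -Detailed |
    Select-Object PSComputerName, InDesiredState, ResourcesNotInDesiredState

Invoke-Command -ComputerName $nodes -ScriptBlock {
    # From Microsoft's SpeculationControl module (Install-Module SpeculationControl).
    Get-SpeculationControlSettings
}
```

The NoAntiVirus flag is the point of the design: the post's warning is about machines with no anti-virus product at all, so the compatibility flag is driven by explicit inventory data rather than set everywhere. Test-DscConfiguration only tells you the registry values match; Get-SpeculationControlSettings is the check that the kernel actually picked them up after the reboot.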
Getting the Module
The easiest way to get cSpeculationControlFixes is from the PowerShell Gallery, or from GitHub.
Installing the module from the gallery is as easy as:
PS> Install-Module -Name cSpeculationControlFixes
If you discover any issues, please report them via GitHub Issues.
Kieran Jacobsen