Tag: ARM

Last updated by at .

Windows SpeculationControl PowerShell

Microsoft Guidance to protect against speculative execution side-channel vulnerabilities on Windows, Windows Server and Azure (Meltdown & Spectre)

Microsoft very quickly responded to the speculative execution side-channel vulnerabilities also called Meltdown and Spectre which affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft released some guidance how you should protect your devices against these vulnerabilities. The Microsoft Security Defense Team also published an article with guidance and more details on this: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

In this blog post I tried to quickly summarize the information and link it to the right websites.

Summary

Microsoft is aware of detailed information that has been published about a new class of vulnerabilities referred to as speculative execution side-channel attacks. This industry-wide attack method takes advantage of out-of-order execution on many modern microprocessors and is not restricted to a single chip, hardware manufacturer, or software vendor. To be fully protected, updates are required at many layers of the computing stack and include software and hardware/firmware updates. Microsoft has collaborated closely with industry partners to develop and test mitigations to help provide protections for our customers. At the time of publication, Microsoft had not received any information to indicate that these vulnerabilities have been used to attack our customers.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS.

Warning

Microsoft addressed protect against speculative execution side-channel vulnerabilities in the latest Windows Updates. However, customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer. Surface customers will receive a microcode update via Windows update.

Guidance for Windows Client

Customers should take the following actions to help protect against the vulnerabilities:

  1. Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  2. Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  3. Apply the applicable firmware update that is provided by the device manufacturer

Windows-based machines (physical or virtual) should install the Microsoft security updates that were released on January 3, 2018. See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.

Read full guidance for Windows Client here: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Guidance for Windows Server

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

Windows Servers-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update.

  • Windows Server, version 1709 (Server Core Installation) KB4056892
  • Windows Server 2016 KB4056890
  • Windows Server 2012 R2 KB4056898
  • Windows Server 2012 Not available yet
  • Windows Server 2008 R2 KB4056897

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources.

There for Microsoft posted some additional registry keys to mitigations on servers. Microsoft also added some extra registry keys if you are running older versions of Hyper-V.

Read the full guidance for Windows Server and the registry keys here: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Guidance for Virtual Machines running on Hyper-V

In addition to this guidance, the following steps are required to ensure that your virtual machines are protected from CVE-2017-5715 (branch target injection):

  1. Ensure guest virtual machines have access to the updated firmware. By default, virtual machines with a VM version below 8.0 will not have access to updated firmware capabilities required to mitigate CVE-2017-5715. Because VM version 8.0 is only available starting with Windows Server 2016, users of Windows Server 2012 R2 or earlier must modify a specific registry value on all machines in their cluster.
  2. Perform a cold boot of guest virtual machines.Virtual machines will not see the updated firmware capabilities until they go through a cold boot. This means the running VMs must completely power off before starting again. Rebooting from inside the guest operating system is not sufficient.
  3. Update the guest operating system as required. See guidance for Windows Server.

Read the full guidance for Guest Virtual Machines here: Protecting guest virtual machines from CVE-2017-5715 (branch target injection)

Guidance for Surface Devices

Microsoft will provide UEFI updates for the following devices:

  • Surface Pro 3
  • Surface Pro 4
  • Surface Book
  • Surface Studio
  • Surface Pro Model 1796
  • Surface Laptop
  • Surface Pro with LTE Advanced
  • Surface Book 2

The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center.

Read full guidance for Surface Devices here: Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability

Guidance for Azure

Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder.

However, I always recommend that you also patch your operating systems and applications to be protected against other vulnerabilities.

Impact to Enterprise Cloud Services

Microsoft is not aware of any attacks on the Microsoft Cloud customers which leverage these types of vulnerabilities. Microsoft employs a variety of detection capabilities to quickly respond to any malicious activity in our enterprise cloud services.

Most of the Azure infrastructure has already received mitigations against this class of vulnerability. An accelerated reboot is occurring for any remaining hosts. Customers can check the Azure Portal for additional details.

All other enterprise cloud services such as Office 365, Dynamics 365, and Enterprise Mobility + Security have mitigations against these types of vulnerabilities. Microsoft engineering is continuing to perform analysis across the environments to confirm further protection.

Read full guidance for Microsoft Azure here: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Guidance for Azure Stack

Azure Stack customers should take the following actions to help protect the Azure Stack infrastructure against the vulnerabilities:

  1. Apply Azure Stack 1712 update. See the Azure Stack 1712 update release notes for instructions about how to apply this update to your Azure Stack integrated system.
  2. Install firmware updates from your Azure Stack OEM vendor after the Azure Stack 1712 update installation is completed. Refer to your OEM vendor website to download and apply the updates.
  3. Some variations of these vulnerabilities apply also to the virtual machines (VMs) that are running in the tenant space. Customers should continue to apply security best practices for their VM images, and apply all available operating system updates to the VM images that are running on Azure Stack. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide.

Read full guidance for Microsoft Azure Stack here: Azure Stack guidance to protect against the speculative execution side-channel vulnerabilities

Guidance for SQL Server

The following versions of Microsoft SQL Server are impacted by this issue when running on x86 and x64 processor systems:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017

IA64-based versions of SQL Server 2008 are not believed to be affected.

Microsoft made a list of different SQL Server scenarios depending on the environment that SQL Server is running in and what functionality is being used. Microsoft recommends that you deploy fixes by using normal procedures to validate new binaries before deploying them to production environments.

You can finde the list for scenarios and recommendations here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

There is also a list of updates for SQL Server available:

 

  • 4057122 Description of the security update for SQL Server 2017 GDR: January 3, 2018
  • 4058562 Description of the security update for SQL Server 2017 CU3 RTM: January 3, 2018
  • 4058561 Description of the security update for SQL Server 2016 CU7 SP1: January 3, 2018
  • 4057118 Description of the security update for SQL Server 2016 GDR SP1: January 3, 2018
  • 4058559 Description of the security update for SQL Server 2016 CU: January 6, 2018
  • 4058560 Description of the security update for SQL Server 2016 GDR: January 6, 2018
  • 4057114 Description of the security update for SQL Server 2008 SP4 GDR: January 6, 2018
  • 4057113 Description of the security update for SQL Server 2008 SP3 R2 GDR: January 6, 2018

Read the full guidance for SQL Server here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

Verifying protections again speculative execution side-channel vulnerabilities

The Microsoft Security Response Center released a PowerShell Module on the PowerShell Gallery called SpeculationControl, which verifies if your system is protected or not.

You can find more here: Use PowerShell to verifying protections again peculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

 

More information on how to mitigate speculative execution side-channel vulnerabilities can be found here: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities



AzureStack Admin Portal

Microsoft Azure Stack – Azure Extension in your Datacenter

A couple of weeks ago, I had the chance to attend the Microsoft Azure Certified for Hybrid Cloud Airlift in Bellevue WA, which is close to the Microsoft campus in Redmond. I had the chance to spend the week there and talk with the Microsoft PG about different Azure Stack scenarios. Most of the discussions and presentations are under NDA, but there are a few things I can share, since they are publicly announced. I prepared this blog post already a couple of months ago, when I was talking to a lot of different customers about Azure Stack, and since then Microsoft also shared some new information about the release of Azure Stack Technical Preview 3.

The Azure Stack Announcement

Azure vs Azure Stack

Microsoft announced Azure Stack at Microsoft Ignite in May 2015. Back at this time Microsoft did only mention about the vision of Azure Stack and that Azure Stack will bring cloud consistency between the Microsoft Azure Public Cloud and your Private Cloud. But Microsoft did not really announce exactly what Azure Stack will be and how it will be implemented in your Datacenter.

During the Microsoft World Wide Partner Conference (WPC 2016), Microsoft announced more information about the availability of Azure Stack. For more information, you can read the Microsoft blog posts, but I tried to summarize the most important parts.

Building a true Hybrid Cloud and Consistency with Microsoft Azure

Azure Stack

This is probably the most important part about Azure Stack today. Microsoft Azure Stack will bring Azure consistency between the Microsoft Azure Public Cloud and your Private Cloud or your Hosters Service Provider Cloud using the Azure Resource Manager. So you will be able to not only operate an Azure-like environment, like you could with Windows Azure Pack and System Center, you now get real consistency between Azure and Azure Stack. You not only get the exact look and feel from the Microsoft Azure Public Cloud, you also can use the same Azure Resource Templates and deployment methods as you can in the Public Cloud. This allows customers to really operate in a Hybrid Cloud environment, between the Microsoft Public Cloud, their own Private Cloud and also local Service Provider Clouds.

Bring the agility and fast-paced innovation of cloud computing to your on-premises environment with Azure Stack. This extension of Azure allows you to modernize your applications across hybrid cloud environments, balancing flexibility and control. Plus, developers can build applications using a consistent set of Azure services and DevOps processes and tools, then collaborate with operations to deploy to the location that best meets your business, technical, and regulatory requirements. Pre-built solutions from the Azure Marketplace, including open source tools and technologies, allow developers to speed up new cloud application development.

The Integrated System Approach

Azure Stack Integrated System

(picture by Microsoft)

Microsoft announced that Azure Stack will be available as an appliance from different hardware vendors in Mid 2017. The confirmed hardware providers delivering Azure Stack Appliance at this point in time will be: Dell EMC, HPE and Lenovo and later in 2017 we will also see an appliance from Cisco, Huawei and Avanade.

The big difference here is that Microsoft delivers the Azure Stack platform first in an appliance way, which is really different from the way they delivered Windows Azure Pack. Windows Azure Pack was based on System Center and Windows Server and every customer could design his own environment based on their needs.

This was great, but also had some huge challenges for customers. Clouds needed different designs, this ended up in very complex design workshops where we basically discussed the customer solutions. The installation and configuration of a Windows Azure Pack platform was also very complex and a lot of work which needed a lot of resources, knowledge and of course a lot of project costs. Before customers could start saving money, they had to invest money to get things up and running. Of course, system integrators like itnetX and others, built automation to spin up clouds based on Windows Azure Pack, but still the investment needed to be done.

The use of an appliance approach not only helps to spin up clouds faster, but also build environments on tested hardware, firmware and drivers. Another point here which makes a great case for an appliance solution, are management and operations. Management and operation of a cloud-like environment is not easy, doesn’t matter what software you are using. Keeping the platform stable, maintained and operational will end up in a lot of work, especially if every cloud looks different. The last thing I want to mention here is upgrading, if you want real Azure consistency, you need to keep up with the ultra-fast pace of the Azure Public Cloud, which is basically impossible or extremely expensive. An integrated system scenario can really help you keep things up-to-date, since updates and upgrades can be pre-tested before they are released for you to deploy. This will help you save a huge amount of testing since every environment looks the same.

Operating Azure Stack

Azure Stack Administration and Operation

As already mentioned, Azure Stack will be delivered as an integrated system. OEMs, will help you to setup and install your Azure Stack appliance in your datacenter, but they will not fully manage the Azure Stack environment. You will need to have some Cloud Operator managing and operating your Azure Stack. With this all the host will be sealed and administrators do not have access to the hosts or Hyper-V Manager or Failover Cluster Manager to mange the systems. Instead, Administrators or Cloud Operators will manage the system for a management portal.

Azure Stack Platform

Since this is an integrated system, you don’t even need to care what it is running in the background. But still for a lot of us it is still very interesting to see how Azure Stack is built. In the back Azure Stack runs on “common” rack mount servers from HPE, Dell, Lenovo and Cisco, for HPE this is the DL380 Gen9. From the software stack it is running Windows Server 2016, and the Software Define Datacenter features such as Storage Spaces Direct, the new Windows Server 2016 Software-Defined Networking Stack an Hyper-V. In the release version of Azure Stack we will see a Hyper-Converged Storage Spaces Direct architecture starting from 4 nodes. On top of this Microsoft used code from Azure to bring the Azure Resource Manager, Azure Resource Providers and the Azure Portal to the Azure Stack.

Azure Stack POC – Microsoft Azure Stack Development Kit

Azure Stack Development Kit

Very early in the development process of Azure Stack, Microsoft releases Technical Previews to customers, so they could test Azure Stack on one node deployments. This is called the Azure Stack POC and you can download it today on a single physical server, and it was only designed for non-productive, non-HA environments. Microsoft officially announced that they will rename the Azure Stack POC to Azure Stack Development Kit after the General Availability of Azure Stack Mid 2017. This is really a great solution to quickly spin up a test environment of Azure Stack without having to invest in hardware.

Azure Marketplace Syndication

Azure Stack Marketplace Syndication

You will be able to create your own Marketplace items in Azure Stack, building your own templates and images and offer them to your customers. One of the greatest editions Microsoft made in the Azure Stack Technical Preview 3 is the Azure Marketplace Syndication. This allows you to get Marketplace items from Azure and offer them in your Azure Stack offering to your customers. With that you don’t need to build all Marketplace items by yourself.

Azure Stack Identity Management

Azure Stack has to be integrated into your datacenter. In terms of Identity, Microsoft allows you to use two ways to integrate. First, and from my site the preferred option, is Azure AD (AAD) which allows you to integrate with an existing Azure Active Directory. Azure AD can be synced and connected with your on-premise Active Directory and this will allow you to login to Azure as well as Azure Stack. The other option Microsoft is offering is using ADFS to bring identities to your Azure Stack.

The Azure Stack Business Cases

Since Azure Stack is consistent with Microsoft Azure, the question comes up, why are we not just using Azure. There are many good reasons to use Azure, but there are also some challenges with that. Azure Stack can make sense in a couple of scenarios.

  • Data Sovereignty – In some cases data cannot be stored outside of a specific country. With Azure Stack, customers have the option to deploy in even their own datacenter or on a service provider within the same country.
  • Latency – Even Microsoft offers a solution to reduce network latency to Azure, with using Azure Express Route, in some scenarios latency is still a big issue. With Azure Stack can customers place Azure very close to the location where resources are accessed from.
  • Disconnected Scenarios – In some scenarios you really want to benefit form the consistent deployment model, and for example use Azure Resource Manager (ARM), but not everywhere on earth do you have access to Azure or sometimes you have a very bad connection. Think about cruise ships or other scenarios where you need to run IT infrastructure but you are not able to connect to Azure.
  • Private Instance of Azure – For some companies shared infrastructures can be challenging, even security standards in Azure are extremely high, it is not always an option. With Azure Stack, companies can basically spin up their completely own instance of Azure.
  • Differentiation – Service Providers or even Enterprise companies cannot only use the Azure Marketplace, but they can also build their own solutions for the Azure Stack and make them available to their customers.

Pricing and Licensing

As mentioned Microsoft will offer Azure Stack from 5 different OEMs. HPE, Dell and Lenovo will deliver a solution at Azure Stack GA in mid-CY17, Cisco and Huawei will be available later. The hardware needs to be bought directly from the OEM or Partner. Some of the also offer a flexible investment model like the HPE Flexible Capacity. For the pricing model of Azure Stack software, Microsoft decided to deliver the licensing of Azure Stack on a pay-per-use base. This meets of course the cloud economics and there will be no upfront licensing costs for customers. Services will be typically metered on the same units as Azure, but prices will be lower, since customers operate their own hardware and facilities. For scenarios where customers are unable to have their metering information sent to Azure, Microsoft will also offer a fixed-price “capacity model” based on the number of cores in the system.

Azure Stack will be offered in two different models, Pay-as-you-use model and Capacity model. The pay-as-you-use model is licensed by Microsoft via the Enterprise Agreement (EA) or Cloud Service Provider (CSP) programs. The capacity model is available via EA only. It is purchased as an Azure Plan SKU via normal volume licensing channels. For typical use cases, Microsoft expects the pay-as-you-use model to be the “most economical” option.

The Azure Stack pricing models

Azure Stack will be offered in two different models, Pay-as-you-use model and Capacity model. The pay-as-you-use model is licensed by Microsoft via the Enterprise Agreement (EA) or Cloud Service Provider (CSP) programs. The capacity model is available via EA only. It is purchased as an Azure Plan SKU via normal volume licensing channels. For typical use cases, Microsoft expects the pay-as-you-use model to be the “most economical” option.

Azure Stack Pay-as-you-use model

For the pay-as-you-use model you will you can take advantage of the cloud economics and only pay for resources which are actually consumed, plus additional costs for the Azure Stack hardware and the operations.

Service prices:

  • Base virtual machine $0.008/vCPU/hour ($6/vCPU/month)
  • Windows Server virtual machine $0.046/vCPU/hour ($34/vCPU/month)
  • Azure Blob Storage $0.006/GB/month (no transaction fee)
  • Azure Table and Queue Storage $0.018/GB/month (no transaction fee)
  • Azure App Service (Web Apps, Mobile Apps, API Apps, Functions) $0.056/vCPU/hour ($42/vCPU/month)

Azure Stack Capacity model

For the capacity model, two packages are available which makes you license the physical cores of your Azure Stack system via an annual subscription. The packages are only available via Enterprise Agreement (EA).

  • App Service package ($400/core/year)
    Includes App Service, base virtual machines and Azure Storage
  • IaaS package ($144/core/year)
    Includes base virtual machines and Azure Storage

You will also need additional licenses if you deploy Windows Server and SQL Server virtual machines, like you would do if you are using your traditional Hyper-V servers.

What else will you need

  • Integrated System (hardware) – you will need to purchase the Azure Stack hardware from one of the OEM vendors
  • Support – you will need to purchase support from Microsoft for software support and a support package for the hardware from the hardware provider. If you already have Premier, Azure, or Partner support with Microsoft, your Azure Stack software support is included.
  • Service Providers – Service Provider can also license Azure Stack to others using the CSP (Cloud Solution Provider) channel.

Azure Stack Roadmap

At the Azure Stack GA release this summer, Microsoft will deliver Azure Stack hardware with provides from HPE, Dell and Lenovo. Later in 2017 Microsoft will also deliver Azure Stack with Cisco, Huawei and Avanade hardware. Azure Stack at GA will support 4-12 nodes, 1 single scale-unit and a single region.

Microsoft will also deliver some of the services at General Availability on Azure Stack, and will add more and more services over time. At GA we will see:

  • Virtual Machines
  • Storage (Blob, Table and Queue)
  • Networking (Virtual Networks, S2S VPN, …)
  • App Service (in Preview)
  • SQL (in Preview)
  • MySQL (in Preview)

After GA, Microsoft  will continuously deliver additional capabilities through frequent updates. The first round of updates after GA are focused on two areas: 1) enhanced application modernization scenarios and 2) enhanced system management and scale. These updates will continue to expand customer choice of IaaS and PaaS technologies when developing applications, as well as improve manageability and grow the footprint of Azure Stack to accommodate growing portfolios of applications. Please be reminded that this will not just be a product you purchase, think about it as a service which will add features and functionality over time.

The choice for your datacenter

Windows Azure Pack

Obviously, Microsoft is pushing Azure Stack since it will bring consistency to the Azure public cloud, which means your companies and people need to understand the advantages of using methods like DevOps and Infrastructure in code. This will help you to make the most out of Azure Stack and the Azure Resource Manager. If you already have Microsoft Azure know-how, this is great, because it will also apply to Azure Stack.

No worries, if you are not there yet, or for some reason this doesn’t make sense to you, Microsoft still has a great solution to build traditional Virtualization platforms together with automation using System Center, Windows Server and if needed Windows Azure Pack. Both solutions, System Center and Windows Azure Pack, will be supported in the future and will get updates.



Windows 8 Partner Devices Demo

Shows the new Windows 8 User Interface and a lot of new Windows devices.