Tag: Intel

Last updated by at .

Windows SpeculationControl PowerShell

Microsoft Guidance to protect against speculative execution side-channel vulnerabilities on Windows, Windows Server and Azure (Meltdown and Spectre)

Microsoft very quickly responded to the speculative execution side-channel vulnerabilities also called Meltdown and Spectre which affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM. Microsoft released some guidance how you should protect your devices against these vulnerabilities. The Microsoft Security Defense Team also published an article with guidance and more details on this: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities

In this blog post I tried to quickly summarize the information and link it to the right websites.

Summary

Microsoft is aware of detailed information that has been published about a new class of vulnerabilities referred to as speculative execution side-channel attacks. This industry-wide attack method takes advantage of out-of-order execution on many modern microprocessors and is not restricted to a single chip, hardware manufacturer, or software vendor. To be fully protected, updates are required at many layers of the computing stack and include software and hardware/firmware updates. Microsoft has collaborated closely with industry partners to develop and test mitigations to help provide protections for our customers. At the time of publication, Microsoft had not received any information to indicate that these vulnerabilities have been used to attack our customers.

Note This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS.

Warning

Microsoft addressed protect against speculative execution side-channel vulnerabilities in the latest Windows Updates. However, customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, update is required. This should be available through your device manufacturer. Surface customers will receive a microcode update via Windows update.

Guidance for Windows Client

Customers should take the following actions to help protect against the vulnerabilities:

  1. Verify that you are running a supported antivirus application before you install OS or firmware updates. Contact the antivirus software vendor for compatibility information.
  2. Apply all available Windows operating system updates, including the January 2018 Windows security updates.
  3. Apply the applicable firmware update that is provided by the device manufacturer

Windows-based machines (physical or virtual) should install the Microsoft security updates that were released on January 3, 2018. See Microsoft Security Advisory ADV180002 for updates for the following versions of Windows.

Read full guidance for Windows Client here: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Guidance for Windows Server

Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply the Windows operating system update. For details on how to enable this update, see Microsoft Knowledge Base Article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.

Windows Servers-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update.

  • Windows Server, version 1709 (Server Core Installation) KB4056892
  • Windows Server 2016 KB4056890
  • Windows Server 2012 R2 KB4056898
  • Windows Server 2012 Not available yet
  • Windows Server 2008 R2 KB4056897

Your server is at increased risk if it is in one of the following categories:

  • Hyper-V hosts
  • Remote Desktop Services Hosts (RDSH)
  • For physical hosts or virtual machines that are running untrusted code such as containers or untrusted extensions for database, untrusted web content or workloads that run code that is provided from external sources.

There for Microsoft posted some additional registry keys to mitigations on servers. Microsoft also added some extra registry keys if you are running older versions of Hyper-V.

Read the full guidance for Windows Server and the registry keys here: Windows Server guidance to protect against speculative execution side-channel vulnerabilities

Guidance for Virtual Machines running on Hyper-V

In addition to this guidance, the following steps are required to ensure that your virtual machines are protected from CVE-2017-5715 (branch target injection):

  1. Ensure guest virtual machines have access to the updated firmware. By default, virtual machines with a VM version below 8.0 will not have access to updated firmware capabilities required to mitigate CVE-2017-5715. Because VM version 8.0 is only available starting with Windows Server 2016, users of Windows Server 2012 R2 or earlier must modify a specific registry value on all machines in their cluster.
  2. Perform a cold boot of guest virtual machines.Virtual machines will not see the updated firmware capabilities until they go through a cold boot. This means the running VMs must completely power off before starting again. Rebooting from inside the guest operating system is not sufficient.
  3. Update the guest operating system as required. See guidance for Windows Server.

Read the full guidance for Guest Virtual Machines here: Protecting guest virtual machines from CVE-2017-5715 (branch target injection)

Guidance for Surface Devices

Microsoft will provide UEFI updates for the following devices:

  • Surface Pro 3
  • Surface Pro 4
  • Surface Book
  • Surface Studio
  • Surface Pro Model 1796
  • Surface Laptop
  • Surface Pro with LTE Advanced
  • Surface Book 2

The updates will be available for the above devices running Windows 10 Creators Update (OS version 15063) and Windows 10 Fall Creators Update (OS version 16299). You will be able to receive these updates through Windows Update or by visiting the Microsoft Download Center.

Read full guidance for Surface Devices here: Surface Guidance for Customers and Partners: Protect your devices against the recent chip-related security vulnerability

Guidance for Azure

Microsoft has already deployed mitigations across the majority of our cloud services and is accelerating efforts to complete the remainder.

However, I always recommend that you also patch your operating systems and applications to be protected against other vulnerabilities.

Impact to Enterprise Cloud Services

Microsoft is not aware of any attacks on the Microsoft Cloud customers which leverage these types of vulnerabilities. Microsoft employs a variety of detection capabilities to quickly respond to any malicious activity in our enterprise cloud services.

Most of the Azure infrastructure has already received mitigations against this class of vulnerability. An accelerated reboot is occurring for any remaining hosts. Customers can check the Azure Portal for additional details.

All other enterprise cloud services such as Office 365, Dynamics 365, and Enterprise Mobility + Security have mitigations against these types of vulnerabilities. Microsoft engineering is continuing to perform analysis across the environments to confirm further protection.

Read full guidance for Microsoft Azure here: Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities

Guidance for Azure Stack

Azure Stack customers should take the following actions to help protect the Azure Stack infrastructure against the vulnerabilities:

  1. Apply Azure Stack 1712 update. See the Azure Stack 1712 update release notes for instructions about how to apply this update to your Azure Stack integrated system.
  2. Install firmware updates from your Azure Stack OEM vendor after the Azure Stack 1712 update installation is completed. Refer to your OEM vendor website to download and apply the updates.
  3. Some variations of these vulnerabilities apply also to the virtual machines (VMs) that are running in the tenant space. Customers should continue to apply security best practices for their VM images, and apply all available operating system updates to the VM images that are running on Azure Stack. Contact the vendor of your operating systems for updates and instructions, as necessary. For Windows VM customers, guidance has now been published and is available in this Security Update Guide.

Read full guidance for Microsoft Azure Stack here: Azure Stack guidance to protect against the speculative execution side-channel vulnerabilities

Guidance for SQL Server

The following versions of Microsoft SQL Server are impacted by this issue when running on x86 and x64 processor systems:

  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2012
  • SQL Server 2014
  • SQL Server 2016
  • SQL Server 2017

IA64-based versions of SQL Server 2008 are not believed to be affected.

Microsoft made a list of different SQL Server scenarios depending on the environment that SQL Server is running in and what functionality is being used. Microsoft recommends that you deploy fixes by using normal procedures to validate new binaries before deploying them to production environments.

You can finde the list for scenarios and recommendations here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

There is also a list of updates for SQL Server available:

 

  • 4057122 Description of the security update for SQL Server 2017 GDR: January 3, 2018
  • 4058562 Description of the security update for SQL Server 2017 CU3 RTM: January 3, 2018
  • 4058561 Description of the security update for SQL Server 2016 CU7 SP1: January 3, 2018
  • 4057118 Description of the security update for SQL Server 2016 GDR SP1: January 3, 2018
  • 4058559 Description of the security update for SQL Server 2016 CU: January 6, 2018
  • 4058560 Description of the security update for SQL Server 2016 GDR: January 6, 2018
  • 4057114 Description of the security update for SQL Server 2008 SP4 GDR: January 6, 2018
  • 4057113 Description of the security update for SQL Server 2008 SP3 R2 GDR: January 6, 2018

Read the full guidance for SQL Server here: SQL Server guidance to protect against speculative execution side-channel vulnerabilities

Verifying protections again speculative execution side-channel vulnerabilities

The Microsoft Security Response Center released a PowerShell Module on the PowerShell Gallery called SpeculationControl, which verifies if your system is protected or not.

You can find more here: Use PowerShell to verifying protections again peculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

 

More information on how to mitigate speculative execution side-channel vulnerabilities can be found here: ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities



Windows SpeculationControl PowerShell

Use PowerShell to verifying protections again speculative execution side-channel vulnerabilities CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

As you might have seen in the last couple of days, there are huge news about some security bugs in CPUs from different vendors (not just intel). The Microsoft Security Response Center released a PowerShell Module on the PowerShell Gallery called SpeculationControl, which verifies if your system is protected or not.

Microsoft is aware of a new publicly disclosed class of vulnerabilities that are referred to as “speculative execution side-channel attacks” that affect many modern processors and operating systems, including chipsets from Intel, AMD, and ARM.

Note This issue also affects other systems, such as Android, Chrome, iOS, and MacOS, so we advise customers to seek guidance from those vendors.

Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more information.

Microsoft has not yet received any information to indicate that these vulnerabilities have been used to attack customers. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers. To get all available protections, hardware/firmware and software updates are required. This includes microcode from device OEMs and, in some cases, updates to antivirus software as well.

Enabled protections will show in the output as “True” like in this screenshot here

Windows SpeculationControl PowerShell

So make sure you patch your systems, for Windows and Windows Server are already patches available and the Surface Familiy already got some firmware updates.

Also check out Mike F Robbins (Microsoft MVP) how he explains how to use the SpeculationControl PowerShell module on remote machines.



Windows Server 2016 Whats new in Hyper-V

My Hardware Recommendations for Windows Server 2016

Many people are right now asking me about what they have to look out for, if they are going to buy hardware for there next Windows Server 2016 deployment using Hyper-V, Storage nodes or just physical servers. Of course you should normally not just buy hardware and design the solution after that, you should create an architecture for your datacenter first and than buy hardware for your needs. But still there are several things to look out for, this is probably not easy to say right now but here are several thing I would recommend to you.

My recommendations

  • Windows Server Logo: Make really sure that hardware is certified for Windows Server and Windows Server 2016 when the certification is available
  • Network Adapters:
  • Processor / CPU
    • A 64-bit processor with second-level address translation (SLAT).
    • Of course recommend you do get the latest server grade CPUs from Intel or AMD to get the latest CPU functionalities
    • Think about the new licensing for Windows Server 2016 which will be core based
  • TPM Trusted Platform Module v2.0 – especially for the Hyper-V feature Shielded Virtual Machines or/and BitLocker support.
  • Storage
    • If you are going to deploy new Storage in your Datacenter, make sure you have a look at Storage Spaces and SMB Direct (Hyper-V over SMB) and especially the new Storage Spaces Direct feature, which I will write a bit about later this month. This also allows you to do Hyper-Converged scenarios running Storage and Hyper-V on the same physical hardware.
    • If you are goin to deploy Storage Spaces Direct make sure you choose a good quality of SSDs or NVMe devices. Especially for the caching devices choose Write-Intensive NVMe or SSD disks.

This are just some recommendations if I would buy new hardware I would also look at these features. Of course you don’t need all these features in every scenario, but if you want to make the most out of it, you should definitely look at them. Here are some feature related requirements:

Discrete device assignment

  • The processor must have either Intel’s Extended Page Table (EPT) or AMD’s Nested Page Table (NPT).
  • The chipset must have:
    • Interrupt remapping — Intel’s VT-d with the Interrupt Remapping capability (VT-d2) or any version of AMD I/O Memory Management Unit (I/O MMU).
    • DMA remapping — Intel’s VT-d with Queued Invalidations or any AMD I/O MMU.
    • Access control services (ACS) on PCI Express root ports.
  • The firmware tables must expose the I/O MMU to the Windows hypervisor. Note that this feature might be turned off in the UEFI or BIOS. For instructions, see the hardware documentation or contact your hardware manufacturer.

Shielded Virtual Machines

  • UEFI 2.3.1c — supports secure, measured boot
  • The following two are optional for virtualization-based security in general, but required for the host if you want the protection these features provide:
  • TPM v2.0 — protects platform security assets
  • IOMMU (Intel VT-D) — so the hypervisor can provide direct memory access (DMA) protection

for more detailed specification check out Microsoft TechNet: System requirements for Hyper-V on Windows Server 2016



Hyper-V Server: Enable Jumbo Frames on Intel NICs

Hyper-V R2 SP1

If you are using iSCSI as storage connection you can win a lot of performance by enabling jumbo frames. It is important that your Storage, Switch and Network Card do support the use of jumbo frames.

Now if all parts do support jumbo frames you have to enable this on your network adapters.

First you have to enable this for the operating system. This is very simple done with the netsh command line tool.

jumboframes2

Now if you are Intel network cards you have to enable jumbo frames in the registry.

Here you can see all of your network interfaces and you can simply change the “*jumbopacket” value to 9014.

If you don’t now which network interfaces are the iSCSI interfaces you can check the interface GUID here:

jumboframes

If you need more information on iSCSI und Hyper-V check out this blog post.



Ordered HP EliteBook 8460w

HP EliteBook 8460wSome days ago I compared the new HP EliteBook and ProBook series. Now I decided to buy the HP EliteBook 8460w mobile workstation. I think this is the best option between performance and batterylife.

Here the 8460w configuration I ordered:

  • HP EliteBook 8460w Mobile Workstation
  • Intel® Core™ i7-2630QM Processor (2.0 GHz, 6 MB L3 Cache)
  • Mobile Intel QM67 chipset
  • 14.0-inch diagonal LED-backlit HD+ anti-glare (1600 x 900) with 720p HD Webcam
  • AMD FirePro™ M3900 w/1 GB gDDR3
  • 8GB 1333 MHz DDR3 SDRAM (2D)
  • 500 GB 7200 rpm 2.5-inch hard drive
  • DVD+/-RW SuperMulti DL Drive
  • DualPoint (TouchPad and PointStick)
  • Intel Centrino® Ultimate-N 6300 (3×3)
  • Bluetooth® Wireless Technology 2.1
  • TPM & Fingerprint
  • HP 9-Cell 100 Wh Li-Ion Battery
  • 56K v.92 high speed modem
  • HP Elite Support with limited 3 year standard parts and labor warranty 3/3/3

As I said the main reasons for me to buy this notebook, are the performance, the form factor, the batterylife and of coure the design. I am sure the EliteBook 8460p would be enought performance for me, but I really like the color of the EliteBook w-series notebooks.

Since HP will not release the EliteBook 8460w in Europe I ordered the notebook directly in the HP Online Store with my myus.com account.



Cisco UCS Hyper-V Cluster – Important Updates for the Hyper-V Cluster – Part 9

Since we have installed our Microsoft Hyper-V Cluster on the Cisco UCS, Microsoft released some patches for Hyper-V, Windows and Clustering.

There are two really important Updates which I would recommend for Hyper-V Clusters.

  • The first is Service Pack 1 for Windows Server 2008 R2 and Hyper-V Server 2008 R2. Service Pack 1 brings a lot of Hotfixes for Hyper-V, Failover Cluster Feature and other Microsoft Server features. And it brings also a two new features called Dynamic Memory and RemoteFX.
  • The second one is a hotfix for Servers with Intel Westmere or Sandy Bridge and has a large amount of physical memory. Most of the Cisco UCS Blades will meet this configuration. You can get more information on this Hyper-V hotfix here.

This two updates will bring you a much better experience with your Hyper-V Cluster. It will improve performance, stability and it will add new features.



HP Elitebook comparison

HP-EliteBook-8460w-8560w-and-8760w-header

I thinking about buying a new notebook and since HP, Dell and other vendors released new notebooks based on Intel Sandy Bridge this would be the perfect time to replace my current MacBook Pro with a new Windows Laptop.

So basically I made this HP Elitebook comparison for all Important things for me based on the Swiss data. (In Switzerland not every model is available.) I also took always the best available option for me.

Probook 6460bProbook 6560bElitebook 8460pElitebook 8560pElitebook 8460wElitebook
8560w
CPUi5-2520Mi5-2520Mi7-2620Mi7-2620Mi7-2630QMi7-2630QM
RAM16GB16GB16GB16GB16GB32GB
GraphicsAMD HD 6470M 512MBAMD HD 6470M 512MBAMD HD 6470M 1GBAMD HD 6470M 1GBAMD FirePro M3900 1GBAMD FirePro M5950 1GB
Display14.0 1600×90015.6 1600×90014.0 1600×90015.6 1920×108014.0 1600×90015.6 1920×1080
3G yesyesyesyesyesyes
Glass Trackpadnonoyesyesyesyes
USB 3.0nonoyesyesyesyes
Weight2.02kg2.46kg2.07kg2.73kg2.22kg3kg
Thickness3.4cm3.4cm3.4cm3.4cm3.2cm3.45cm
Designgoodgoodokayokayawesome good
Battery lifeokayokayvery goodgoodgoodbad
Battery life+nonoyesyesyesyes
Docking stationyesyesyesyesyesyes
incl. warranty1 year1 year3 years3 years3 years3 years
Pricegoodgoodokayokayokayokay

Maybe there are some mistakes in this chart but the most things should be right. And I don’t say one is better than the other one, clearly they are made for different tasks and workloads.

Other things:

  • I will add a Intel SSD
  • I will use 8GB RAM
  • I will not use an optical drive

What’s important for me:

  • I need long battery life up 6-8h (more would be better)
  • I need fast disk speed. Since I used a SSD I will never use a HDD again.
  • I don’t need a lot of graphic power
  • Resolution should be 1600×900 or higher
  • the notebook should be light and not to think
  • CPU power, should be enough to run Hyper-V for demos (boot from VHD)

Gallery: