Using the SpeculationControl Module for Spectre/Meltdown Vulnerability Management

How to use the SpeculationControl module both locally and remotely, with a quick overview of the function's output in relation to firmware- and OS-level remediation.

Prerequisites include: SpeculationControl Module; Windows Server; PowerShell 5.1 or PowerShell Core.

Relevant TechNet Article: https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

Welcome. In this video we're going to review the SpeculationControl module available from the PS Gallery and how you can use it to determine if systems in your environment are vulnerable to the Spectre and Meltdown vulnerabilities. First off, you need the SpeculationControl module installed local to at least one machine that has access to the others. As we could see, we have successfully installed the module from the PS Gallery and we have confirmed that it is available here in my local shell.

The SpeculationControl module only has one function available. This one function does multiple duties at the same time: it will verify the firmware and all the vulnerabilities that exist for both AMD and Intel CPUs. The information written out to the console is an object that you can pipe out to a CSV file if you need it for reporting. It did detect my CPU and check for the remediations, if they were in place. You should cross-reference this information, output to the console or to CSV, with the documentation that Microsoft provides; I've supplied this as well in the snip notes. Each of the blue title sections here details a different CVE or vulnerability that may be present on your system and has just been scanned for. There will be different mitigation techniques for each of these, so cross-reference with that documentation in the snip notes.

To invoke this command across the network, instead of installing the module through a PS session onto a remote server and then running that function, there's a much more efficient way to do this. So the most efficient way for you to retrieve information about this vulnerability existing on other systems in your environment is not to install it locally on each of those servers and then have it kick some sort of report back to a central hub. Instead, you're going to want to invoke a command over the network. In the provided command here, I'm going to invoke the command, and in my script block I'm going to specify the function that exists in my local session, that is, the Get-SpeculationControlSettings function from my local PowerShell console here. I'm also going to specify a server on my network, which could be AMD or Intel based, and then the credentials to access that machine over the network.

The output is similar to when we ran this against my local machine. However, this remote server is actually an Intel-based server, so you will see different CVEs that you need to cross-reference with that same documentation from earlier. This is one of the nice features of the SpeculationControl module: this one function will work across any type of hardware. Luckily, a lot of the vulnerability management steps that need to be taken to remediate this are included automatically in the Server 2019 version of Windows Server. However, if you have 2016 or earlier, you will need to take those manual steps, such as registry key changes. There will also be some Intel- and AMD-specific firmware updates that need to be completed to be completely remediated.

If we wish to export this to CSV and run this against multiple servers, I do have two separate servers here that I'm going to execute this against. You could see that as each of the commands was invoked it returned to the console; however, it didn't give me that final report at the end, which is what is going to be present in our CSV. Let's take a look at that now, shall we? I just want to get some of the general contents of my CSV file. It does output both of the servers that I ran against and then the different information for each: the runspace ID that the PowerShell session ran in, as well as the two vulnerability statuses that I chose to provide here. To see a full list of everything in that CSV, just import it into the PowerShell session and see the contents and the results for all of your vulnerability patching.

I hope that this video has been informative on how to use the SpeculationControl module in your day-to-day vulnerability management practices. This is a set of vulnerabilities that has become more and more apparent in everyone's environment, and the need for validation of these being patched has never been more relevant.
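
The remote workflow described in the video, written out as an added example (this is not the presenter's on-screen script). The server names, CSV path and choice of report columns are assumptions; the property names are those documented in the Microsoft article linked above.

```powershell
# Added example. SERVER01/SERVER02 and the CSV path are placeholders.
# The module is installed once, on the admin workstation only.
Install-Module -Name SpeculationControl -Scope CurrentUser
Import-Module SpeculationControl    # loads the function into the local function: drive

$servers = 'SERVER01', 'SERVER02'
$cred    = Get-Credential           # account with PowerShell remoting rights on the targets

# Send the body of the *local* function as the script block.
# Nothing is installed on the remote servers.
$results = Invoke-Command -ComputerName $servers -Credential $cred `
    -ScriptBlock ${function:Get-SpeculationControlSettings} `
    -ErrorAction SilentlyContinue

# Invoke-Command adds PSComputerName and RunspaceId to every returned object.
$report = $results | Select-Object PSComputerName, RunspaceId,
    BTIHardwarePresent, BTIWindowsSupportEnabled,
    KVAShadowRequired, KVAShadowWindowsSupportEnabled

$report | Export-Csv -Path .\SpeculationControl.csv -NoTypeInformation

# A server that did not answer has no row in the CSV.
# List those explicitly so a missing row is not read as "patched".
$servers | Where-Object { $_ -notin $results.PSComputerName } |
    ForEach-Object { Write-Warning "No result returned from $_" }

# CSV values come back as strings. Flag hosts where a mitigation is not enabled:
# branch target injection (BTI) support off, or kernel VA shadowing required but off.
Import-Csv .\SpeculationControl.csv | Where-Object {
    $_.BTIWindowsSupportEnabled -eq 'False' -or
    ($_.KVAShadowRequired -eq 'True' -and $_.KVAShadowWindowsSupportEnabled -eq 'False')
} | Format-Table PSComputerName, BTIWindowsSupportEnabled, KVAShadowWindowsSupportEnabled
```

`BTIHardwarePresent` reporting False on a flagged host points at a missing firmware/microcode update rather than an OS setting, which is the firmware-versus-OS split the video refers to.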