Spectre / Meltdown vulnerability on the domain controller


Max Coder

Feb 19, 2025, 10:41:38 AM
to ntsysadmin
Hi,

I set the following reg keys for Spectre / Meltdown vulnerability on the domain controller.
Spectre / Meltdown: Mitigations without disabling hyper threading:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

I am using Microsoft AD Assessment tool and it gives me warning like below.

FeatureSettingsOverride is missing or incorrect on this machine. This registry setting does not exist by default. A value of 0 indicates it could be missing.

Only the FeatureSettings key caught my attention. could this be the problem?
What should the FeatureSettings value be?

Regedit screenshot :
https://imgur.com/a/g4UnFIu

Morris, Darian

Feb 19, 2025, 10:52:52 AM
to ntsys...@googlegroups.com

Qualys guidelines:

To enable multiple mitigation with Hyperthreading enabled the fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f OR REG_DWORD /d 8388680 /f

To enable multiple mitigation with Hyperthreading disabled the fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8264 /f OR REG_DWORD /d 8396872 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

We have it on our domain controllers without issue.

Good Luck


maxcoder1

Feb 19, 2025, 12:03:09 PM
to ntsys...@googlegroups.com
I have some questions.

1 - On DC servers, I set FeatureSettingsOverride and FeatureSettingsOverrideMask as follows. Correct?

Spectre / Meltdown: Mitigations without disabling hyper threading:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

2 - Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, is there a FeatureSettings value on your DC servers? If so, what is the value? Is it possible to send a screenshot?


Charles F Sullivan

Feb 19, 2025, 12:23:08 PM
to ntsys...@googlegroups.com
Regardless of whether they are DCs or not, if hyper-threading is *enabled*, then your settings already look correct to me.

--
Charlie Sullivan
Principal Windows Systems Administrator

maxcoder1

Feb 19, 2025, 12:39:58 PM
to ntsys...@googlegroups.com
Hi Charlie,

I understand that this is true if the server is physical and hyper-threading is enabled. Right?

Physical machine:

wmic
wmic:root\cli>CPU Get NumberOfCores,NumberOfLogicalProcessors /Format:List

NumberOfCores=8
NumberOfLogicalProcessors=16

Charles F Sullivan

Feb 19, 2025, 3:37:43 PM
to ntsys...@googlegroups.com
The setting is for HT enabled computers whether physical or virtual. Also I don't think processor count matters.

Beyond that there is the physical architecture. Intel and AMD have different settings. My assumption is that your servers are Intel, as are mine, thus your settings are good in that regard.

Remember that you need to have up to date Microcode, which relies partly on the age of the hardware. If the hardware is new enough you may be protected already, but you need to find out.

If you do need to update the microcode, it will require a cold reboot (shut down completely, then power on).

I think that covers it, but the MS documentation also gets into the different variants, which might also be a factor and which I am not enlightened about.

Charles F Sullivan

Feb 19, 2025, 4:03:57 PM
to ntsys...@googlegroups.com
I gave up on this a few years ago, honestly, but I may need to reassess it myself. Take a look at this entire article: Spotlight CVE-2022-0001 false positive : r/crowdstrike
The actual settings stated clearly for both HT enabled and not enabled are posted by "arrrghhh3" about halfway down.

You may need to look further into this though, since these settings are new to me. That's a disclaimer. I would try it on a test machine and see what the AD assessment tool says, though MS may be looking for the wrong value!

I should update my settings as well, test servers first of course.

maxcoder1

Feb 20, 2025, 1:30:13 AM
to ntsys...@googlegroups.com
--Remember that you need to have up to date Microcode, which relies partly on the age of the hardware. If the hardware is new enough you may be protected already, but you need to find out.

I am using this machine: HP DL360 Gen10 - Intel Xeon Silver 4208. How do I know if it is already protected?

Erik Goldoff

Feb 20, 2025, 8:06:07 AM
to ntsys...@googlegroups.com
Sounds like maybe the Gen10 ProLiant is out of support, but I'd still start by asking HP tech support, just my opinion, since you're talking enterprise level instead of just a consumer resource.

erik

Reid Guanti

Feb 21, 2025, 11:51:24 AM
to ntsysadmin
The FeatureSettingsOverrideMask is correct at 3. However, the FeatureSettingsOverride value is dependent on whether hyperthreading is enabled.

Run these commands from cmd to determine that:

wmic
CPU Get NumberOfCores,NumberOfLogicalProcessors /Format:List

The output will be something like:

NumberOfCores=2
NumberOfLogicalProcessors=2

If those numbers match, then hyperthreading is disabled and the value should be 8264. If they are different, then use 72.

--Reid
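The following PowerShell script is an added example and is not code posted by anyone in this thread. It puts the two pieces of advice above together on one host: it applies Reid's hyper-threading test (more logical processors than physical cores) to pick the expected FeatureSettingsOverride (72 with hyper-threading, 8264 without, FeatureSettingsOverrideMask 3, the values quoted from the Qualys guidance earlier), reads what is actually in the registry, and prints the matching reg add commands when the values are missing or differ. The registry path and value names are the ones used in the thread; the function names are my own.

```powershell
# Added example, not from the thread. Read-only check of the Spectre/Meltdown
# registry values against the hyper-threading state of this host.
# Run elevated only if you then want to apply the reg add commands it prints.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Test-HyperThreading {
    # Sum across all sockets; hyper-threading is on when the OS sees more
    # logical processors than physical cores (Reid's rule from the thread).
    $cpus    = Get-CimInstance -ClassName Win32_Processor
    $cores   = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
    $logical = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    [pscustomobject]@{
        Cores             = $cores
        LogicalProcessors = $logical
        HyperThreading    = ($logical -gt $cores)
    }
}

function Get-MitigationSettings {
    # A value that does not exist comes back as $null, which is the "missing"
    # case the AD assessment tool reports.
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = $props.FeatureSettingsOverride
        Mask     = $props.FeatureSettingsOverrideMask
    }
}

function Show-Value($v) { if ($null -eq $v) { '<missing>' } else { $v } }

$ht      = Test-HyperThreading
$current = Get-MitigationSettings

# Expected values as quoted in the thread from the Qualys guidance.
$expectedOverride = if ($ht.HyperThreading) { 72 } else { 8264 }
$expectedMask     = 3

Write-Host ("Cores={0} LogicalProcessors={1} HyperThreading={2}" -f $ht.Cores, $ht.LogicalProcessors, $ht.HyperThreading)
Write-Host ("FeatureSettingsOverride     = {0} (expected {1})" -f (Show-Value $current.Override), $expectedOverride)
Write-Host ("FeatureSettingsOverrideMask = {0} (expected {1})" -f (Show-Value $current.Mask), $expectedMask)

$compliant = ($current.Override -eq $expectedOverride) -and ($current.Mask -eq $expectedMask)
if ($compliant) {
    Write-Host 'Registry values match the expected mitigation settings.'
} else {
    Write-Warning 'Registry values differ from the expected mitigation settings. To set them (elevated cmd, then reboot):'
    $regKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    Write-Host ('reg add "{0}" /v FeatureSettingsOverride /t REG_DWORD /d {1} /f' -f $regKey, $expectedOverride)
    Write-Host ('reg add "{0}" /v FeatureSettingsOverrideMask /t REG_DWORD /d {1} /f' -f $regKey, $expectedMask)
}
```

The registry values only tell the kernel which mitigations to enable; whether the CPU microcode actually supports them (the point Charlie raises about firmware age) is a separate question. Microsoft's SpeculationControl PowerShell module (Install-Module SpeculationControl, then Get-SpeculationControlSettings) reports per-variant hardware support alongside the OS setting, so running it after this script answers the "am I already protected?" question for a given box.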