Configure-RegistryForIntel.ps1
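<#PSScriptInfo

.VERSION 1.0.1

.GUID 6a1f5dde-8f47-4eec-ab39-f0a755423978

.AUTHOR chrisblackgb

.COMPANYNAME

.COPYRIGHT

.TAGS

.LICENSEURI

.PROJECTURI

.ICONURI

.EXTERNALMODULEDEPENDENCIES

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES

#>

<#
.DESCRIPTION
 Verify and/or Set Registry settings for speculative execution side-channel vulnerabilities
#>

Function Configure-RegistryForIntel {
    <#
    .SYNOPSIS
    Verify and/or Set Registry settings for speculative execution side-channel vulnerabilities

    .DESCRIPTION
    Verify and/or Set Registry settings for speculative execution side-channel vulnerabilities.

    This advisory addresses the following vulnerabilities:
      CVE-2017-5715 (branch target injection)
      CVE-2017-5753 (bounds check bypass)
      CVE-2017-5754 (rogue data cache load)

    The function reads and writes two DWORD values, FeatureSettingsOverride and
    FeatureSettingsOverrideMask, under
    HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.

    .EXAMPLE
    Configure-RegistryForIntel -CheckValues

    .EXAMPLE
    Configure-RegistryForIntel -CheckValues -Create -Enable

    .EXAMPLE
    Configure-RegistryForIntel -CheckValues -Disable

    .EXAMPLE
    Configure-RegistryForIntel -CheckValues -Create -Enable -WhatIf

    .PARAMETER CheckValues
    Mandatory parameter that will check the registry values before and after execution

    .PARAMETER Create
    Optional parameter that will create the two registry values. Both are created
    with the value 3, which is the same combination -Disable writes; combine with
    -Enable to end up with the protection switched on.

    .PARAMETER Enable
    Optional parameter that will set the two registry values to enable protection
    against the speculative execution vulnerabilities (override = 0, mask = 3).
    Cannot be combined with -Disable.

    .PARAMETER Disable
    Optional parameter that will set the two registry values to disable protection
    against the speculative execution vulnerabilities (override = 3, mask = 3).
    Cannot be combined with -Enable.

    .PARAMETER Remove
    Optional parameter that will remove the two registry values

    .NOTES
    - Writing under HKLM normally requires an elevated session.
    - Per the linked Microsoft article, the machine must be restarted before a
      change to these values takes effect; the "After" output only shows what is
      stored in the registry, not the state the running kernel is in.
    - Each write replaces the whole DWORD. If other guidance has set additional
      bits in FeatureSettingsOverride, -Enable / -Disable will discard them.
      NOTE(review): confirm the values against current vendor guidance for the
      processor and advisories in scope before deploying.

    .LINK
    https://support.microsoft.com/en-gb/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
    #>
    [CmdletBinding(SupportsShouldProcess = $True)]
    param (
        [Parameter(Mandatory = $true)]
        [switch]$CheckValues,

        [Parameter(Mandatory = $false)]
        [switch]$Create,

        [Parameter(Mandatory = $false)]
        [switch]$Enable,

        [Parameter(Mandatory = $false)]
        [switch]$Disable,

        [Parameter(Mandatory = $false)]
        [switch]$Remove
    )

    # Reject contradictory switches before anything is read or written.
    # The blocks below run Enable first and Disable second, so passing both
    # would silently leave the protection switched off.
    if ($Enable -and $Disable) {
        throw 'Specify either -Enable or -Disable, not both.'
    }

    # Fully rooted provider path. The drive-relative form "HKLM:SYSTEM\..."
    # resolves against the current location on the HKLM: drive and can point
    # somewhere else if the session has changed location on that drive.
    $RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $ValueNames = 'FeatureSettingsOverride', 'FeatureSettingsOverrideMask'

    # Sets one value only if it already exists; otherwise prints the lookup
    # error. The lookup result is emitted to the pipeline when the value exists.
    function Set-ExistingOverrideValue {
        param (
            [string]$Name,
            [int]$Value
        )

        $probeError = $null
        Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue -ErrorVariable probeError
        if ($probeError) {
            Write-Host "$probeError You need to create it first" -ForegroundColor Red
        }
        else {
            # -WhatIf passed to the outer function is honoured here through
            # the inherited $WhatIfPreference.
            Set-ItemProperty -Path $RegPath -Name $Name -Value $Value -Verbose
        }
    }

    # Check Values before
    if ($CheckValues) {
        $CheckValuesBefore = Get-ItemProperty -Path $RegPath |
            Select-Object FeatureSettingsOverride, FeatureSettingsOverrideMask
        Write-Output 'Before'
        $CheckValuesBefore
    }

    # Create
    if ($Create) {
        foreach ($valueName in $ValueNames) {
            $createError = $null
            New-ItemProperty -Path $RegPath -PropertyType 'DWORD' -Value 3 -Name $valueName -ErrorAction SilentlyContinue -ErrorVariable createError -Verbose
            if ($createError) {
                # Previously swallowed; an "access denied" here means nothing
                # was configured, so make it visible.
                Write-Warning "Could not create ${valueName}: $createError"
            }
        }

        if (-not $Enable) {
            Write-Warning ('-Create writes FeatureSettingsOverride=3 and FeatureSettingsOverrideMask=3, ' +
                'the same values -Disable sets. Run with -Enable to switch the protection on.')
        }
    }

    # Remove
    if ($Remove) {
        foreach ($valueName in $ValueNames) {
            $removeError = $null
            Remove-ItemProperty -Path $RegPath -Name $valueName -ErrorAction SilentlyContinue -ErrorVariable removeError -Verbose
            if ($removeError) {
                Write-Host "$removeError You need to create it first" -ForegroundColor Red
            }
        }
    }

    # Enable: override = 0, mask = 3
    if ($Enable) {
        Set-ExistingOverrideValue -Name 'FeatureSettingsOverride' -Value 0
        Set-ExistingOverrideValue -Name 'FeatureSettingsOverrideMask' -Value 3
    }

    # Disable: override = 3, mask = 3
    if ($Disable) {
        Set-ExistingOverrideValue -Name 'FeatureSettingsOverride' -Value 3
        Set-ExistingOverrideValue -Name 'FeatureSettingsOverrideMask' -Value 3
    }

    # Check Values after
    if ($CheckValues) {
        Write-Output 'After'
        $CheckValuesAfter = Get-ItemProperty -Path $RegPath |
            Select-Object FeatureSettingsOverride, FeatureSettingsOverrideMask
        $CheckValuesAfter
    }
}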