KB4088880: Windows Server 2012 March 2018 Security Update

Tenable Plugin : Plugin #108292

Tenable output

  The following registry keys need to be set to the appropriate values as dictated in ADV180002.

  This is required to enable the fix for CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754:

  SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverride

  SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\FeatureSettingsOverrideMask

  SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\MinVmVersionForCpuBasedMitigations

  See KB Article 4072698 for more details.

Mitigation: 

 Mitigating this vulnerability requires you to make changes to the registry. Please backup your registry before any changes. Also the system needs to be restarted for the changes to take affect. Since this is Hyper V host specific, please shutdown all virtual machines in the host before shutdown.  Also if the Hyper V Host has clustering enabled , the live migration of hosts from the fixed registry Hyper V to Non Fix Hyper V host may fail. So it is recommended to apply the fix simultaneously in all clustered Hyper V hosts

To enable the fix:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f 


More details at

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

Note:

These posts are more focused towards being complaint in PCI and various other security scans. There are microcode available from respective chip vendors to mitigate this vulnerability but which is beyond the scop of this post