includes/virtual-machines-common-mitigate-se.md
6 additions & 6 deletions
@@ -45,29 +45,29 @@ More information about how security is integrated into every aspect of Azure is
45
45
46
46
## Keeping your operating systems up-to-date
47
47
48
-
While an OS update is not required to isolate your applications running on Azure from other Azure customers, it is always a best practice to keep your software up-to-date. The latest Security Updates for Windows contain mitigations for these vulnerabilities. Similarly, Linux distributions have released multiple updates to address these vulnerabilities. Here are our recommended actions to update your operating system:
48
+
While an OS update isn't required to isolate your applications running on Azure from other Azure customers, it is always a best practice to keep your software up-to-date. The latest Security Updates for Windows contain mitigations for these vulnerabilities. Similarly, Linux distributions have released multiple updates to address these vulnerabilities. Here are our recommended actions to update your operating system:
49
49
50
50
| Offering | Recommended Action |
51
51
|----------|---------------------|
52
52
| Azure Cloud Services | Enable [auto update](../articles/cloud-services/cloud-services-how-to-configure-portal.md) or ensure you're running the newest Guest OS. |
53
53
| Azure Linux Virtual Machines | Install updates from your operating system provider. For more information, see [Linux](#linux) later in this document. |
54
54
| Azure Windows Virtual Machines | Install the latest security rollup.
55
-
| Other Azure PaaS Services | There is no action needed for customers using these services. Azure automatically keeps your OS versions up-to-date. |
55
+
| Other Azure PaaS Services | There's no action needed for customers using these services. Azure automatically keeps your OS versions up-to-date. |
56
56
57
57
## Additional guidance if you're running untrusted code
58
58
59
59
Customers who allow untrusted users to execute arbitrary code may wish to implement some extra security features inside their Azure Virtual Machines or Cloud Services. These features protect against the intra-process disclosure vectors that several speculative execution vulnerabilities describe.
60
60
61
61
Example scenarios where more security features are recommended:
62
62
63
-
- You allow code that you do not trust to run inside your VM.
63
+
- You allow code that you don't trust to run inside your VM.
64
64
-*For example, you allow one of your customers to upload a binary or script that you then execute within your application*.
65
-
- You allow users that you do not trust to log into your VM using low privileged accounts.
65
+
- You allow users that you don't trust to log into your VM using low privileged accounts.
66
66
-*For example, you allow a low-privileged user to log into one of your VMs using remote desktop or SSH*.
67
67
- You allow untrusted users access to virtual machines implemented via nested virtualization.
68
68
-*For example, you control the Hyper-V host, but allocate the VMs to untrusted users*.
69
69
70
-
Customers who do not implement a scenario involving untrusted code do not need to enable these extra security features.
70
+
Customers who don't implement a scenario involving untrusted code don't need to enable these extra security features.
71
71
72
72
## Enabling additional security
73
73
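Review bot: On the rewritten bullet at new line 65, "low privileged accounts" is still unhyphenated while the example directly beneath it says "low-privileged user"; since the line is being edited anyway, change it to "low-privileged accounts". The unchanged table row at line 54 ("| Azure Windows Virtual Machines | Install the latest security rollup.") also lacks the closing "|" that every other row has and could be fixed in the same pass.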
@@ -90,7 +90,7 @@ Your target operating system must be up-to-date to enable these extra security f
90
90
91
91
To validate enabled protections against these vulnerabilities, see [Understanding Get-SpeculationControlSettings PowerShell script output](https://support.microsoft.com/topic/understanding-get-speculationcontrolsettings-powershell-script-output-fd70a80a-a63f-e539-cda5-5be4c9e67c04).
92
92
93
-
If protections are not enabled, please [contact Azure Support](https://aka.ms/microcodeenablementrequest-supporttechnical) to enable additional controls on your Azure VM.
93
+
If protections aren't enabled, please [contact Azure Support](https://aka.ms/microcodeenablementrequest-supporttechnical) to enable additional controls on your Azure VM.
94
94
95
95
**Step 2:** To enable Kernel Virtual Address Shadowing (KVAS) and Branch Target Injection (BTI) OS support, follow the instructions in [KB4072698](https://support.microsoft.com/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution) to enable protections using the `Session Manager` registry keys. A reboot is required.
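Review bot: The rewritten sentence at line 93 still says "If protections aren't enabled" without saying which protections are meant or how the reader recognizes that state in the Get-SpeculationControlSettings output, so the page alone does not tell a reader when to contact support; state which settings in that output to check before this sentence. The sentence also says "additional controls" where the hunk's context line uses "extra security features"; pick one term for the same thing.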