I'm looking for advice on the best practices for hyperthreading on critical servers like root Certificate Authorities or Domain Controllers. Should we disable hyperthreading due to vulnerabilities like Spectre, or is it safe to leave it enabled, especially on newer hardware? I'm aware that older models, such as the Dell PowerEdge R630, are more at risk, but what's the consensus for the latest machines? Any insights would be greatly appreciated!
4 Answers
It really depends on your organization’s risk tolerance and how much performance loss you can accept. There’s no one-size-fits-all answer; it's about finding that balance between security and performance.
Honestly, if someone's exploiting vulnerabilities like Spectre, things are already pretty dire, and you might be in trouble regardless of hyperthreading. I wouldn’t worry too much about it.
As long as you’re running the latest patches, I don't see why you can’t keep hyperthreading enabled. It’s all about managing the risks appropriately.
In my experience, hyperthreading is more of a concern in public cloud environments than in local data centers. If you're really worried about security, disabling HT or moving sensitive VMs to different hosts might be the safest bet.
I had a chat with our new security admin, and we agreed that if the hackers have a payload to exploit those vulnerabilities, they’ve already gained full access. It’s a bit late to worry about HT by that point!