Disabling Spectre/Meltdown mitigations on a server especially would be the dumbest thing imaginable. These attacks are not restricted to JavaScript, they are side-channel attacks and have a huge exploitable surface. Just look at the number of patches for the MS SQL server needed to mitigate:
If your server is not reachable from untrusted sources, and you are running only what you trust, it is prudent to disable mitigation’s and make use of the extra performance.
Example, I run many compute nodes (only private network) in my HPC cluster with mitigation’s off. If an attacker could reach the compute nodes over the network to push the attack payload, I’ve already been heavily compromised that these attacks are just insult to the injury.
If you run a database server that can never be reached directly by an attacker. You may spend your time watching your application server and let the DB server use the extra oomph.
Naturally, everyone must determine their level of risk aversion and take the steps they feel most prudent. I've not heard this perspective before. Thank you for sharing!
It's basically the historical approach to enterprise security: secure the perimeter, and don't worry about the intranet. It's still hugely popular in enterprise IT. Cryptolocker/Wannacry bit these IT departments hard and they've sort of slowly learned some lessons, but there's huge inertia, low budget, and these things are changing glacially.
No, I think you're mixing things up, these two are two distinct things: 1) the old "M&M" approach of securing just the perimeter is basically asking for trouble, but 2) doing proper risk assessment and choosing performance over security for one particular setup.
Scroll down to the table and many paragraphs in which they describe when the various scenarios in which the various mitigations are recommended. That wouldn't be needed at all if not having them was always 'the dumbest thing imaginable'.
Can you point out where Microsoft recommends that you do nothing besides if the user is using "Azure SQL Database and Data Warehouse" (and that's because mitigations are already deployed on their cloud services)?
Microsoft has deployed mitigations across all our cloud services.
https://support.microsoft.com/en-us/help/4073225/guidance-pr...