Friday, March 3, 2017

Securing the boot process

The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the system early and prevent antimalware software from doing its job. This type of malicious code is often called a rootkit (or bootkit). The best way to avoid having to deal with it is to secure the boot process so that it’s protected from the very start.

Windows 10 supports multiple layers of boot protection that were introduced with Windows 8.1 and are not available in Windows 7 and earlier versions. Some of these features are available only if specific types of hardware are installed.

Here is a description of the four boot-protection elements:

■ Secure Boot The most basic protection is the Secure Boot feature, which is a standard part of the UEFI architecture. (It’s defined in Chapter 27 of the UEFI 2.3.1 specification.) On a PC with a conventional BIOS, anyone who can take control of the boot process can boot using an alternative OS loader, potentially gaining access to system resources. When Secure Boot is enabled, you can boot only by using an OS loader that’s signed using a certificate stored in the UEFI firmware. Naturally, the Microsoft certificate used to digitally sign the Windows 8.1 and Windows 10 OS loaders is in that store, allowing the UEFI firmware to validate the certificate as part of its security policy. This feature must be enabled by default on all devices that are certified for Windows 8.1 or Windows 10 under the Windows Hardware Certification Program.

■ Early Launch Antimalware (ELAM) Antimalware software that’s compatible with the advanced security features in Windows 8 and later versions can be certified and signed by Microsoft. Windows Defender, the antimalware software that is included with Windows 10, supports this feature; it can be replaced with a third-party solution if that’s what your organization prefers. These signed drivers are loaded before any other third-party drivers or applications, allowing the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code.

■ Trusted Boot This feature verifies that all Windows boot components have integrity and can be trusted. The bootloader verifies the digital signature of the kernel before loading it. The kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component.

■ Measured Boot This feature, which requires the presence of a TPM on a device running Windows 8.1 or Windows 10, takes measurements of the UEFI firmware and each of the Windows and antimalware components as they load during the boot process. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. During each subsequent boot, the same components are measured, allowing the current values to be compared with those in the TPM.

For additional security, the values recorded during Measured Boot can be signed and transmitted to a remote server, which can then perform the comparison. This process, called remote attestation, allows the server to verify that the Windows client is secure.
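As an added example (not code from the book or from Microsoft), the following Python model shows the Measured Boot and remote attestation flow described above: each component is measured as it loads, the measurement is folded into a TPM PCR with the one-way, order-sensitive extend operation, and a verifier replays the event log and compares it with a known-good baseline. It assumes a single SHA-256 PCR and constructed stand-in bytes for the boot components; a real TPM uses several PCRs and returns a signed quote.

```python
import hashlib

# Model of a TPM PCR extend chain as used by Measured Boot.
# Component names and bytes below are constructed stand-ins.
PCR_INITIAL = bytes(32)  # PCR banks start at all zeros at power-on


def measure(component: bytes) -> bytes:
    """Digest of a boot component (firmware, loader, kernel, ELAM driver)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest). One-way and order-sensitive."""
    return hashlib.sha256(pcr + digest).digest()


def replay_boot_log(event_log):
    """Replay (name, digest) measurement events into a single PCR value."""
    pcr = PCR_INITIAL
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def measured_boot(components):
    """Simulate one boot: measure each component as it loads, extend the PCR."""
    log = [(name, measure(blob)) for name, blob in components]
    return replay_boot_log(log), log


def attest(reported_pcr, event_log, known_good):
    """Verifier (local or remote attestation server): the log must reproduce
    the quoted PCR, and every measurement must be on the known-good list."""
    if replay_boot_log(event_log) != reported_pcr:
        return False, "event log does not reproduce quoted PCR"
    for name, digest in event_log:
        if known_good.get(name) != digest:
            return False, f"unexpected measurement for {name}"
    return True, "healthy"


# Constructed sample boot chain in load order.
GOOD_CHAIN = [("uefi-firmware", b"fw-v1"), ("bootmgfw.efi", b"loader-v1"),
              ("ntoskrnl.exe", b"kernel-v1"), ("elam.sys", b"elam-v1")]
KNOWN_GOOD = {name: measure(blob) for name, blob in GOOD_CHAIN}


def demo():
    """Healthy boot passes; a boot with a modified loader is rejected."""
    pcr, log = measured_boot(GOOD_CHAIN)
    ok, _ = attest(pcr, log, KNOWN_GOOD)
    modified = [("uefi-firmware", b"fw-v1"), ("bootmgfw.efi", b"loader-v2"),
                ("ntoskrnl.exe", b"kernel-v1"), ("elam.sys", b"elam-v1")]
    pcr2, log2 = measured_boot(modified)
    bad, reason = attest(pcr2, log2, KNOWN_GOOD)
    return ok, bad, reason
```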

For Windows 10 devices, Microsoft has introduced a new public API that allows mobile-device-management software to access a remote attestation service called Windows Provable PC Health (PPCH). PPCH can be used to allow or deny access to networks and services by devices, based on whether they can prove they’re healthy.

Source of information: Microsoft, Introducing Windows 10 for IT Professionals