Measured Boot is a relatively new feature introduced in Windows 8 to help protect your device (PC) from rootkits and other malware. Measured Boot will check each start-up component including the firmware all the way to the boot drivers and it will store this information in what is called a Trusted Platform Module (TPM) or Intel
Platform Trust Technology (PTT). The recorded measurement can be compared with a golden value, i.e. the expected unique measurement that was calculated on a known, good system. If the measurement does not match the golden measurement the system integrity is considered compromised. The ensures before anything is started up in the boot sequence it will be compared to the TPM to make sure the software is trustworthy and not infected by a virus,
and then makes available a log that can be tested remotely to verify the boot state of the client. Secure Boot and Measured Boot are currently only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows also have them. When used together, Secure Boot, Trusted Boot, and Measured Boot can vouch for a
reliable OS platform. Below are some related articles: How to fix your device cannot use a Trusted Platform Module: Allow BitLocker without a compatible TPM, “This device cannot use a
Trusted Platform Module, allow BitLocker without a compatible TPM when turning on Bitlocker“, how to
enable Bitlocker Pre-Boot Authentication via the Group Policy, how to enable or
disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, how to view BitLocker disk encryption status in Windows, “Insight on Full Disk Encryption with PBA / without PBA:
UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption“, and how to deploy Microsoft
BitLocker Administration and Monitoring Tool.
Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same rights as the operating system and start before it and as such, they can completely hide. Most times, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, and keystrokes, transfer private files, and capture cryptographic data. Different types of rootkits load during
different phases of the startup process and they are as follows.
Windows 10 supports four features to help prevent
Secure Boot: When a device starts, the first step is to find the operating system (OS) bootloader. Note: devices without Secure Boot runs whatever bootloader is on the PC’s hard drive and there isn’t any way for the device to determine if it is a trusted operating system or a rootkit. Trusted
Boot: Trusted Boot takes over where Secure Boot stops. Early Launch Anti-Malware
(ELAM): Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, Note: Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task to examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. Measured Boot: Most antimalware software is extremely very good at detecting Starting from Windows 8, a new feature was introduced called “Measured Boot”, which measures each component, from the firmware up through the boot start drivers, stores those measurements in the Trusted Platform Module (TPM) on the machine, and then makes available a log that can be tested remotely to verify the boot state of the client. Working with the TPM and non-Microsoft software, Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
In summary, the Measured Boot feature then provides antimalware apps with a trusted (resistant to spoofing and tampering) log of all boot components that started before the antimalware software. Antimalware software uses this log to determine whether components that were initiated before it are trustworthy or if they are infected with malware in the following ways discussed below.
Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network. In your environment, the system administrator has control of how Measured Boot information is used. In end-user scenarios, for example, online banking), the consumer must opt-in to use Measured Boot for the specific service. A question that you might want to ask in the comment session: Since an operating system can only enforce its security policies only while running (active). How can it protect the data that resides in the storage drive when it is offline or when a malicious user has physical access to the system internals? – This is where Bitlocker Drive Encryption comes in. Windows Measured Boot helps to seal the Bitlocker key to TPM using the boot measurements. If the boot parameters get changed, it will result in a different measurement. TPM only unseals a key if the measurements match the measurement values with which the key was sealed. This ensures that even if the system is compromised physically, the malicious user won’t be able to get access to the data residing in the storage drive easily. I have added some hyperlinks in the first chapter, please refer to those and the following hyperlinks as well: A guide to how Bitlocker Network Unlock works, how to backup existing and new BitLocker recovery keys to Active Directory(AD), and Unable to install Microsoft Bitlocker Administration: Uninstall your current version of MBAM and run setup again. I hope you found this blog post helpful. If you have any questions, please let me know in the comment session. Which Privacy Protection uses four colors to indicate the expected sharing limitations that are to be applied?The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).
Which of the following is an application protocol for exchanging cyberthreat intelligence over https?Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging CTI over HTTPS.
Which protection ensures that only authorized parties can view the information?Confidentiality, or data privacy: The means used to ensure that information is made available only to users who are authorized to access it. This ensures that only authorized users can view sensitive data.
Which type of malware relies on LOLBins?Which type of malware relies on LOLBins? Fileless virus Which of the following is known as a network virus? Worm Josh is researching the different types of attacks that can be generated through a botnet.
|