Windows 10: Securing the Boot Process
An operating system’s principal function is to provide a safe execution environment in which users’ programs run. This requires a basic framework for uniform program execution, with a uniform and standardized way to use the hardware and access system resources in a secure, coordinated, and orderly manner. The kernel provides this basic service in all but the most simplistic operating systems. To provide these fundamental capabilities to the operating system, several pieces of software initialize and run at system boot time. Typically, each piece implements specific functions and exposes a well-defined programming interface to other portions of code that might use them.

Some of the most aggressive forms of malware today try to insert themselves directly into the boot process as early as possible so that they can take control of the system before anti-malware software can do its job. This type of malicious code is often referred to as a rootkit. Rootkits have two primary functions: remote command and control (a back door) and software eavesdropping. Rootkits are dangerous and can allow someone, legitimate or otherwise, to administratively control a computer. This means executing files, accessing logs, monitoring user activity, altering the computer’s configuration, and even exfiltrating sensitive data.

An excellent way to avoid dealing with rootkits altogether is to secure the boot process so that it is protected from the moment it is launched, and that is what Microsoft, starting with Windows 8.1 and continuing with Windows 10, has done. Windows 10 supports multiple layers of boot protection, with the only drawback being that, in order to take full advantage of some of these key security features, the operating system must be running on modern hardware.

Although you can install and run Windows 10 on older hardware, you will have the best results and be able to take full advantage of these layered protections if the hardware platform is current. Let’s take a look at and walk through the following diagram of the Windows 10 boot process.
- Secure Boot UEFI (Unified Extensible Firmware Interface) – The Secure Boot feature is a standard part of the UEFI architecture. UEFI defines the next-generation firmware interface, which has taken over the functions traditionally performed by the Basic Input and Output System (BIOS). A major security concern with older hardware running a conventional BIOS is that the pre-operating-system environment may be vulnerable to attacks that redirect the bootloader handoff to a possibly malicious loader. This could potentially allow access to critical system resources and allow the creation of backdoors into your system as well. The possibility also exists that these loaders may remain undetected by operating system security measures and anti-malware software.
Enabling UEFI Secure Boot addresses this vulnerability: the system, using policy present in the firmware along with certificates, confirms that only properly signed and authenticated components are allowed to execute. The system will now boot using only an OS loader that is signed with a certificate stored in the UEFI firmware, which permits the firmware to validate the certificate as part of its security policy.
- Early Launch Antimalware (ELAM) – Provides the capability for anti-malware software that is compatible with the advanced security features in Windows 10 to be certified and signed by Microsoft. The default anti-malware software included with Windows 10, Windows Defender, supports this feature, but Windows does allow your organization to replace it with a third-party solution if you choose to do so. These signed drivers are loaded before any other third-party drivers or applications, allowing the anti-malware software to detect and block any attempts to tamper with the boot process by loading unsigned or untrusted code.
- Measured Boot – This feature, which requires the presence of a TPM on a device running Windows 10, takes measurements of the UEFI firmware and each of the Windows and anti-malware components as they load during the boot process. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. During each subsequent boot, the same components are measured, allowing the current values to be compared with those in the TPM.
- Trusted Boot - This feature verifies that all Windows boot components have integrity and can be trusted. The bootloader verifies the digital signature of the kernel before loading it and the kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. As the system boots, Windows 10 detects if any of the OS elements have been tampered with and automatically restores the unmodified versions.
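To make the Measured Boot comparison above concrete, here is an added simulation (not code from the article or from Microsoft) of how a TPM Platform Configuration Register (PCR) accumulates measurements and why a changed or reordered component is detectable on the next boot. The component names and byte strings are constructed stand-ins, and a single SHA-256 PCR is used for simplicity.

```python
"""Measured Boot simulation (added example). A PCR cannot be written directly; it can
only be extended: PCR_new = SHA256(PCR_old || SHA256(component)). The order and content
of every measured component therefore fix the final value, so a stored value from a
known-good boot can be compared against the value produced by the current boot."""
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR bank


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR_Extend semantics: hash the old PCR concatenated with the component digest."""
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Measure an ordered list of (name, bytes) into one PCR starting from the all-zero
    reset value. Returns (final_pcr, event_log); the log records each component digest."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha256(blob).hexdigest()))
    return pcr, log


# Constructed stand-ins for the boot chain the article describes (not real binaries).
GOOD_BOOT = [
    ("UEFI firmware", b"uefi-firmware-v1"),
    ("Windows Boot Manager", b"bootmgfw.efi"),
    ("Windows kernel", b"ntoskrnl.exe"),
    ("ELAM driver", b"wdboot.sys"),
]


def pcr_matches_golden(golden: bytes, current_components) -> bool:
    """Compare the PCR produced by this boot against the stored known-good value."""
    current, _ = measure_boot(current_components)
    return current == golden


def first_divergent_event(golden_log, current_log):
    """The PCR alone only says *that* something changed; walking the event logs
    side by side tells you *which* component first diverged (None if identical)."""
    for (_, g_hash), (c_name, c_hash) in zip(golden_log, current_log):
        if g_hash != c_hash:
            return c_name
    return None
```

Because each extend folds the previous PCR value into the next, a tampered ELAM driver, a swapped kernel, or the same components loaded in a different order all yield a PCR that no longer matches the golden value.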
This article briefly discussed, at a high level, the protections in the Windows 10 boot process that work together to protect the integrity of the system. For those wishing to dive deeper into the weeds, I suggest the Microsoft white paper “Secure Boot and Measured Boot: Hardening Early Boot Components Against Malware”.

Please visit my blog at https://mikesship.blogspot.com/