Securing the Windows 8 Boot Process
The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Windows Store apps must meet a series of requirements to be certified and included in the Windows Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Windows Store. Even if a malicious app does get through, the Windows 8 operating system includes a series of security features that can mitigate the impact. For instance, Windows Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
The Threat: Rootkits
Rootkits are a sophisticated and dangerous type of malware that run in kernel mode, using the same privileges as the operating system. Because rootkits have the same rights as the operating system and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
Windows 8 supports four features to help prevent rootkits and bootkits from loading during the startup process:
Figure 1 shows the Windows 8 startup process.
Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage
When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever bootloader is on the PC’s hard drive. There’s no way for the PC to tell whether that bootloader belongs to a trusted operating system or to a rootkit.
All x86-based Certified For Windows 8 PCs must meet several requirements related to Secure Boot:
These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a noncertified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog post Protecting the pre-OS environment with UEFI.
Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 8 kernel before loading it. The Windows 8 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 8 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
Early Launch Antimalware
Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional antimalware apps don’t start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise antimalware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide their presence. In other words, you can’t trust the client to tell you whether it’s healthy.
Depending on the implementation and configuration, the remote server can then determine whether the client is healthy and grant it access either to a limited quarantine network or to the full network.
Figure 2. Measured Boot proves the PC’s health to a remote server
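The server-side check that Measured Boot makes possible, as an added example that is not part of the original article: the client hands over its boot event log plus the TPM-signed PCR values, and the server replays the log to confirm it reproduces those PCRs and that every measured component is one it recognises. The record layout is the TCG 1.2 event-log format; the component names, PCR numbers, event type and the unsigned stand-in for the TPM quote are constructed for the demo, not Windows' actual PCR assignment.

```python
import hashlib
import struct

# One TCG 1.2 event-log record (TCG_PCR_EVENT):
#   PCRIndex u32 | EventType u32 | Digest (20-byte SHA-1) | EventSize u32 | Event
HDR = struct.Struct("<II20sI")

def parse_log(blob):
    """Split a raw event log into (pcr, event_type, digest, event_data) tuples."""
    events, off = [], 0
    while off < len(blob):
        pcr, etype, digest, size = HDR.unpack_from(blob, off)
        off += HDR.size
        data = blob[off:off + size]
        if len(data) != size:
            raise ValueError("truncated event log")
        events.append((pcr, etype, digest, data))
        off += size
    return events

def replay(events, num_pcrs=24):
    """Recompute PCRs the way the TPM extends them: PCR = SHA1(PCR || digest), from zero."""
    pcrs = [b"\x00" * 20] * num_pcrs
    for pcr, _, digest, _ in events:
        pcrs[pcr] = hashlib.sha1(pcrs[pcr] + digest).digest()
    return pcrs

def attest(log_blob, quoted, known_good):
    """Server-side verdict: the log must reproduce the TPM-quoted PCRs, and every
    measured component must be one the server recognises."""
    events = parse_log(log_blob)
    replayed = replay(events)
    if any(replayed[i] != v for i, v in quoted.items()):
        return "log does not match quote"     # client edited the log after the fact
    if any(d not in known_good for _, _, d, _ in events):
        return "unknown component measured"   # something unexpected was loaded
    return "healthy"

# Constructed sample data: PCR numbers and event type are illustrative, not Windows' layout.
COMPONENTS = [b"bootmgfw.efi (sample)", b"ntoskrnl.exe (sample)", b"elam.sys (sample)"]
KNOWN_GOOD = {hashlib.sha1(c).digest() for c in COMPONENTS}

def record(pcr, data, etype=0xD):
    return HDR.pack(pcr, etype, hashlib.sha1(data).digest(), len(data)) + data

def quote(log_blob):
    """Stand-in for a TPM quote of PCRs 4 and 12 (the TPM's signature is omitted)."""
    p = replay(parse_log(log_blob))
    return {4: p[4], 12: p[12]}

CLEAN_LOG = record(4, COMPONENTS[0]) + record(12, COMPONENTS[1]) + record(12, COMPONENTS[2])
INFECTED_LOG = CLEAN_LOG + record(12, b"rootkit.sys (sample)")
```

A rootkit that scrubs its own record from the log still cannot rewind the TPM's PCRs, so `attest(CLEAN_LOG, quote(INFECTED_LOG), KNOWN_GOOD)` reports the mismatch; this is why the server, not the client, decides on health.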
Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 8, these features have the potential to eliminate kernel-level malware from your network. This is the most groundbreaking antimalware solution that Windows has ever had: It’s leaps and bounds ahead of everything else. With Windows 8, you can truly trust the integrity of your operating system.