Prepping for Secure Boot in Windows 8

Sara Peters, Editor in Chief | 12/20/2012 | 17 comments

A rootkit is a right nasty piece of malware. You'd be wise to do whatever you can to keep rootkits out of your IT ecosystem.

Secure Boot, a security feature included in both Windows 8 and Windows Server 2012, can do an admirable job of finding, containing, and eliminating rootkits... but only if you keep it enabled. Unfortunately, there are a few reasons you might be tempted to disable it.

During the boot process, Secure Boot will scan your machine for any kernel-mode drivers. If those drivers have not been signed by a trusted certificate authority, then the operating system will simply not allow those drivers to run. This is excellent news if one of those unsigned drivers is actually a rootkit -- a particularly invasive type of malware that gives the attacker root access to your machine, thereby allowing them to do pretty much anything they want.

A rootkit might infect your machine via a common attack vector, such as a phishing message, nestling itself into your kernel without your having a clue. Or, it might come in the back end, being directly loaded onto the machine by a sinister individual who has physical access to the hardware. Regardless of how it makes its way onto the system, Secure Boot will stop that rootkit in its tracks during the boot process (assuming the rootkit hasn't falsely obtained a valid certificate, that is).

Windows 8 and Windows Server 2012 Certificates
If you want one of your perfectly legitimate kernel-mode drivers to load, but that driver hasn't yet obtained Windows 8 or Windows Server 2012 certification, then I'm afraid you're out of luck. Secure Boot is like a bouncer at a bar -- if you don't have the right credentials, you're not getting in, no matter who vouches for you or how much gray hair you have to prove you're above drinking age.

One of the complaints against Secure Boot from the Linux user community is that it prevents a user from booting up Linux on a Windows 8 machine. The Linux Foundation has been waiting for Microsoft to hand over a validly signed pre-boot loader -- which would tell Windows 8 that it's safe to load up Linux. In the meantime, the Linux community developed a workaround, but it's a very clunky process.

Sure, you can disable Secure Boot. But you'd be missing out on a great security mechanism that:

  • Works on both clients and servers;
  • Protects the exceptionally valuable core of all of your hardware; and
  • Protects that core from untrusted or malicious applications that could be introduced not only from a remote attacker but from an attacker with direct physical access to the machine.

These features give Secure Boot the potential to be pretty special.

So, instead of disabling Secure Boot altogether, it's worth spending some time taking a close look at all your drivers before you decide to make the jump from one operating system to another. Identify all the drivers that access the kernel, and check to see if they've been signed by a trusted certificate authority. If the answer is no, then you might want to hold off on a migration until the answer is yes.
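One way to take that inventory before a migration is the PowerShell sketch below, which lists every registered kernel-mode and file-system driver together with its signature status and signer. It is an added example, not part of the original article; the function name `Get-KernelDriverSignatureReport` is hypothetical, and the script assumes an elevated PowerShell 3.0 or later session on the machine being audited.

```powershell
# Added example (not from the article): audit kernel-mode driver signatures locally.
# Run from an elevated PowerShell prompt. The function name is hypothetical.
function Get-KernelDriverSignatureReport {
    # Win32_SystemDriver lists kernel and file-system drivers registered as services.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths (\??\C:\... and \SystemRoot\...) and strip quotes.
            $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            if (Test-Path -LiteralPath $path) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = $sig.Status.ToString()
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            } else {
                $status = 'FileNotFound'
                $signer = ''
            }
            [pscustomobject]@{
                Name      = $_.Name
                Type      = $_.ServiceType
                StartMode = $_.StartMode
                State     = $_.State
                Status    = $status
                Signer    = $signer
                Path      = $path
            }
        }
}

# Secure Boot state: Confirm-SecureBootUEFI throws on legacy BIOS firmware.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = "unavailable ($($_.Exception.Message))" }
"Secure Boot enabled: $secureBoot"

# Summary by signature status, then the drivers that need follow-up.
$report = Get-KernelDriverSignatureReport
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Anything not 'Valid' is a candidate to chase with the vendor before migrating.
# Older PowerShell versions may report catalog-signed drivers as NotSigned; recheck those.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, State, Status, Path -AutoSize
```

A `Valid` status means the file's signature chains to a root this machine trusts; whether the driver also carries the Windows 8 or Windows Server 2012 certification discussed above still has to be confirmed with the vendor.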

Randomus   Prepping for Secure Boot in Windows 8   12/31/2012 7:22:22 PM
Re: Secure Boot
Batye: Yup, it all comes down to money and how clever the attorney is ... definitely doesn't hurt if you have a shark working in your favor and not against.
batye   Prepping for Secure Boot in Windows 8   12/30/2012 12:30:31 AM
Re: Secure Boot
yes, but I hope we will see changes in the law...
anthony.nima   Prepping for Secure Boot in Windows 8   12/30/2012 12:21:21 AM
Re: Secure Boot
Yes everything depends on how much money you can throw at Bayte.
batye   Prepping for Secure Boot in Windows 8   12/26/2012 2:21:11 AM
Re: Secure Boot
trust me from my exp. as security office - normally wrong people who could not afford the good legal rep end up in jail... and pros walk away...
Tuscany   Prepping for Secure Boot in Windows 8   12/26/2012 2:17:42 AM
Re: Secure Boot
@ bathe I agree, but I always worry about the innocent kid who is mistaken for a malicious hacker.  I know we need harsher laws, I just hope the wrong people don't go to jail.
Trek   Prepping for Secure Boot in Windows 8   12/26/2012 12:37:25 AM
Re: Secure Boot
@ Tuscany  -  I have run several scans during boot up and it only took a few moments.  Also, it's something that is done once a month vs. every day.
batye   Prepping for Secure Boot in Windows 8   12/25/2012 9:37:19 PM
Re: Secure Boot
the problem for example in Canada we have liberal laws 

and to truly deal with hacking - we need more harsh laws/penalties...
Tuscany   Prepping for Secure Boot in Windows 8   12/25/2012 9:08:40 PM
Re: Secure Boot
@batye  Agreed.  With hacking going on constantly, security cannot help but morph in its appearance and techniques.
Tuscany   Prepping for Secure Boot in Windows 8   12/25/2012 9:06:49 PM
Re: Secure Boot
@Trek   I was thinking of those rare but very lethal "memory load based" root kit attacks, those that get loaded into memory from the start.  The only way I am aware of thwarting this kind of threat is to have something scanning at initial boot, which has to slow the boot process some.

Maybe I am misunderstanding root kit attacks though I am certain they come in various forms and sizes.
batye   Prepping for Secure Boot in Windows 8   12/24/2012 10:23:28 PM
Re: Secure Boot
yes, some Co. do setup closed systems in the secure room... without any outside access...