At the time of writing, the holiday season is coming to a close and the new year is just around the corner. For the days between Christmas and New Year's, it's become tradition for me to try and sort through all of my items to find what I really use and need, and get rid of things I haven't touched in the last year. With all of the commercials and incentives to get more things, it only makes sense to me to try and maximize the value of what I currently have before going out to buy something new. Not coincidentally, I approach my cybersecurity from this perspective too. While fancy new tools are shiny and exciting, there is real security value sitting potentially untapped on millions of devices, waiting to be unlocked with a couple of clicks on your device. In this year-end post, we will go over device-specific settings found in the BIOS that may already be included with your devices and waiting to be turned on. As an added bonus, we will put together a buyer's guide if you are looking for new devices, in order to maximize their longevity and ensure they have the features mentioned.
Before we dig too deep into the usefulness of the settings included with devices, let's step back for a quick crash course on what really comes with your device and how to maximize its potential. Let's say you go out to Best Buy and purchase a new laptop. Included in that is obviously your hardware; that is what you can touch, such as the screen and keyboard. What few people consider are the software and firmware items that are included with their devices. For our software, we recommend devices with Windows 11, but did you know there are different versions? Primarily, Windows Home and Windows Professional are the two available. If we are a personal user, we can get away with Home, as we may not need security that robust, but if we are a business looking to up our security game, we will find many valuable features included in the Windows Professional version. If you are a business owner who does not care about the nitty-gritty of security but just wants to know how to maximize your security possibilities, skip down to the What You Need to Know and Buyer's Guide for Business Owners sections.
We now understand the software, but what about firmware? For simplicity's sake, I am going to combine the hardware components used to make specific firmware capabilities into just "firmware". A key thing to understand here is that, generally speaking, your software can be upgraded but your firmware cannot. If you have Windows 11 Home, you can upgrade to Windows 11 Professional for $100. But firmware? There's no easy path to move forward without replacing the device. Our firmware is built on something called the BIOS, which stands for Basic Input Output System. BIOS probably sounds like an abstract term, and that's because it is. Just know that depending on your firmware, or, as we learned, our BIOS, you will have different security features at your disposal. Of these features, common ones include TPM, UEFI, Virtualization Support, Secure Boot, and UEFI Lock. There are multiple security features included in Windows, especially the Professional variant, that rely on these firmware capabilities to work properly. In the next sections, we will list the different capabilities recognized in Windows 10/11 Professional, and which firmware functionality is required to enable them.
The features below must be enabled in Windows after the prerequisites have been enabled in the BIOS. The features mentioned below are available in Windows 10/11 Professional.
Many types of attacks are effective because, when they execute, they have access to the full gamut of the operating system. However, if you remove this capability and isolate the critical operating system parts in a virtual machine, you can start to mitigate these kinds of threats. Virtualization-based security largely supports features such as Code Integrity and Credential Guard. Firmware requirements for virtualization-based security include:
· Intel VT-D or AMD-V
· Secure Boot
· TPM 2.0
· UEFI
When you load into Windows, you are opening files and running drivers based on what is installed on your hard drive. If a malicious actor were to in some way alter these files, they could cause your computer to load malicious drivers or Windows files. When you enable Code Integrity, these critical files are checked for corruption or evidence of tampering. One example of this would be preventing a program from inserting malicious code into a trusted process, which would in turn allow it to run as if it were a trusted application. Firmware requirements for Code Integrity include:
· Secure Boot
· UEFI
If you have ever noticed that a prompt comes up when you try to run an administrative action, this is called a UAC prompt. When accepted, these prompts pass Windows administration credentials into the kernel and allow the requesting application to run as them. The issue is, these credentials may then be stored in memory. If a tool such as Mimikatz is run and dumps the contents of memory, the attacker will be able to view admin usernames and passwords if they were recently used on the system. With Credential Guard, a temporary virtual machine is spun up to perform the privileged action prompt, and in turn the credentials are not available to be sniffed from memory. Firmware requirements for Credential Guard include:
· Virtualization Based Security
· Secure Boot
· TPM
As you save items to the device, they must be stored on a hard disk or solid state drive. If you take the drive out of a computer, you can easily plug it into another computer and view the contents of the drive, including any and all documents. A way to prevent this is to encrypt the contents of the drive, which requires the person accessing the data to enter a password to view the files. BitLocker is Windows' answer to encrypting a drive and preventing unauthorized access to drive data. Firmware requirements for BitLocker include:
· UEFI
· TPM 1.2+
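To turn the four requirement lists above into something you can actually check on a machine, here is an added read-only audit script (example code, not from the original post). It asks Windows what the firmware reports for UEFI, Secure Boot, TPM and CPU virtualization, reads the Device Guard state to see whether VBS, Credential Guard and HVCI are running, checks BitLocker on the system drive, and then reports, feature by feature, which of the prerequisites the post lists are missing. The prerequisite-to-feature mapping is copied from the post; the cmdlets and CIM classes used (`Confirm-SecureBootUEFI`, `Get-Tpm`, `Win32_DeviceGuard`, `Win32_Processor`, `Get-BitLockerVolume`) ship with Windows 10/11. It assumes an elevated PowerShell session.

```powershell
# Added example: audit firmware prerequisites for the Windows features in this post.
# Read-only; run from an elevated PowerShell on Windows 10/11.
#Requires -RunAsAdministrator

function Get-FirmwarePrereqStatus {
    # UEFI vs. legacy BIOS: Windows sets this environment variable at boot
    $uefi = ($env:firmware_type -eq 'UEFI')

    # Secure Boot: the cmdlet throws on legacy-BIOS machines, so treat that as "off"
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # TPM presence/readiness plus spec version (SpecVersion looks like "2.0, 0, 1.59")
    $tpm = Get-Tpm
    $tpmInfo = Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpmInfo -and $tpmInfo.SpecVersion) { [double]($tpmInfo.SpecVersion.Split(',')[0].Trim()) } else { 0 }

    # CPU virtualization (Intel VT / AMD-V) as reported by the firmware.
    # Caveat: once the Hyper-V hypervisor (and therefore VBS) is running, this bit
    # is hidden from the guest OS and can read False even though it is enabled.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $virtFw = [bool]$cpu.VirtualizationFirmwareEnabled

    # Device Guard / VBS state as Windows sees it
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)  # 0 = off, 1 = configured, 2 = running
    $credGuard  = ($dg -and $dg.SecurityServicesRunning -contains 1)      # 1 = Credential Guard
    $hvci       = ($dg -and $dg.SecurityServicesRunning -contains 2)      # 2 = HVCI (Code Integrity)

    # BitLocker on the OS volume
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitlocker = [bool]($bl -and $bl.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        UEFI                          = $uefi
        SecureBoot                    = $secureBoot
        TpmPresent                    = [bool]$tpm.TpmPresent
        TpmReady                      = [bool]$tpm.TpmReady
        TpmSpec                       = $tpmSpec
        VirtualizationFirmwareEnabled = $virtFw
        VbsRunning                    = $vbsRunning
        CredentialGuardRunning        = $credGuard
        HvciRunning                   = $hvci
        BitLockerOn                   = $bitlocker
    }
}

function Test-WindowsFeaturePrereqs {
    param([Parameter(Mandatory)] $Status)

    # Prerequisites exactly as the post lists them, per feature
    $prereqs = [ordered]@{
        'Virtualization Based Security' = @('Virtualization', 'SecureBoot', 'TPM2', 'UEFI')
        'Code Integrity (HVCI)'         = @('SecureBoot', 'UEFI')
        'Credential Guard'              = @('VBS', 'SecureBoot', 'TPM')
        'BitLocker'                     = @('UEFI', 'TPM1.2+')
    }
    # How each prerequisite is judged from the audit object above
    $checks = @{
        UEFI           = $Status.UEFI
        SecureBoot     = $Status.SecureBoot
        TPM            = $Status.TpmPresent
        'TPM1.2+'      = $Status.TpmPresent -and $Status.TpmSpec -ge 1.2
        TPM2           = $Status.TpmPresent -and $Status.TpmSpec -ge 2.0
        Virtualization = $Status.VirtualizationFirmwareEnabled -or $Status.VbsRunning  # VBS running proves virt works
        VBS            = $Status.VbsRunning
    }
    foreach ($feature in $prereqs.Keys) {
        $missing = @($prereqs[$feature] | Where-Object { -not $checks[$_] })
        [pscustomobject]@{
            Feature          = $feature
            PrerequisitesMet = ($missing.Count -eq 0)
            Missing          = ($missing -join ', ')
        }
    }
}

$status = Get-FirmwarePrereqStatus
$status | Format-List
Test-WindowsFeaturePrereqs -Status $status | Format-Table -AutoSize
```

The first table tells you what to go fix in the firmware (a `False` under `SecureBoot` or `UEFI` means a trip into the BIOS setup), the second tells you which Windows features are worth turning on once that is done. `TpmReady` being `False` with `TpmPresent` `True` usually means the TPM is present but disabled or not yet initialized in firmware.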
The firmware capabilities below are made possible by a combination of firmware and hardware capabilities built into the computer. While some items, such as Secure Boot and UEFI Lock, function in their own right, the other items serve as building blocks for features within Windows.
Similar in function to Code Integrity, when you load into Windows there are paths that are to be followed to get to trusted files. Secure Boot creates a verification mechanism along these trusted paths, only allowing execution to proceed along the trusted paths. Without Secure Boot enabled, a bad actor could try to redirect the Windows boot path to a malicious Windows boot file and cause you to unknowingly boot into an untrusted Windows system.
When there are applications that use cryptography to store keys (namely BitLocker and Windows Hello), a way to safely store these keys is needed. TPM accomplishes this by providing a dedicated physical chip that stores these keys securely in hardware rather than just on the disk.
These terms simply refer to whether a chipset (or processor) is capable of supporting modern virtualization. Virtualization can be used to run entire operating systems from within the host operating system, or to support security features like Credential Guard, which cleverly uses it to protect credentials.
In the past, the firmware that runs to load the operating system was referred to as the BIOS. While we still use BIOS as shorthand, in reality UEFI is the new way to interact with the computer's firmware. The key difference here is that UEFI systems support more security features, and modern operating systems rely on UEFI features to boot faster and with improved security compared to those running on legacy BIOS.
As a bonus, we are including UEFI lock. This enforces a password challenge to change firmware settings. For example, without UEFI lock, a bad actor can simply press the startup keystroke to enter the UEFI firmware and change settings as they wish. With UEFI lock, a password must be entered in order to view or change these settings. Preventing changes to these settings when someone has physical access is not a requirement for the features above, but it is certainly a good idea.
Whether you are a security practitioner or a business owner looking to take simple steps, you can enable all of these features for free, as far as your hardware and firmware allow. Simply look up the keystroke required to boot into the BIOS of your computer, search for the firmware terms listed, and enable them. Then, enable the listed Windows features as the requirements allow. Guides on how to enable these are readily available on the internet, so we will not go into each one.
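For the second half of that procedure (the Windows side, after the firmware switches are on), here is an added example script, not from the original post, that configures the Windows features the post covers in the way Microsoft documents for non-domain machines: Virtualization Based Security with Secure Boot required, Code Integrity (HVCI), Credential Guard with the UEFI lock, and BitLocker on the system drive with a TPM protector. The registry paths and values are the documented Device Guard and LSA settings; the BitLocker cmdlets are the built-in `BitLocker` module. It assumes an elevated PowerShell on Windows 10/11 Professional and that the firmware prerequisites are already enabled. The recovery-password printout is deliberate: that key is the only way back into the volume if the TPM measurements change, and it belongs somewhere other than the encrypted disk.

```powershell
# Added example: enable VBS, HVCI, Credential Guard (with UEFI lock) and BitLocker.
# Run from an elevated PowerShell on Windows 10/11 Professional after the firmware
# prerequisites (UEFI, Secure Boot, TPM, virtualization) are switched on. Reboot afterwards.
#Requires -RunAsAdministrator

$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-VirtualizationBasedSecurity {
    # EnableVirtualizationBasedSecurity = 1 turns VBS on.
    # RequirePlatformSecurityFeatures: 1 = require Secure Boot, 3 = Secure Boot + DMA protection.
    # We require Secure Boot only, matching the post's prerequisite list.
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value 1 -Type DWord
}

function Enable-HypervisorCodeIntegrity {
    # Enabled = 1 turns on HVCI (the "Code Integrity" feature in the post).
    # Locked = 1 makes it UEFI-locked so it cannot be switched off from within Windows alone.
    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name 'Locked' -Value 1 -Type DWord
}

function Enable-CredentialGuard {
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled.
    # With the UEFI lock, disabling later requires the documented bcdedit/UEFI procedure.
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value 1 -Type DWord
}

function Enable-SystemDriveBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "BitLocker already on for $MountPoint"
        return $vol
    }
    # Add a recovery password first so the volume is never protected by the TPM alone,
    # then bind the volume key to the TPM so normal boots need no password.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Host "Store this recovery password somewhere safe (not on this disk):"
    Write-Host ("  {0}  (protector id {1})" -f $recovery.RecoveryPassword, $recovery.KeyProtectorId)
    return $vol
}

Enable-VirtualizationBasedSecurity
Enable-HypervisorCodeIntegrity
Enable-CredentialGuard
Enable-SystemDriveBitLocker | Select-Object MountPoint, EncryptionMethod, VolumeStatus, ProtectionStatus | Format-List

Write-Host "Reboot to bring VBS, HVCI and Credential Guard online; BitLocker encryption continues in the background."
```

Two practical caveats before running this on a fleet: HVCI refuses to load drivers that are not compatible with it, so test it on one representative machine per hardware model first, and the UEFI lock on Credential Guard and HVCI means a later rollback is a firmware-level operation rather than a registry edit. After the reboot, `Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard` should report `SecurityServicesRunning` containing both 1 and 2.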
If you are buying new computers and want to make sure you get the most from them, you can ensure that you are getting a capable machine by using the buying criteria below. When setting these new computers up, remember to ensure all the firmware and Windows items are enabled.
If you are a cybersecurity professional and want to be 100% sure you will be able to utilize modern security firmware for your organization, check these specifications against what is listed in the specification sheet of the computer you are considering.
Not everyone can perform extensive research on devices before purchase, and luckily you don't need to, as long as you are minimally informed about the requirements. As a general rule, if you purchase a newer machine with the processor specifications below and a Windows Professional license included, the fancy firmware features mentioned throughout this post will be available. (Remembering, of course, that they may still need to be enabled.)
It can be easy to focus on what software tools you can buy to improve your security, but the hugely overlooked consideration of buying capable hardware can be a turning point in achieving your organization's security goals. By putting firmware into your consideration, and enabling it when possible on existing systems, you can net some comprehensive security benefits at no additional cost beyond the time to enable them.