Security and privacy in Windows 10

Securing hardware

The first layer of protection for a Windows 10 device is the hardware itself. Key security features in Windows 10 (originally introduced in Windows 8.1) take advantage of modern hardware designs. Although you can install and run Windows 10 on older hardware, you’ll get best results when these two capabilities are present:

Unified Extensible Firmware Interface (UEFI)

After 30 years, the PC BIOS has finally been retired. Its replacement is UEFI, a firmware interface that takes over the functions traditionally performed by the BIOS. UEFI plays a critical role in security with Windows 10, offering the Secure Boot capability and support for self-encrypted drives, for example. (I’ll say more about both of those features later in this chapter.) UEFI has been a requirement for original equipment manufacturers (OEMs) to certify a system or hardware device for Windows 8 or later under the Windows Hardware Certification Program (formerly known as the Windows Logo program).

Trusted Platform Module (TPM)

A TPM is a hardware chip that supports high-grade encryption and prevents tampering with or unauthorized export of certificates and encryption keys. The TPM might be implemented as a standalone microcontroller or included as part of another component, such as a network module or a system on chip (SoC) integrated circuit. The TPM performs cryptographic operations and stores keys for BitLocker volumes and virtual smartcards. A TPM can also digitally sign data, using a private key that software can’t access. The presence of a TPM enables several key features in Windows 10, including BitLocker drive encryption, Measured Boot, and Device Guard.

Securing the boot process

The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the system early and prevent antimalware software from doing its job. This type of malicious code is often called a rootkit (or bootkit). The best way to avoid having to deal with it is to secure the boot process so that it’s protected from the very start.

Secure Boot

The most basic protection is the Secure Boot feature, which is a standard part of the UEFI architecture. (It’s defined in Chapter 27 of the UEFI 2.3.1 specification.) On a PC with a conventional BIOS, anyone who can take control of the boot process can boot using an alternative OS loader, potentially gaining access to system resources. When Secure Boot is enabled, you can boot only by using an OS loader that’s signed using a certificate stored in the UEFI firmware. Naturally, the Microsoft certificate used to digitally sign the Windows 8.1 and Windows 10 OS loaders are in that store, allowing the UEFI firmware to validate the certificate as part of its security policy. This feature must be enabled by default on all devices that are certified for Windows 8.1 or Windows 10 under the Windows Hardware Certification Program.

Early Launch Antimalware (ELAM)

Antimalware software that’s compatible with the advanced security features in Windows 8 and later versions can be certified and signed by Microsoft. Windows Defender, the antimalware software that is included with Windows 10, supports this feature; it can be replaced with a third-party solution if that’s what your organization prefers. These signed drivers are loaded before any other third-party drivers or applications, allowing the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code.

Trusted Boot

This feature verifies that all Windows boot components have integrity and can be trusted. The bootloader verifies the digital signature of the kernel before loading it. The kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component.

Measured Boot

This feature, which requires the presence of a TPM on a device running Windows 8.1 or Windows 10, takes measurements of the UEFI firmware and each of the Windows and antimalware components as they load during the boot process. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. During each subsequent boot, the same components are measured, allowing the current values to be compared with those in the TPM.