This is always a tough topic, because IT's policies on updating BIOS firmware or converting from legacy BIOS to UEFI are often driven by decision-makers outside the department, or worse, by decision-makers inside it who are oblivious to the security implications of staying on an outdated version of an outdated technology.
Unified Extensible Firmware Interface (UEFI) isn't a new technology; it has been around for many years. Attacks at the BIOS level, on the other hand, have happened not just this century but this decade. Rootkits that tamper with the boot process are still in the wild, and anybody still running the outdated legacy technology is at serious risk.
UEFI (pronounced letter by letter, U-E-F-I) is far more than legacy code stored on a chip on the PC's motherboard. It is effectively a small operating system in its own right: it has its own drivers and shell and can read FAT-formatted partitions such as the EFI System Partition, so you can browse the filesystem, run UEFI applications, and even back up a drive before the real OS ever starts. It also supports mouse input and graphics.
In the legacy world, a BIOS PC boots and performs a Power On Self Test (POST): the PC powers on, the BIOS wakes up the hardware and checks that it is working. You can interrupt the boot (as you can with UEFI) and enter the settings menu to enable, disable or reconfigure settings. The problem is that legacy BIOS offers little protection against the bad guys altering those settings or the boot path itself, for example to load a rootkit before the operating system: the BIOS simply jumps to whatever code sits in the first sector of the boot device, with no signature check. Aside from being outdated and insecure, BIOS has many other limitations:
- Can only boot from MBR-partitioned drives of 2 TiB (about 2.2 TB) or smaller
- Must run in 16-bit real mode
- Only has 1 MB of address space to execute in
- Initializes hardware devices one at a time rather than in parallel
- Slow boot times
- Provides little protection for the OS boot path
- Is unaware of filesystems and of the operating system; it just loads the first sector of the disk
- Text-based setup menu
Capabilities of UEFI
- Faster boot and shutdown times
- Can boot from drives over 2 TiB (about 2.2 TB) in size, thanks to GPT
- Runs in 32- or 64-bit processor mode
- Far more addressable memory
- Setup menus are modern, with mouse and graphics support
- Supports light-weight networking features such as PXE network boot
- Enables several Windows 10 security features:
  - Secure Boot: the firmware checks the digital signature of the boot loader (and of any firmware drivers or option ROMs) against the certificates stored in its signature database before executing them, so a bootkit or rootkit that replaces or tampers with the boot loader is refused and no malicious operating system can start before Windows.
  - Early Launch Anti-Malware (ELAM): an anti-malware driver that the Windows kernel loads before any other non-Microsoft boot-start driver, so it can classify each of those drivers (known good, known bad, unknown) before they are allowed to run. ELAM can technically be used without UEFI, but then nothing verifies the boot loader and kernel that load it, so you lose the rest of the chain of trust.
  - Windows Trusted Boot: picks up where Secure Boot stops. The Windows boot loader verifies the signature of the kernel before loading it, and the kernel in turn verifies the other components of the startup process, including boot drivers, startup files and the ELAM driver, so a tampered component is refused. Note: the MS15-111 security update released on October 13, 2015 fixes a security issue in this feature.
  - Measured Boot: the firmware and Windows record a hash of each component, from the firmware up through the boot-start drivers, into the TPM's Platform Configuration Registers (PCRs) and keep a matching log. Because PCRs can only be extended, never rewritten, a remote attestation service can later check the log against the PCR values and verify what actually booted on the client.
  - Device Guard: uses CPU virtualization extensions and the TPM to run Windows code-integrity enforcement inside a hypervisor-protected environment (HVCI), so that even a compromised kernel cannot load unsigned or untrusted drivers. It is combined with configurable code-integrity policies and typically deployed alongside AppLocker and Credential Guard.
  - Credential Guard: uses the same virtualization-based security, but to isolate the Local Security Authority's secrets (NTLM password hashes, Kerberos ticket-granting tickets, domain credentials) in a protected container that normal Windows, even kernel-mode code, cannot read, defeating pass-the-hash style credential theft. It requires UEFI with Secure Boot.
  - BitLocker Network Unlock: automatically unlocks the Windows 10 OS volume at reboot when the machine is connected to the wired corporate network and can reach the Network Unlock server, so nobody has to type the BitLocker PIN; off the network the PIN is still required. It relies on the UEFI firmware's DHCP network stack.
- GUID Partition Table (GPT) disk partitioning: 64-bit sector addressing (so boot disks well beyond the 2.2 TB MBR limit), up to 128 partitions, and CRC32-protected headers with a backup copy at the end of the disk, which lets enterprises use modern large drives.
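Before converting a fleet, it helps to know which of the features above each machine can actually use. The script below is an added example, not code from the original article or from any vendor tool it mentions: it reports firmware type, boot-disk partition style, Secure Boot state, TPM state and whether virtualization-based security (Credential Guard, HVCI) is running, then does a dry run of Microsoft's MBR2GPT on legacy machines. It assumes Windows 10 1703 or later (for mbr2gpt.exe), an elevated PowerShell session (Confirm-SecureBootUEFI and Get-Tpm require it), and the Win32_DeviceGuard value encoding documented by Microsoft (SecurityServicesRunning 1 = Credential Guard, 2 = HVCI; VirtualizationBasedSecurityStatus 2 = running).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): boot-security posture check for a
# Windows 10 client. Assumes Windows 10 1703+ and an elevated session. Returns an
# object so it can feed a ConfigMgr compliance baseline or be exported to CSV.

function Get-BootSecurityPosture {
    [CmdletBinding()]
    param()

    # 1. Firmware type. Windows sets FIRMWARE_TYPE to "UEFI" or "Legacy".
    $firmware = $env:firmware_type
    if (-not $firmware) { $firmware = [string](Get-ComputerInfo).BiosFirmwareType }

    # 2. Partition style of the boot disk: UEFI boots from GPT, legacy BIOS from MBR.
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1

    # 3. Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines, so treat
    #    the exception as "not applicable" rather than as "disabled".
    try {
        $secureBoot = Confirm-SecureBootUEFI
        # SetupMode 0 = a Platform Key is enrolled and the firmware is in User Mode.
        # Firmware still in Setup Mode accepts anyone's keys, so Secure Boot means little.
        $setupMode = [int](Get-SecureBootUEFI -Name SetupMode).Bytes[0]
    } catch {
        $secureBoot = $null
        $setupMode  = $null
    }

    # 4. TPM: Measured Boot, BitLocker Network Unlock and Credential Guard depend on it.
    $tpm = Get-Tpm

    # 5. Virtualization-based security (assumed encoding from Microsoft's Win32_DeviceGuard
    #    documentation): SecurityServicesRunning 1 = Credential Guard, 2 = HVCI;
    #    VirtualizationBasedSecurityStatus 2 = VBS running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        FirmwareType       = $firmware
        BootDiskNumber     = $bootDisk.Number
        BootDiskPartition  = [string]$bootDisk.PartitionStyle
        SecureBootEnabled  = $secureBoot
        FirmwareInUserMode = if ($null -ne $setupMode) { $setupMode -eq 0 } else { $null }
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuard    = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning        = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Test-UefiConversionReadiness {
    # Dry run of Microsoft's MBR2GPT against a disk from inside the running OS.
    # Exit code 0 means the layout can be converted to GPT without data loss.
    param([int]$DiskNumber = 0)
    & "$env:SystemRoot\System32\mbr2gpt.exe" /validate /disk:$DiskNumber /allowFullOS | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$posture = Get-BootSecurityPosture
$posture | Format-List

# The legacy case the article warns about: no Secure Boot, Measured Boot or Credential Guard.
if ($posture.FirmwareType -ne 'UEFI' -or $posture.BootDiskPartition -eq 'MBR') {
    Write-Warning "Legacy boot path detected on $($posture.ComputerName)."
    if (Test-UefiConversionReadiness -DiskNumber $posture.BootDiskNumber) {
        Write-Output "MBR2GPT validation passed: disk $($posture.BootDiskNumber) can be converted, then switch the firmware to UEFI and enable Secure Boot."
    } else {
        Write-Output "MBR2GPT validation failed: check the disk layout (partition count, free space for the ESP) before converting."
    }
}
elseif ($posture.SecureBootEnabled -ne $true -or $posture.FirmwareInUserMode -ne $true) {
    Write-Warning "UEFI present but Secure Boot is off or the firmware is still in Setup Mode; enroll keys and enable Secure Boot."
}
```

A machine that reports UEFI firmware with a GPT boot disk but `SecureBootEnabled = False` is the common half-converted state: the disk work is done but the firmware setting was never flipped, and none of the Windows 10 features in the list above are protecting it yet.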
The Secure 10 is a free community solution for automated BIOS-to-UEFI conversions using ConfigMgr, and it requires no third-party software.
https://insights.adaptiva.com/2017/need ... ign=buffer