Exam SY0-601 topic 1 question 323 discussion

"Measured Boot is a new feature of Windows 8 that was created to help better protect your machine from rootkits and other malware. Measured Boot will check each start up component including the firmware all the way to the boot drivers and it will store this information in what is called a Trusted Platform Module (TPM)." https://www.microcenter.com/tech_center/article/8862/what-is-measured-boot

CHat GPT says EDR is typically used to detect and respond to threats after they have already bypassed other security measures. It is a reactive measure, rather than a preventative one. In this scenario, it would be better to prevent the rootkit from being installed in the first place, rather than relying on EDR to detect and respond to the threat after the fact. Measured boot, on the other hand, is a preventative measure that ensures the system starts with a known good state and can block the boot process or alert the security team if any changes are detected. Therefore, Measured boot is the BEST option for protecting the kiosk computer from the installation of a rootkit via removable media.

Mensured Boot is a new tool from Windows 8, it is created to protect your machine for rootkits, EDR Endpoint Detection and Response is an advanced tool that monitors the red and prevent APT But in this specif question the answered is measured boot

UEFI, especially when combined with Secure Boot, provides a robust defense against rootkits. Secure Boot is a feature of UEFI that ensures only signed and trusted operating system bootloaders and drivers can be loaded during the boot process. This helps prevent unauthorized code, such as rootkits, from being loaded, even if someone tries to install them via removable media.

Measured boot will check startup components including firmware/boot drivers and only allow approved versions.

Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer's firmware to its operating system (OS). UEFI is expected to eventually replace basic input/output system (BIOS) but is compatible with it.

Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer's firmware to its operating system (OS). UEFI is expected to eventually replace basic input/output system (BIOS) but is compatible with it.

Measured boot is typically for hardware and driver checking. I don't see it helping prevent a rootkit. Boot attestation, on the other hand, confirms the OS has not been tampered with. That said, B would be the most prudent choice, IMO. The problem with EDR is that it loads AFTER the OS and can't detect if a rootkit was installed or not (if a zero-day, you're screwed). If you configure your boot process, you can prevent a bootable USB from ever running in the first place. (you can disable all the USB ports as well, in UEFI, but then you can't use them and the kiosk may need it - depending on what the kiosk's function is)

Many organizations implement boot integrity processes. These processes verify the integrity of the operating system and boot loading systems. For example, it can verify that key operating system files haven’t been changed. A measured boot goes through enough of the boot process to perform these checks without allowing a user to interact with the system. If it detects that the system has lost integrity and can no longer be trusted, the system won’t boot.

Measured Boot is intended to prevent boot-level malware. unlike secure boot, measured boot does't validate against a known good list of signatures before booting. instead it relies on the UEFI firmware to hash the firmware, bootloader, drivers, and anything else that is part of the boot process. then the data gathered is stored in the TPM. This boot attestation process allows comparison against known good states and admins can take action if the measured boot shows a difference from the accepted or secure known state.

Since the question says, the OS has been "hardened and tested" I know that the OS has already been installed and Secure boot must be enabled before the installation of an OS. (Even though most computers these days have UEFI Secure boot enabled by default) A, B, and C are are processes or provided by UEFI Secure boot Even if I do not assume, UEFI secure boot is enabled by default, the question asks what should be "CONFIGURED?" UEFI secure boot is enabled (not configured) and the main concern is removable media installing rootkits. D. EDR (makes the most sense to configure endpoint detection for removable media on the kiosk)

I go with answer A: According to CompTIA sec+ Study Guide, Secure Boot or Measured Boot is a feature of Unified Extensible Firmware Interface(UEFI) that ensures that code that ius executed during boot process has been authenticated b y a cryptographic signature. Secure Boot prevents malicious code from running at boot time, thus providing assurance that the system is executing only the code that is legitimate. This provides a measure of protection against rootkits and other malicious code that is designed to run at boot time.

The best answer is A. Measured boot. Measured boot is a security feature that helps to protect systems from rootkits and other malware. It works by creating a cryptographic hash of all critical system components during the boot process. This hash is then stored in a trusted platform module (TPM). If any changes are detected to the critical system components, the boot process is halted and the user is alerted.

I'm over this exam. A,B,& C could all be right. But it's their game and we must bow before them.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process

Very confusing, but I believe since it talks about configuring, the UEFI provides options to configure. The rest are described as processes. https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/boot-integrity/

what a stupid question According to the official cert guide "The second security feature intended to help prevent boot-level malware is measured boot. These boot processes measure each component, starting with the firmware and ending with the boot start drivers. Measured boot does not validate against a known good list of signatures before booting; instead, it relies on the UEFI firmware to hash the firmware, bootloader, drivers, and anything else that is part of the boot process" That seems to suggest option A is a part of option C. But it doesn't end there, it goes on to say "The data gathered is stored in the Trusted Platform Module (TPM), and the logs can be validated remotely to let security administrators know the boot state of the system. This boot attestation process allows comparison against known good states, and administrators can take action if the measured boot shows a difference from the accepted or secure known state" So that then says measured boot is a uefi drive boot attestation process so take your pick from A, B or C!