- Smart Intel Briefing
- Posts
- STIG V-253256 - UEFI Mode - Windows 11
STIG V-253256 - UEFI Mode - Windows 11
KD Sec-n-Tech Secure Your Computer
Introduction:
Hello and Welcome!
We're thrilled to have you join us on this journey towards greater cybersecurity awareness and implementation. Our bi-weekly newsletter is designed to keep you up-to-date with the latest in Security Technical Implementation Guides (STIGs) and general security best practices.
Whether you're a seasoned professional in the cybersecurity field or someone who's simply interested in improving your security posture, our goal is to make this information accessible and valuable to you.
In each issue, we'll delve into specific STIGs, discuss why they're important, and explain how vulnerabilities could be exploited if left unaddressed. We'll also provide detailed implementation guidance, and even PowerShell scripts for those comfortable with a bit of scripting.
Remember, security is not a one-time task, but an ongoing endeavor. We're here to support you every step of the way. We encourage you to reach out with any questions, comments, or suggestions you may have – your feedback is what makes our community stronger.
So, sit back, grab your favorite beverage, and let's dive into this issue's STIGs!
Summary:
Security Technical Implementation Guide (STIG) V-253256 lays down the requirement that Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
Importance:
UEFI provides additional security features compared to the legacy BIOS firmware, including Secure Boot. UEFI is necessary to support additional security features in Windows 11, such as virtualization-based Security and Credential Guard. Systems with UEFI that operate in Legacy BIOS mode will not support these security features.
Exploitation:
If UEFI is not enabled, the system will not benefit from the added security features that UEFI provides. This could leave the system more vulnerable to exploitation through various attack vectors, including those that Secure Boot is designed to protect against.
Checking for Compliance:
Run "System Information". Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a finding. For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this is Not Applicable (NA).
Remediation:
Configure the UEFI firmware to run in UEFI mode, not Legacy BIOS mode.
PowerShell Script:
# Set the vulnerability number
$vulnNumber = "V-253256"
# Set the Working Directory
$WorkingDirectory = "C:\Add\The\Directory\Here"
# Set the file path
$filePath = "$($WorkingDirectory)\$vulnNumber.txt"
# Create or clear the status file
$existingStatusFile = Test-Path $filePath
if (-not $existingStatusFile) {
New-Item -Path $filePath -ItemType File -Force -Confirm:$false
} else {
Clear-Content -Path $filePath
}
# Define the vulnerability details
$status = "Open"
$findingDetails = "Windows 11 systems do not have Unified Extensible Firmware Interface (UEFI) firmware and are not configured to run in UEFI mode."
$comments = "Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode."
# Check the system firmware type
$firmwareType = (Get-ComputerInfo).BiosFirmwareType
if ($firmwareType -eq "UEFI") {
$status = "NotAFinding"
$findingDetails = "Windows 11 systems have Unified Extensible Firmware Interface (UEFI) firmware and are configured to run in UEFI mode."
}
# Write the variables to the status file
$status | Set-Content -Path $filePath
$findingDetails | Add-Content -Path $filePath
$comments | Add-Content -Path $filePath
# Write the variables to the screen
Write-Host "The status is as follows: $status"
Write-Host "The finding details are as follows: $findingDetails"
Write-Host "The finding details are as follows: $comments"
PowerShell Script Explanation:
This PowerShell script helps automate the process of checking the system's firmware type and documenting the results. Here’s what the script does step-by-step:
Sets the vulnerability number (V-253256).
Defines the working directory and file path for a text file where the status of the check will be stored.
Initializes the status file by creating it if it doesn't exist or clearing it if it does.
Defines initial values for the status, finding details, and comments.
Checks if the system firmware type is UEFI.
If the firmware is UEFI, updates the status and finding details to indicate compliance.
Writes the status, finding details, and comments to the status file and outputs them to the console.
Please ensure that you replace "C:\Add\The\Directory\Here" with the actual directory where you want to save the status file. Also, note that you need to run this script with administrative privileges as it queries the system information.
Remember that maintaining UEFI mode is crucial for leveraging the advanced security features offered by Windows 11, keeping your systems secure and compliant.
Note from the Author:
This is the second in our series of implementation guides for Defense Information Systems Agency (DISA) public Security Technical Implementation Guides (STIGs). As always, my goal is to help you in securing your systems with the right knowledge and tools. Stay tuned for more insights and scripts to automate your security compliance. Don't forget to mark your calendars; the next email will be sent on Monday.
Links:
DISA Cyber: https://public.cyber.mil/stigs/downloads/
Kingdom Dominion Security & Technology: https://www.kdsecntech.com/
Thank you for being a part of our cybersecurity community. Your participation and feedback are invaluable in making this initiative a success. Feel free to reach out with any questions or suggestions, and let's work together to build a more secure cyberspace.
Stay safe and secure!
Kingdom Dominion Security & Technology
Reply