STIG V-253257 - Secure Boot - Windows 11

KD Sec-n-Tech

Introduction:

Hello again!

Welcome back to the newsletter focusing on Security Technical Implementation Guides (STIGs) for Windows 11. We’re excited to continue empowering you with the knowledge and tools to secure your systems effectively.

In this segment, we'll be exploring another critical aspect of securing Windows 11 systems: Secure Boot. Let's dive into the details!

Summary:

Security Technical Implementation Guide (STIG) V-253257 mandates that Secure Boot must be enabled on Windows 11 systems.

Importance:

Secure Boot is a UEFI firmware feature that allows the system to start only with boot software (bootloaders, option ROMs and firmware drivers) whose signature chains to a certificate the firmware trusts. This is crucial in preventing malicious software and unauthorized operating systems from loading during the system start-up process, before the operating system and its defenses are running. Secure Boot is also essential for supporting additional security features in Windows 11, including virtualization-based security (VBS) and Credential Guard, which rely on a trusted boot chain.

Exploitation:

If Secure Boot is disabled, the firmware will hand control to any bootloader, signed or not. Malware that gains write access to the EFI System Partition can then insert itself ahead of the Windows kernel as a bootkit, loading before antivirus, driver signature enforcement and other OS-level defenses are active. Disabling Secure Boot also weakens or prevents the additional security features that depend on it, such as VBS and Credential Guard.

Checking for Compliance:

To verify if your system firmware is configured for Secure Boot, run "System Information" (msinfo32.exe). Under "System Summary", if "Secure Boot State" does not display "On", this is a finding. A value of "Unsupported" indicates the firmware is booting in legacy BIOS mode, where Secure Boot is not available; this is also a finding. For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this check is Not Applicable (NA).

Remediation:

Enable Secure Boot in the system firmware (UEFI) settings. Secure Boot is only available when the firmware boots in UEFI mode; a system running in legacy BIOS/CSM mode must first be converted to UEFI boot before the setting can be enabled.

PowerShell Script:

# Set the vulnerability number
$vulnNumber = "V-253257"

# Set the Working Directory
$WorkingDirectory = "C:\Add\The\Directory\Here"

# Set the file path
$filePath = "$($WorkingDirectory)\$vulnNumber.txt"

# Create or clear the status file (Out-Null suppresses the object New-Item emits)
$existingStatusFile = Test-Path $filePath
if (-not $existingStatusFile) {
    New-Item -Path $filePath -ItemType File -Force -Confirm:$false | Out-Null
} else {
    Clear-Content -Path $filePath
}

# Define the vulnerability details (defaults describe the "Open" case)
$status = "Open"
$findingDetails = "Secure Boot is not enabled on Windows 11 system(s)."
$comments = "Enable Secure Boot in the system firmware, as verified using the Confirm-SecureBootUEFI command."

# Check the Secure Boot status.
# Confirm-SecureBootUEFI requires an elevated session and throws
# PlatformNotSupportedException on legacy BIOS firmware, where Secure Boot
# cannot be enabled at all; that case must still be recorded as "Open".
$secureBootStatus = $false
try {
    $secureBootStatus = Confirm-SecureBootUEFI -ErrorAction Stop
} catch [System.PlatformNotSupportedException] {
    $findingDetails = "System firmware is legacy BIOS (not UEFI); Secure Boot is not available."
    $comments = "Convert the system to UEFI boot mode, then enable Secure Boot in the system firmware."
} catch [System.UnauthorizedAccessException] {
    throw "Confirm-SecureBootUEFI requires an elevated (administrator) PowerShell session."
}

if ($secureBootStatus) {
    $status = "NotAFinding"
    $findingDetails = "Secure Boot is enabled in the system firmware, as verified using the Confirm-SecureBootUEFI command."
    $comments = "Not a finding."
}

# Write the variables to the status file
$status         | Set-Content -Path $filePath
$findingDetails | Add-Content -Path $filePath
$comments       | Add-Content -Path $filePath

PowerShell Script Explanation:

This PowerShell script is designed to automate the process of checking the Secure Boot status and documenting the results. Here’s what the script does step-by-step:

  1. Sets the vulnerability number (V-253257).

  2. Defines the working directory and file path for a text file where the status of the check will be stored.

  3. Initializes the status file by creating it if it doesn't exist or clearing it if it does.

  4. Defines initial values for the status, finding details, and comments.

  5. Checks the Secure Boot status using the Confirm-SecureBootUEFI command.

  6. If Secure Boot is enabled, updates the status and finding details accordingly.

  7. Writes the status, finding details, and comments to the status file.

Please ensure that you replace "C:\Add\The\Directory\Here" with the actual directory where you want to save the status file. Also, note that you need to run this script with administrative privileges as it queries the Secure Boot status.
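The newsletter script records only on/off. The following is an added example (not part of the original script or of the DISA STIG) that separates the three states a reviewer actually meets, legacy BIOS, UEFI in Setup Mode with no platform key enrolled, and UEFI with Secure Boot simply switched off, since each has a different remediation, and then reports whether the features the Importance section ties to Secure Boot (VBS, Credential Guard, HVCI) are running, using the Win32_DeviceGuard WMI class. The function names are this example's own; it assumes an elevated session on Windows 11.

```powershell
# Added example, not the newsletter's script. Requires an elevated session.
#Requires -RunAsAdministrator

function Get-SecureBootReport {
    # $env:firmware_type is set by Windows to "UEFI" or "Legacy".
    $report = [ordered]@{
        FirmwareType      = $env:firmware_type
        SecureBootEnabled = $false
        SetupMode         = $null        # 1 = no platform key (PK) enrolled
        Status            = 'Open'
        Detail            = ''
    }

    if ($report.FirmwareType -ne 'UEFI') {
        $report.Detail = 'Legacy BIOS firmware: Secure Boot is unavailable until the system is converted to UEFI boot.'
        return [pscustomobject]$report
    }

    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        # The UEFI "SetupMode" variable is 1 while no PK is enrolled; the
        # firmware cannot enforce Secure Boot in that state.
        $setup = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
        $report.SetupMode = [int]$setup.Bytes[0]
    } catch [System.PlatformNotSupportedException] {
        $report.Detail = 'Firmware reports UEFI but does not expose Secure Boot variables.'
        return [pscustomobject]$report
    }

    if ($report.SecureBootEnabled) {
        $report.Status = 'NotAFinding'
        $report.Detail = 'Secure Boot is enabled (Confirm-SecureBootUEFI returned True).'
    } elseif ($report.SetupMode -eq 1) {
        $report.Detail = 'Secure Boot is off because the platform is in Setup Mode; restore the factory keys (enroll the PK) in firmware setup, then enable Secure Boot.'
    } else {
        $report.Detail = 'UEFI firmware with keys enrolled but Secure Boot disabled; enable it in firmware setup.'
    }
    [pscustomobject]$report
}

function Get-VbsStatus {
    # Win32_DeviceGuard exposes the VBS state that the STIG rationale ties to
    # Secure Boot. Value meanings are from Microsoft's documentation of the class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # AvailableSecurityProperties: 2 = Secure Boot is present on the platform
        SecureBootAvailableToVbs = [bool]($dg.AvailableSecurityProperties -contains 2)
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning               = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuardRunning   = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning              = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

# Usage: print both reports. The Status field maps onto the STIG result
# (Open / NotAFinding) and the Detail field onto the remediation comment.
Get-SecureBootReport | Format-List
Get-VbsStatus        | Format-List
```

A machine that shows Status NotAFinding but VbsRunning False is still compliant with V-253257 itself; the second report is there so the reviewer can see whether the features that motivated the control are actually in force.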

Closing Note:

Secure Boot is an essential security feature that helps to ensure that your systems boot using only software whose signature the firmware trusts, typically the certificates the Original Equipment Manufacturer (OEM) provisions, including Microsoft's Windows boot signing authority. By enabling Secure Boot, you are adding an additional layer of security that is critical in protecting your systems from bootkits and other unauthorized software that runs before the operating system.

This is the third in our series of implementation guides for Defense Information Systems Agency (DISA) public Security Technical Implementation Guides (STIGs). We will continue to share insights and scripts to automate your security compliance. The next newsletter will be sent on Monday, so don’t miss it!

Links:

Kingdom Dominion Security & Technology: https://www.kdsecntech.com/

Thank you for being a part of our cybersecurity community. Your commitment to securing your systems is invaluable. If you have any questions or suggestions, please don’t hesitate to reach out. Together, let's build a more secure cyberspace.

Stay safe and secure!

Kingdom Dominion Security & Technology
