Exam CAS-004
Question 30

A systems administrator is in the process of hardening the host systems before connecting to the network. The administrator wants to add protection to the boot loader to ensure the hosts are secure before the OS fully boots.

Which of the following would provide the BEST boot loader protection?

    Correct Answer: D

    Reference:

    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-898217D4-689D-4EB5-866C-888353FE241C.html

Discussion
dangerelchulo Option: D

Was leaning to TPM, but this CompTIA explanation: Setting a BIOS/UEFI password to prevent access that could lead to a boot to an external operating system. Using open case alerts that can warn you when the case of the system is opened.

23169fd

TPM is a hardware-based security feature that can store cryptographic keys and perform security-related functions. While TPM can be used in conjunction with UEFI to enhance security, TPM alone does not directly protect the boot loader.

Noragretz Option: A

I was going to choose D, except BIOS does not have a secure boot feature; only UEFI does. Therefore I choose A - TPM.

Geofab Option: D

I think a TPM (measured boot) is the best boot loader protection, but I think for this question, the answer is D. UEFI/BIOS because of the keyword "Secure" for Secure boot

BlackdaRipper Option: D

D is correct. https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-898217D4-689D-4EB5-866C-888353FE241C.html

saucehozz

This question doesn't ask how to switch the firmware of VM with PowerCLI. The provided answer is far off.

saucehozz

I also had a good laugh.

margomi86 Option: D

UEFI/BIOS would provide the BEST boot loader protection. The Unified Extensible Firmware Interface (UEFI) or Basic Input/Output System (BIOS) is responsible for booting the operating system and loading it into memory. By securing the boot loader with a password and enabling secure boot, the administrator can prevent unauthorized modifications to the boot loader and the operating system. This can help protect against malware attacks and unauthorized access to the system. TPM (Trusted Platform Module) and HSM (Hardware Security Module) are hardware security devices that can also provide boot loader protection, but they may be more expensive and complex to implement. PKI (Public Key Infrastructure) is a framework for managing digital certificates, which may be used for authentication and encryption, but it is not directly related to boot loader protection.

FoxTrotDG

Nowhere does it talk about a budget or the complexity to implement. I don't know about the best, but the most secure would be TPM.

saucehozz

Wow. Just wow.

david124 Option: A

A. TPM (Trusted Platform Module) would provide the BEST boot loader protection. A TPM is a hardware component that provides secure storage and cryptographic operations. It can ensure that the boot loader and operating system have not been tampered with before allowing them to load. This can help prevent malware and other malicious code from being loaded onto the system.

B. HSM (Hardware Security Module) is a hardware device that can provide secure storage and cryptographic operations, but it is typically used for protecting keys and other sensitive data rather than boot loader protection.

C. PKI (Public Key Infrastructure) is a system for managing digital certificates and public key encryption. While it can be used for secure booting, it would typically be used in conjunction with other technologies such as a TPM.

D. UEFI/BIOS (Unified Extensible Firmware Interface/Basic Input/Output System) are firmware interfaces that control the boot process of a computer. While they can be configured to provide some level of boot loader protection, they are not as secure as a TPM.

23169fd Option: D

UEFI (Unified Extensible Firmware Interface) and BIOS (Basic Input/Output System) are firmware interfaces for booting the operating system. UEFI, in particular, provides several security features such as Secure Boot, which ensures that only signed and trusted boot loaders and OS kernels are loaded during the boot process. This prevents unauthorized code from running before the operating system is fully loaded.

SangSang Option: D

I went with A at first, but after a little research I noticed that the TPM is the place for storing the cryptographic key securely; the TPM itself doesn't provide secure boot, that job belongs to UEFI/BIOS. Yes, the combination of the secure boot feature and TPM is quite nice, but in fact secure boot still belongs to UEFI/BIOS, not TPM.

The_Lucifer Option: A

Should it be TPM based on Question 191?

CoolCat22 Option: A

aaaaaaaaaaaaaa

ThatGuyOverThere Option: A

UEFI secure boot features rely on TPM. https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process

BiteSize Option: D

UEFI/BIOS Start of Secure Boot. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)

saucehozz

BIOS doesn't allow Secure Boot

FoxTrotDG Option: A

The best option for providing boot loader protection would be A. TPM (Trusted Platform Module). TPM is a hardware-based security feature that provides a secure storage area for cryptographic keys and ensures the integrity of the boot process. It can be used to verify the integrity of the boot loader, which is responsible for loading the operating system, and prevent unauthorized modifications or malware from being loaded at boot time.