A rootkit is a right nasty piece of malware. You'd be wise to do whatever you can to keep rootkits out of your IT ecosystem.
Secure Boot, a security feature included in both Windows 8 and Windows Server 2012, can do an admirable job of finding, containing, and eliminating rootkits... but only if you keep it enabled. Unfortunately, there are a few reasons you might be tempted to disable it.
During the boot process, Secure Boot will scan your machine for any kernel-mode drivers. If those drivers have not been signed by a trusted certificate authority, then the operating system will simply not allow those drivers to run. This is excellent news if one of those unsigned drivers is actually a rootkit -- a particularly invasive type of malware that gives the attacker root access to your machine, thereby allowing them to do pretty much anything they want.
A rootkit might infect your machine via a common attack vector, such as a phishing message, nestling itself into your kernel without your having a clue. Or, it might come in the back end, being directly loaded onto the machine by a sinister individual who has physical access to the hardware. Regardless of how it makes its way onto the system, Secure Boot will stop that rootkit in its tracks during the boot process (assuming the rootkit hasn't falsely obtained a valid certificate, that is).
Windows 8 and Windows Server 2012 Certificates
If you want one of your perfectly legitimate kernel-mode drivers to load, but that driver hasn't yet obtained Windows 8 or Windows Server 2012 certification, then I'm afraid you're out of luck. Secure Boot is like a bouncer at a bar -- if you don't have the right credentials, you're not getting in, no matter who vouches for you or how much gray hair you have to prove you're above drinking age.
One of the complaints against Secure Boot from the Linux user community is that it prevents a user from booting up Linux on a Windows 8 machine. The Linux Foundation has been waiting for Microsoft to hand over a validly signed pre-boot loader -- which would tell Windows 8 that it's safe to load up Linux. In the meantime, the Linux community developed a workaround, but it's a very clunky process.
Sure, you can disable Secure Boot. But you'd be missing out on a great security mechanism that:
- Works on both clients and servers;
- Protects the exceptionally valuable core of all of your hardware; and
- Protects that core from untrusted or malicious applications that could be introduced not only from a remote attacker but from an attacker with direct physical access to the machine.
These features give Secure Boot the potential to be pretty special.
So, instead of disabling Secure Boot altogether, it's worth spending some time taking a close look at all your drivers before you decide to make the jump from one operating system to another. Identify all the drivers that access the kernel, and check to see if they've been signed by a trusted certificate authority. If the answer is no, then you might want to hold off on a migration until the answer is yes.
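As an added example (not code from the original post), here is a PowerShell script that does the driver audit described above on a Windows 8 / Server 2012 machine: it inventories the installed kernel-mode drivers, checks each one's Authenticode signature, and lists the ones that would not pass, after reporting whether Secure Boot is on. The Resolve-DriverPath helper is my own; the cmdlets used are standard Windows PowerShell.

```powershell
# Added example (not from the original post): inventory the kernel-mode drivers
# on a Windows 8 / Server 2012 machine and report which ones lack a valid
# Authenticode signature, before relying on Secure Boot to keep bad ones out.
# Run in an elevated PowerShell session.

# Is Secure Boot actually on? (SecureBoot module ships with Windows 8 / Server 2012)
try {
    $sbEnabled = Confirm-SecureBootUEFI
} catch {
    $sbEnabled = $false   # legacy BIOS / CSM mode: the cmdlet throws
}
Write-Host "Secure Boot enabled: $sbEnabled"

# Helper (my own): turn the raw PathName reported by WMI into a path Get-Item can open.
function Resolve-DriverPath([string]$raw) {
    $p = $raw -replace '^\\\?\?\\', ''                  # "\??\C:\..." -> "C:\..."
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # "\SystemRoot\..." -> "C:\Windows\..."
    if ($p -notmatch '^[A-Za-z]:\\') {                  # relative "system32\drivers\x.sys"
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

$report = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Name   = $_.Name
            State  = $_.State           # Running / Stopped
            Status = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer = $signer
            Path   = $path
        }
    }
}

# Drivers to investigate before migrating: anything without a valid signature.
# Caveat: in-box drivers signed only through a catalog (.cat) file can show up as
# NotSigned here; confirm those with "signtool verify /a /kp <file>" before
# treating them as untrusted.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

A driver that reports HashMismatch deserves immediate attention, since its file no longer matches what its signer shipped.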