CompTIA Security+ (SY0-601) — Question 208

A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk computer’s operating system has been hardened and tested. A security engineer is concerned that someone could use removable media to install a rootkit. Which of the following should the security engineer configure to BEST protect the kiosk computer?

Answer options

• A. Measured boot
• B. Boot attestation
• C. UEFI
• D. EDR

Correct answer: A

Explanation

Measured boot is the correct choice because it ensures that each component of the boot process is verified and can help detect unauthorized changes, such as a rootkit. Boot attestation, while useful, does not directly prevent the installation of malicious software. UEFI is a firmware interface that does not inherently provide the protection needed against rootkits, and EDR focuses more on endpoint detection rather than boot integrity.