KBTAG: kben10000001
URL: http://www.securityportal.com/lskb/10000000/kben10000001.html
Date created: 20/07/2000
Date modified:
Date removed:
Authors(s): Kurt Seifried seifried@securityportal.com
Topic: BIOS security
Keywords: Hardware/BIOS, Hardware/Serial,
Hardware/USB, Console
Most modern computer BIOS's have a variety of options that can be used to secure access to the machine console and other local types of access, as well as some types of remote access. You can usually set a password(s) to control access to the BIOS itself, the use of removable media for booting, and so on. Using these controls properly can significantly enhance security.
Enter your BIOS, usually by hitting the "delete", "F2", "F10" or a similar key while the computer is booting (there will usually be a message at the bottom of the screen). From here you will see options like "Security" and "Boot". The security section will usually let you enable a "Supervisor" and a "User" password. The "Supervisor" password typically controls access to the BIOS, and the "User" password lets you specify things like the need to enter a password to power on the machine, or boot from removable media. These options will of course vary between BIOS's so please read your computer manual, or the built-in help that most BIOS's have. Additionally some laptop BIOS's have additional features such as a power on password, and a harddrive password.
For servers you might consider disabling "unattended startup" (that is set it so that a password is required to reboot), this prevents an attacker from making low level changes (such as installing a new kernel) and rebooting the machine (and resetting all the logs/etc.). You should also disable the floppy disk drive, and set the computer to only boot from an internal harddisk (booting from an external array can result in an attacker swapping some cables and booting from a portable SCSI Jaz drive).
Setting the "Supervisor" password is a good idea, as it prevent users from fiddling around in their computer's BIOS and potentially breaking settings, or enabling things that should not be enabled. Keep in mind however that a user can more then likely retrieve passwords and settings from their BIOS, using software that typically requires full access to the computer (a given under Windows 95, 98, not so easy under Linux or NT).
Another technique to prevent problems is to disable all the serial ports, most modern workstations do not need serial ports (Ethernet, PS/2 keyboard and PS/2 mouse, USB, etc.), and allowing the serial port only increases the chance a user might hook up an external modem quickly and install something like PC Anywhere so they can quickly access their machine from home. If you do not need the parallel port (considering most people use network printers nowadays), you should also consider disabling it, as many removable storage devices (such as Zip drives, portable CD burners, etc.) use it, this will prevent the ease of copying mass quantities of data off the machine and taking it out of the office.
Newer BIOS's like the one on Intel 810 motherboards can be set to disable the keyboard until the "User" password is types in, this is a useful feature for servers. You should also disable "Scan User Flash Area" as chances are you will not use it, and an attacker could use it to load malicious code on the next reboot.
http://www.esiea.fr/public_html/Christophe.GRENIER/ - Software to retrieve BIOS passwords
http://www.securityparadigm.com/defaultpw.htm - List of default passwords including computer BIOS passwords
Most BIOS's have built in help explaining the various options and functions, as well most manufacturer sites have online documentation.
There is also a huge list of default passwords at: http://www.securityparadigm.com/defaultpw.htm