Lock down the BIOS to defend against rogue users

Mike Mullins tells you how to lock down the BIOS on company machines to prevent rogue users from wreaking havoc on the network.

While writing this column over the years, I've covered a lot of ground on defensive perimeters and setting up Defense in Depth tools to protect your local resources, and I've discussed the importance of mitigating physical risks. But what should you do to protect your systems once they've fallen into the wrong hands?

First, let's define who we're talking about when we say wrong hands. We'd all like to think of the enemy as a James Bond wannabe trying to steal data for queen and country (or money). But let's face it: The enemy is most likely the person two cubicles over who thinks he or she needs more permissions than you've granted.

These rogue users just want to test your organization's security for vulnerabilities or load a software program to make their workday more enjoyable. They're not really malicious, but they can cause plenty of disruption when their freeware program turns out to be a bot loader and enlists your company network to join the bot nation.

And that's what you need to remember: A lot of times, your biggest threats are already working for you -- and they often don't even have evil intentions. So how do you counteract the fact that they already have physical access to your machines and keep them from wreaking havoc?

The goal is to prevent users from booting from anything other than the hard drive. Several tools that boot from CD-ROM or USB devices allow a user to change the administrator password or install files, and that's why you need to remove users' ability to use them.

To do so, you need to access the BIOS and lock it down. Keep in mind that there are a lot of different computer companies and several different major BIOS manufacturers.

What if you don't know how to access the BIOS for a machine? Search the Internet for "yourcomputertype BIOS setup key" (e.g., Dell 6000 BIOS setup key). You can also check out this Web site by Michael Stevens.

Because there are so many different variables, let's walk through the steps on the machine that I'm currently using: Dell Inspiron E1705. To lock down the BIOS, follow these steps:

1. On boot, press [F2] to access the BIOS setup.

2. Under System, select Boot Sequence.

3. Make sure the Internal HDD is the only device with a number beside it.

4. Press [Esc], and select Save.

5. Under Security, select Admin Password.

6. Set an admin password. (This will prevent someone from changing boot options or changing the BIOS setup, but it won't interfere with normal operation.)

And that's it! Unless a user has the BIOS admin password, he or she will be stuck booting up what your company provides -- and nothing else.

Some manufacturers bundle enterprise tools with their servers to manage BIOS options remotely, so you won't necessarily have to visit every machine in your company to roll out this internal security fix.
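Whether you set these options by hand or push them out with a vendor's remote management tool, you still want a way to confirm that every machine actually ended up with a hard-drive-only boot order and an admin password. The script below is an added example, not part of Mullins' article and not any vendor's tool: it audits a fleet export against the two settings from the steps above, plus the one-time boot-menu override that a keypress at POST can offer on some BIOS versions. The `[host=...]` block format, the field names (`boot_sequence`, `admin_password`, `boot_menu_override`) and the sample values are all constructed for this example.

```python
"""Audit a BIOS settings export against the lock-down policy above.

Added example. The export format and field names are assumptions made for
this example, not the output of any real vendor tool. Policy checked:
  * boot sequence contains only the internal hard drive
  * BIOS admin password is set
  * no one-time boot-menu override is available without that password
"""
from __future__ import annotations

# Constructed sample export: one [host=...] block per machine, key=value lines.
SAMPLE_EXPORT = """\
[host=ws-001]
boot_sequence=Internal HDD
admin_password=set
boot_menu_override=disabled

[host=ws-002]
boot_sequence=CD/DVD,Internal HDD,USB Storage
admin_password=not_set
boot_menu_override=enabled

[host=ws-003]
boot_sequence=Internal HDD
admin_password=set
boot_menu_override=enabled
"""

# The only boot device the policy permits (compared case-insensitively).
ALLOWED_BOOT_DEVICES = {"internal hdd"}


def parse_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the constructed export into {hostname: {setting: value}}."""
    hosts: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[host=") and line.endswith("]"):
            current = line[len("[host="):-1]
            hosts[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            hosts[current][key.strip().lower()] = value.strip()
    return hosts


def audit_host(settings: dict[str, str]) -> list[str]:
    """Return the policy findings for one host; an empty list means compliant."""
    findings: list[str] = []
    devices = [d.strip().lower()
               for d in settings.get("boot_sequence", "").split(",")
               if d.strip()]
    if not devices:
        findings.append("boot sequence missing from export")
    extra = [d for d in devices if d not in ALLOWED_BOOT_DEVICES]
    if extra:
        findings.append("boot sequence allows non-HDD devices: " + ", ".join(extra))
    if settings.get("admin_password", "").lower() != "set":
        findings.append("BIOS admin password not set")
    # A boot menu reachable at POST without the admin password lets a user
    # pick a CD or USB device regardless of the stored boot order.
    if settings.get("boot_menu_override", "").lower() == "enabled":
        findings.append("boot-menu override enabled")
    return findings


def audit_fleet(text: str) -> dict[str, list[str]]:
    """Audit every host in the export; returns {hostname: [findings]}."""
    return {host: audit_host(s) for host, s in parse_export(text).items()}


if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_EXPORT).items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the constructed sample, ws-001 passes, ws-002 is flagged for all three settings, and ws-003 shows the case the comments below describe: correct boot order and password, but a boot-menu override that undoes both. In practice you would feed `parse_export` whatever per-host settings your management tool can dump, adapting the key names to match.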

Final thoughts

Bootable admin password utilities and rootkits are out there, so it's vital that you make sure they can't operate on your network. You can prevent users from inadvertently putting your network at risk -- it just takes an extra step in your security strategy.

21 comments
MosAhm

I had this case and the user can just easily remove the battery and reset the BIOS to default and then he will be able to change whatever he wants?? Is there any way to protect this, by installing any S/W on the BIOS itself?

Forum Surfer

While this is almost as simple to bypass as it is to implement, it is still a necessary step to tightening overall security. It isn't foolproof or absolutely certain, but it does help.

dawgit

But it can also start a lot of problems as well. Like never accessing that machine ever again, if the user disappears from the picture for some reason. Or, someone thinks they need to access that computer, and locks it up forever. There must be an established policy that keeps the password hard copied somewhere safe. It's one strategy, but just one. Physical security is still the best over-all route. IMHO (and experience) -d

me19562

Locking the BIOS is very important and should be part of the process of setting up every new computer in an organization. But there is still one risk, and that is that a user could open the computer and reset the BIOS. So if it's really important for the organization to avoid any risk associated with an unlocked BIOS, the computer case should be locked as well.

Selena Frye

What do you consider to be your biggest internal security threats? Is locking down the BIOS standard operating procedure for your organization?

normhaga

Save BIOS kill to USB device; rename to *.txt; use Word to save file to HD; rename to *.exe; execute. Bye-bye BIOS password. A passworded BIOS only keeps an honest user honest. There are too many ways around it, as several posts have indicated.

jjeter

Using the F8 boot and the F12 boot are very good ways to defeat the BIOS lock. Linux-based hacking tools render the BIOS lock a complete joke and a waste of time. Also, we must not forget that resident Trojan worm viruses and various forms of malicious code can live in or hide within the EEPROM chip. Thus, it will reinfect the hard drive after vigorous efforts to remove the bug. I always flash and reprogram the BIOS, EVERY TIME I clean and remove evil bugs from within the system's hard drives. If you don't, the bug will replicate and reinfect the hard drive from the BIOS itself, without a doubt!

optmystc1

Regarding: Your BIOS is MINE! Ha Ha, sorry for the attention-getting title. I am really a very nice person, but here are a few worrisome facts about most BIOS routines: (1) BIOS passwords (at the supervisor or admin level) will stop most users, but not me! In most new BIOS routines, pressing or some other specified key will bring up an alternate boot-priority menu, even if there is a BIOS password in effect. I have seen this on several Dell motherboards with Pentium 4 processors; most of the older machines do not have this "back door". So I can place Winternals or another Linux-based CD in the drive, and it will reset the Administrator's password in any Windows system, without knowing the old password. Admittedly, I do not know if it works on Vista - YET! (2) If I can open your PC, it is "mine". I merely remove the CMOS battery and reset the shunt (jumper), then replace both, and boot up, and there is NO PASSWORD on the BIOS. Plus, the default boot sequence is invariably CD first, followed by hard drive. So I have control. -- I agree with the basic outline of the BIOS article; but BIOS safety features are like locking your doors. Such a practice will only keep HONEST people out! P.S. Many BIOS routines offer the option of changing the language on the BIOS to German, Mandarin, etc. I set it to Mandarin and place a password on it. If a user stumbles into the BIOS, they will KNOW they are in the wrong place! (Then again, if they hail from China...) Take care, Lynn Erla Beegle, Raleigh, NC

BALTHOR

But on the Internet a hacker can enter your BIOS and change BIOS settings with a virus. The settings that a hacker might alter with a virus could be the Front Side Bus frequency and multiplier or the hard drive plug and play detect. Hackers don't need passwords.

gary-knight

In the main we do this here - set the boot device and password. However, I have noticed that some manufacturers - in their wisdom - have allowed you to choose the boot device during the boot process. These can sometimes also include USB devices; this then makes life a lot harder to control - short of removing the power cable to them. Gary Knight MBCS MRI TMIET, Millbrook Community School, Southampton, UK

The Scummy One

do not allow a 'bypass' for these. You may need to replace the MB to get it working again. And in some cases the HDD holds part of the key, so even the HDD is useless if put in a different system.

The Scummy One

While it is a deterrent for thieves (mainly NB) it does little to protect the data, as removing the drive gives access (unless encrypted). For orgs using 2k/XP it is a good start to lock the BIOS; if someone snags it they likely need to buy a new MB. Encryption on anyone's system that has confidential data is also a good start. Physical security is another good one; however, end user training and responsibility are just as important. A computer can be rebuilt/replaced; however, often the data cannot, or it may be too pricey. For these reasons good backups are needed. If a company does not provide backup SW for critical systems, it is asking for disaster. For security purposes all of these come into play to create a well guarded system. Make the system as hard to obtain data from as possible for lost/stolen equipment. Put a power scheme in place for those that refuse to lock their system (OS) when they walk away, and make sure that everyone locks (physical) at their desk and while away. Of course, even the most educated users will still miss some of these steps often enough, so they need to be reminded periodically as well.

ksprott1996

Any chance I could enlist your help? I would appreciate it very much! Thank you! Kim Sprott ksprott1996@yahoo.com

ksprott1996

I have a Dell D410 with BIOS Version A05. I have lost the administrator password for the BIOS and cannot change my boot sequence because of it! Do you think you could help me? Thanks much! Kim Sprott, Scottsdale, AZ

gshollingsworth

I also saw the option to choose your boot device on many machines. Some still present the keypress choice to choose boot options even though only one is available, such as the primary hard drive. Others do in fact override an administrator's security intentions. There is a wide variety of BIOS implementations. You will have to test each type you have. Don't forget that different versions can behave differently. An older version may allow override, but a newer version enforces an administrator's intent.

dawgit

It's a multi-faceted solution, with tiers of security to ensure anything close to "Secure". And you're also right, it needs to be re-enforced regularly. I have at times found myself careless as well. :0 It was those (now) older NBs that I was thinking of when I mentioned bye-bye for ever. They were good though; I kind of wish it was still that way. (There's still a lot in use BTW.) With the disk encryption we have the same situation however. I can't understand how many times idiots don't do anything, and "lose" Data. X-( Shoot 'em. :0 :^0 -d

optmystc1

Sorry, Kim, that I did not get back to you. I did not see the posting. Ooops. I am sure you solved the problem by now, or given up.... I feel badly (as I should!) I did a little looking about and realized that you are probably talking about a laptop. Those are very difficult to reset, since the battery is buried deep inside the case. Try this web site: http://www.techspot.com/vb/topic83343.html I did a search on your computer model, plus the words BIOS and reset, to find this link. Let me know; I hope to check here a little more often than every six months! -Thanks, Erla Beegle

Mike Mullins

Those are good points on how some BIOS will allow an override without a BIOS password, which might lead to another checkbox on your approval form when it comes to purchasing new equipment. If you can't secure the BIOS and implement a hard-drive-only boot, then perhaps you need to look for a new vendor for your company computing needs.

Robbi_IA

My first thought on reading the original article had to do with reset mechanisms. Is there a way to keep the user from resetting the BIOS passwords? Or do we have to just be sure to plan our purchasing around systems that don't have a reset mechanism?

RandalBarnes

Some PCs (e.g. the Dell Latitude D610) let you choose which devices are available in the boot list. When we deploy machines in public venues we only allow booting from the hard drive and we turn on the BIOS admin password. Also, a word of warning. Some manufacturers (Lenovo Thinkpads, for example) do not have a good mechanism for resetting the BIOS password if you forget it. In the case of a Thinkpad, you have to replace the motherboard. Most, but not all, manufacturers' boards will reset if you remove the battery keeping the CMOS memory alive.