While writing this column over the years, I’ve covered a lot of ground on defensive perimeters and setting up Defense in Depth tools to protect your local resources, and I’ve discussed the importance of mitigating physical risks. But what should you do to protect your systems once they’ve fallen into the wrong hands?
First, let’s define who we’re talking about when we say wrong hands. We’d all like to think of the enemy as a James Bond wannabe trying to steal data for queen and country (or money). But let’s face it: The enemy is most likely the person two cubicles over who thinks he or she needs more permissions than you’ve granted.
These rogue users just want to test your organization’s security for vulnerabilities or load a software program to make their workday more enjoyable. They’re not really malicious, but they can cause plenty of disruption when their freeware program turns out to be a bot loader and enlists your company network to join the bot nation.
And that’s what you need to remember: A lot of times, your biggest threats are already working for you — and they often don’t even have evil intentions. So how do you counteract the fact that they already have physical access to your machines and keep them from wreaking havoc?
The goal is to prevent users from booting from anything other than the hard drive. There are several tools that are bootable from CD-ROM and USB device that allow a user to change the administrator password or install files. And that’s why you need to remove users’ ability to use these tools.
To do so, you need to access the BIOS and lock it down. Keep in mind that there are a lot of different computer companies and several different major BIOS manufacturers.
What if you don’t know how to access the BIOS for a machine? Search the Internet for “yourcomputertype BIOS setup key” (e.g., Dell 6000 BIOS setup key). You can also check out this Web site by Michael Stevens.
Because there are so many different variables, let’s walk through the steps on the machine that I’m currently using: Dell Inspiron E1705. To lock down the BIOS, follow these steps:
1. On boot, press [F2] to access the BIOS setup.
2. Under System, select Boot Sequence.
3. Make sure the Internal HDD is the only device with a number beside it.
4. Press [Esc], and select Save.
5. Under Security, elect Admin Password.
6. Set an admin password. (This will prevent someone from changing boot options or changing the BIOS setup, but it won’t interfere with normal operation.)
And that’s it! Unless an authorized user has the BIOS admin password, he or she will be stuck booting up what your company provides — and nothing else.
Some manufacturers bundle enterprise tools with their servers to manage BIOS options remotely, so you won’t necessarily have to visit every machine in your company to roll out this internal security fix.
Bootable admin password utilities and rootkits are out there, so it’s vital that you make sure they can’t operate on your network. You can prevent users from inadvertently putting your network at risk — it just takes an extra step in your security strategy.