BIOS Security


The A+ Exam Cram 6th Edition talks about the BIOS, its relationship with the CMOS and lithium battery, what you should monitor in the BIOS, and some basic BIOS security techniques. This short article condenses what you should know when it comes to BIOS security.

The BIOS can be the victim of malicious attacks; for mischievous persons it can also act as the gateway to the rest of the system. Protect it! Or your computer just might not boot. Here are a few ways to do so:

Use a BIOS password: The password that blocks unwanted persons from gaining access to the BIOS is also known as the supervisor password. Don’t confuse it with the user password (or power-on password), which the BIOS uses to verify a user’s identity before that user can access the operating system. Both of these are shown in the figure below.

On a semi-related note, many laptops come equipped with drive lock technology; this might simply be referred to as an HDD password. If enabled, it prompts the user to enter a password for the hard drive when the computer is first booted. If the user of the computer doesn’t know the password for the hard drive, the drive will lock and the OS will not boot. A hard drive ID of eight digits or so usually associates the laptop with the hard drive that is installed, as shown in the figure. On most systems this password is clear by default, but if the password is set and forgotten, it can usually be reset within the BIOS. Some laptops come with documentation clearly stating the BIOS and drive lock passwords.

Flash the BIOS: Flashing is the term used to describe the updating of the BIOS. By updating the BIOS to the latest version, you can avoid possible exploits and BIOS errors that might occur. All new motherboards have at least one new BIOS version issued within the first 6 months of the motherboard’s release. For more information on BIOS updating, see Chapter 2, “Motherboards” in the A+ Exam Cram 6th edition.

Configure the BIOS: Set up the BIOS to reduce the risk of infiltration. For example, change the BIOS boot order (boot device priority) so that it looks for a hard disk first and not any type of removable media. Also, if company policy requires it, disable removable media including USB ports and the floppy drive. Make sure that any unnecessary options are disabled, such as Wake-on-LAN (WOL) and PXE network boot. Consider turning on case intrusion monitoring, which logs whether the case was opened and when.
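
The boot-order and PXE/removable-media settings above can be checked from the operating system on UEFI machines. The following is an added example, not code from the book or this article: it assumes a Linux system where the output of `efibootmgr -v` is available, and the sample output, entry labels and function names are constructed for illustration.

```python
import re

# Constructed sample of `efibootmgr -v` output (not from a real machine).
SAMPLE = (
    "BootCurrent: 0001\n"
    "Timeout: 1 seconds\n"
    "BootOrder: 0003,0001,0004,0002\n"
    "Boot0001* ubuntu\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)"
    "/File(\\EFI\\ubuntu\\shimx64.efi)\n"
    "Boot0002  USB Flash Disk\tPciRoot(0x0)/Pci(0x14,0x0)/USB(2,0)/HD(1,MBR,0x0,0x800,0x1000)\n"
    "Boot0003* PXE IPv4\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,0)/IPv4(0.0.0.0,0,DHCP)\n"
    "Boot0004* DVD Drive\tPciRoot(0x0)/Pci(0x17,0x0)/Sata(1,65535,0)/CDROM(0x1,0x0,0x0)\n"
)

# "BootNNNN", then "*" (active) or " " (inactive), then label and device path.
ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})([* ]) (.*)$")

def classify(path):
    """Classify an entry by its UEFI device-path nodes."""
    if re.search(r"\b(MAC|IPv4|IPv6)\(", path):
        return "network"
    # Checked before HD(: a USB stick's partition also carries an HD( node.
    if re.search(r"\b(USB|CDROM)\(", path):
        return "removable"
    return "disk" if re.search(r"\bHD\(", path) else "other"

def audit(output):
    """Return findings where the boot list departs from disk-first, no PXE/removable."""
    order, entries = [], {}
    for line in output.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip().upper() for n in line.split(":", 1)[1].split(",") if n.strip()]
        m = ENTRY.match(line)
        if m:
            label = m.group(3).split("\t")[0]
            entries[m.group(1).upper()] = (m.group(2) == "*", classify(m.group(3)), label)
    # The firmware walks BootOrder and skips inactive entries.
    active = [(n,) + entries[n][1:] for n in order if n in entries and entries[n][0]]
    findings = []
    if active and active[0][1] != "disk":
        findings.append(f"first boot device is {active[0][1]}: Boot{active[0][0]} {active[0][2]}")
    for num, kind, label in active:
        if kind in ("network", "removable"):
            findings.append(f"{kind} boot entry enabled: Boot{num} {label}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

This covers only the boot list; WOL, port disablement and case intrusion monitoring are set in the firmware setup screens and are not visible in this output.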

On a final note, these concepts should be considered for a virtual machine’s BIOS as well. Secure the BIOS of your physical and virtual computers, and it will help to protect the entire computer and operating system.