What kind of safety does the BIOS password guarantee?

Asked 2 months ago, Updated 2 months ago, 5 views

Question

What are typical BIOS passwords and what kind of safety do they guarantee?

Background

When I was reading someone else's question, I noticed that there were several things called BIOS passwords.If you look at English Wikipedia, it says that there are many different passwords in the BIOS as follows:

Setting various passwords, such as a password for securing access to the BIOS user interface functions itself and preventing malicious users from booting the system from unauthorized portable storage devices, a password for booting the system, or a hard disk drive password that limits access to it and stays assigned even if the hard disk drive is moved to another computer

In other words, there are at least three types:

When I was thinking about how this works, I realized that there were a few things I didn't know.

  • What exactly does the first password want to protect in the BIOS settings?Do you mean that you want to prevent inadvertent changes in the boot order?But if you can replace the connected storage itself, won't you be able to boot from another storage without changing the boot order?
  • I understand that the second password is to request a password before the OS starts up, so that it won't log in unauthorizedly, for example, after booting the system over the network, such as a bug in the operating system or other software.
  • Where is the third password stored in the first place?Even if I try to protect my hard disk, I feel like I'm going to get up if I just take it out and boot it to another system, but is that not possible?

Overall, there is a lack of understanding of how BIOS is implemented, and it is impossible to determine what each password is protecting and what it really means.

So, I have a question: What are the typical BIOS passwords and what kind of security do they each guarantee? I mean, what assumptions do each password keep? In what situations does it make no sense to set a password?

security bios

2022-09-30 14:12

2 Answers

I think the response will vary depending on the manufacturer, but I will try to answer with reference to Dell example.

p>

Password to request when launching the BIOS UI.

I think the main purpose is to prevent inadvertent configuration changes, including misoperation.

In most cases, pressing a specific key will cause the BIOS screen to boot, but unfamiliar users may unintentionally boot and change the settings without knowing what to do.

Password to request when booting the system.

As for the password to protect the system, if it is physically accessible (=removed) as you are concerned, the contents will be read.

Password to request before accessing the hard disk.

The hard drive itself is set with a password, so even if it is pulled out, it will not be able to sneak a look inside.

There seems to be a way to set it up from Windows, so I think it's just a way to set it up on a hard drive rather than a BIOS feature.

reference:
What passwords can be set in the BIOS - Dell Community


2022-09-30 14:12

Depending on usage and purpose of use, I think it will change how much and how much it is meaningful, so I will answer with specific usage examples.

PCs commonly used by multiple users, such as study PCs in school classrooms and PC's for users in PC rooms.

These PCs are not easily broken down by security locks and are not easily taken out by security wires.It's not really impossible, but if you don't have a proper key, you'll have to force it open with a tool, so think it's impossible to extract only the HDD (which may be SSD, but I won't tell you in this answer).

What these PCs must prevent is that they go beyond the limitations of the features available to them.To prevent attacks on the network or other PCs, users should not be given administrative privileges and should limit the available features.It means that they should not be torn.The minimum requirement is to properly configure and manage the operating system, such as not giving users administrative privileges.

What we need to think about is how to prevent the above restrictions from being removed without going through the OS.No matter how strong and configured the operating system is, if you can boot another operating system from a DVD or USB, you have the freedom to modify the hard drive in your PC.In such cases, there are many ways to deprive the hard drive of administrative privileges unless it is encrypted separately.In other words, you need to prevent another OS boot.

The BIOS allows you to limit the number of bootable devices.It can only boot to the hard drive in the PC and not to the DVD or USB.However, no matter how much you limit the settings, there is no point if the user can manipulate the BIOS settings.This is because you can change the BIOS settings and boot from a DVD or the like.That's where the password you'll need to launch the BIOS UI appears.

If the password required to start the BIOS UI is set, users who do not know the password cannot change it to boot from a DVD or the like, so they cannot use a different operating system.Because the hard drive cannot be physically pulled out, the user will not have the means to modify the hard drive in the PC to suit their convenience.This prevents the administrator from attempting to exceed the limit.

Therefore, it is essential to set the password required to launch the BIOS UI on these shared PCs.It also means preventing mischief, such as setting the BIOS strangely and disabling it.

これ This does not mean that security is complete, but it is just one of the things to be implemented to prevent other OS boot restrictions from being avoided.

メーカー Depending on the manufacturer, you may be able to change the BIOS settings from the OS.Even so, administrator privileges are required to make configuration changes, and users are not allowed to make configuration changes in principle.


2022-09-30 14:12

If you have any answers or tips


© 2022 OneMinuteCode. All rights reserved.