IT Baseline Protection Manual S 4.84 Use of BIOS security mechanisms
S 4.84 Use of BIOS security mechanisms
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator, IT users
Modern BIOS variants offer a large number of security mechanisms. Users or system administrators should acquaint themselves with the options available. Untrained users should never change BIOS entries as severe damage can be the result.
Password protection: most BIOS variants offer activation of a boot password. A BIOS password is not difficult to overcome, but it should definitely be used wherever better access safeguards are not available. In most cases it can be selected whether the password is required for booting or only for changing BIOS settings. Sometimes different passwords can be employed for these checks. The setup or administrator password should always be enabled to prevent unauthorised changes being made to the BIOS settings.
Some BIOS variants support password protection for floppy disk drives. Unfortunately only few BIOS variants support this option. If available it should be enabled to prevent unauthorised installation of software and illicit copying of data.
Boot sequence: the boot sequence should be set so that the first option is always to boot from the hard disk. "C,A" should therefore be used, for example. This will protect against infection with boot viruses if a floppy disk in left in the drive by accident. It also saves time, and saves wear on the floppy disk drive.
Rearrangement of the boot sequence is intended to prevent the boot procedure from being carried out from an external data medium. This is to ensure that the system does not access a floppy disk in the floppy disk drive during booting, which could result in a boot virus infecting the PC (see T 5.23 Computer viruses). Depending on which BIOS and operating system is used, it may also be necessary to prevent booting from other exchangeable data media such as CD-ROMs.
Without rearrangement of the boot sequence it is also possible to circumvent other safeguards, such as access protection mechanisms (see S 4.1 Password protection for IT systems). One example is the ability to start a different operating system, with the effect of ignoring any security attributes that have been set (see S 4.49 Safeguarding the boot-up procedure for a Windows NT system).
The effectiveness of the rearrangement of the boot sequence should always be checked by a boot test, because some controllers deactivate the internal sequence and need to be set separately.
Virus protection / warning: if this feature is enabled, the computer requests confirmation every time a change is made to the boot sector or the MBR (master boot record).