S 4.84 Use of BIOS security mechanisms
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Modern BIOS versions, such as UEFI (Unified Extensible Firmware Interface), offer a number of security mechanisms, and the system administrators should be familiar with these mechanisms. In no case should untrained users make changes to the BIOS settings because this can result in serious damage.
- Write protection: Many mainboards have a hardware write protection for the BIOS (usually in the form of a jumper on the mainboard). If such a write protection exists, it should be used and only removed when changes to the BIOS are necessary, for example for a BIOS update (see S 6.27 Secure update of BIOS). It should then be reactivated.
- Password protection: Most BIOS versions offer an option for enabling password protection. These mechanisms are sometimes relatively easy to overcome, but they should always be used if there are no other access protection mechanisms available.
It is usually possible to choose whether the password should be queried every time the computer boots or only when the BIOS settings are accessed. In some cases, it is even possible to specify different passwords for these two purposes. To prevent unauthorised persons from changing the BIOS settings, the setup or administrator password should always be enabled.
- Boot sequence: The boot sequence should be specified so that it is only possible to boot from the data medium with the intended operating system. Booting from other data media should be prevented. This protects against infection by certain types of malware, for example in cases where a data medium is accidentally left in the computer.
Not specifying a boot sequence can make it possible to bypass the access protection mechanisms (see S 4.1 Password protection for IT systems) and other security safeguards. As an example, it would then be possible to start another operating system so that the specified security attributes are ignored (see S 4.49 Protection of the boot procedure for a Windows system).
As a rule, a test boot of the computer should be performed to ensure that the boot sequence specified is actually used, because some controllers ignore the internal boot sequence and need to be configured separately.
- Virus protection, virus warning: When this function is enabled, the computer will request confirmation for all changes made to the boot sector or the MBR (master boot record) before actually saving the changes. If the BIOS version used supports a virus warning function, then this function should be enabled to gain additional protection.
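The test boot described above confirms the boot sequence on one machine. On UEFI systems the configured boot order can additionally be read from the running operating system, which makes the check repeatable across a fleet. The following Python script is an added example (not part of this safeguard and not a BSI tool): it parses the output of the Linux utility efibootmgr -v, checks that the first entry in BootOrder is the intended OS loader, and flags any active entry that points at a USB, optical or network (PXE) boot path. The sample output embedded in the script is constructed for illustration, the label "ubuntu" is an assumed value for the intended loader, and the path-string patterns used to classify entries are an assumption about the common device-path notation rather than a complete specification.

```python
"""Verify a UEFI boot order against the boot-sequence requirement of S 4.84.

Reads efibootmgr -v output (or a constructed sample), and reports:
  * the first BootOrder entry not being the intended OS loader
  * any active BootOrder entry that boots from removable or network media
"""
import re
import shutil
import subprocess

# Constructed sample in the layout printed by `efibootmgr -v` (not a real capture).
SAMPLE_OUTPUT = (
    "BootCurrent: 0001\n"
    "Timeout: 1 seconds\n"
    "BootOrder: 0002,0001,0000\n"
    "Boot0000* Windows Boot Manager\tHD(1,GPT,...)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)\n"
    "Boot0001* ubuntu\tHD(1,GPT,...)/File(\\EFI\\ubuntu\\shimx64.efi)\n"
    "Boot0002* UEFI: USB DISK 2.0\tPciRoot(0x0)/Pci(0x14,0x0)/USB(3,0)\n"
    "Boot0003* UEFI: PXE IPv4 Intel(R) Ethernet\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(...,1)/IPv4(...)\n"
)

# BootXXXX lines: 4 hex digits, optional '*' (active), label, optional tab + device path.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+([^\t]*)(?:\t(.*))?$")
# Assumed markers for removable or network boot targets in label or device path.
REMOVABLE_OR_NETWORK_RE = re.compile(
    r"USB\(|CDROM\(|MAC\(|IPv[46]\(|\bPXE\b|\bUSB\b", re.IGNORECASE
)


def parse_efibootmgr(text):
    """Return (boot_order list of IDs, dict ID -> {label, active, path})."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [x.strip().upper() for x in line.split(":", 1)[1].split(",") if x.strip()]
            continue
        m = ENTRY_RE.match(line)
        if m:
            boot_id, active, label, path = m.groups()
            entries[boot_id.upper()] = {
                "label": label.strip(),
                "active": active == "*",
                "path": path or "",
            }
    return order, entries


def classify(entry):
    """Coarse classification of a boot entry by its label and device path."""
    if REMOVABLE_OR_NETWORK_RE.search(entry["label"] + " " + entry["path"]):
        return "removable_or_network"
    if entry["path"].startswith("HD("):
        return "internal_disk"
    return "unknown"


def check_boot_order(text, intended_label):
    """Return a list of findings; an empty list means the boot order is compliant."""
    order, entries = parse_efibootmgr(text)
    findings = []
    if not order:
        return ["no BootOrder line found"]
    first = entries.get(order[0])
    first_label = first["label"] if first else "missing entry"
    if first is None or first["label"] != intended_label:
        findings.append(
            f"first boot entry is Boot{order[0]} ({first_label}), expected '{intended_label}'"
        )
    for boot_id in order:
        entry = entries.get(boot_id)
        if entry and entry["active"] and classify(entry) == "removable_or_network":
            findings.append(
                f"Boot{boot_id} ({entry['label']}) boots from removable or network media"
            )
    return findings


if __name__ == "__main__":
    # Use live data when efibootmgr is present, otherwise fall back to the sample.
    if shutil.which("efibootmgr"):
        output = subprocess.run(["efibootmgr", "-v"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_OUTPUT
    for finding in check_boot_order(output, "ubuntu") or ["boot order compliant"]:
        print(finding)
```

Run as root on a UEFI Linux system the script reads the live configuration; without efibootmgr it evaluates the constructed sample, which deliberately places a USB entry first and therefore produces two findings. Entries that are present but absent from BootOrder (such as the PXE entry in the sample) are not reported, since the firmware will not try them automatically; whether the firmware's one-time boot menu can still reach them is a separate setting that this check cannot see.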
Review questions:
- Is the BIOS configured so that the BIOS settings can only be changed after entering a password and/or removing a hardware write protection?
- Were the BIOS settings tested to ensure the boot sequence specified leads to booting from the hard drive?
- Is the virus warning function of the BIOS enabled to protect it against unwanted changes to the boot sector or the MBR (master boot record)?