30

I'm running a server of which I protected the BIOS with a password. One doesn't have to enter this password before booting, but before entering the BIOS setup. I just did this from routine. However, there aren't really interesting settings in the BIOS, are there? I only got settings for date/time, enabling/disabling the drives and ports, etc.

Of course, I don't want that anyone can just enter the setup and set a master boot password on the computer, but that's about protecting against vandalism.

Does password-protecting the system's setup help protect sensitive data in files stored on the system in any way?


This question was featured as an Information Security Question of the Week (Feb 28, 2014 blog entry).

  • 3
    It does absolutely nothing. I can't tell you how many times I've bypassed the BIOS password. Every machine I've had to do this on has a circuit you can pull that will cause the password detection to skip. You just have to open up the machine, and pull the circuit out. It's been a while, but I seem to remember that sometimes, you need to pull the battery out, too. As other people have said, your best option is encrypting your hard drive. Physically blocking access to the interior of your box would be a good idea, too, if you have a BIOS password. – Ryan Amos Apr 22 '13 at 18:05
  • 2
    @RyanAmos - http://static.giantbomb.com/uploads/original/4/45070/1697487-cmos_jumper.jpg ;) – TildalWave Apr 22 '13 at 18:12
  • 1
    @TildalWave I used to volunteer with a non-profit that received computer donations. We had to change the boot order so we could install our modified Ubuntu version on there. Every time there was a password on the BIOS, we just yanked that circuit. Thanks for the picture :D Should help Camil Staps identify theirs. – Ryan Amos Apr 22 '13 at 18:15
  • 4
    @RyanAmos - Some mobos have a _PWD reset_ jumper even (especially server mobos), but even lacking that they would at least have a _clear BIOS_ jumper. Usually, it means switching its position and powering on the mobo for 10 seconds or so, then putting the jumper back in its nominal position (or not even). That is at least true for EEPROMs as they require some current to erase. Some older (or cheaper, i.e. most consumer grade mobos) designs would use CMOS RAM that requires tiny but constant current to keep its erasable data, so on those you'd only have to power off and remove the battery. – TildalWave Apr 22 '13 at 18:28
  • 2
    @RyanAmos That blue thing in the picture isn't a circuit, it's a jumper. Oh, well, I suppose it *is* a circuit in the sense of "electrical circuit", but so's the electrical wiring in your home. All it does is to electrically bind two pins together. The firmware checks to see which pins (if any) are electrically connected, and acts accordingly. – user Apr 23 '13 at 09:41

3 Answers

13

The most common thing protected by the BIOS administrator-level password is the boot process. Someone with admin-level access to the BIOS (either by it being unprotected, or via password compromise) can set the computer to boot from whatever media he likes. This will allow an attacker to bypass access restrictions you have in place on any non-encrypted data on your drives. With this, they can:

  • Read any data stored unencrypted on the drive.
  • Run cracking tools against local user credentials, or download the authenticator data for offline cracking.
  • Edit the Registry or password files to gain access within the native OS.
  • Upload malicious files and configure the system to run them on next boot-up.

Of course, access to the BIOS generally means that the attacker has physical access to the computer already. At this point, all bets are off anyway - many BIOS's (and their passwords) can be cleared by a simple jumper on the motherboard, or the attacker could just pull the hard drive and do what they like with it on their own system. That said, a lot of the recommendations in my post here (and other answers in that, and linked, threads) are still worth considering.

  • Encrypt the hard drive
  • Make sure the computer is physically secure (e.g.: locked room/cabinet/chassis)
  • Use strong passwords for encryption & BIOS

Password-protecting the BIOS is not entirely an effort in futility. However, it must not be a measure that is solely relied upon. For the password on your BIOS to be effective in its purpose, there must be other measures in place to prevent it from being bypassed.

Iszi
  • Yep. And please, when you set the BIOS password, make that password complex and UNIQUE. I've recovered passwords from BIOS's which are re-used in other areas of orgs and assisted in getting further into a network – NULLZ Apr 24 '13 at 05:16
  • IP KVM often allows for BIOS access w/o physical access, which means it isn't that rare for servers. – derobert Apr 24 '13 at 15:10
  • @NULLZ Sorry for the necromancy, but do I understand you correctly that BIOS passwords are normally stored in plain text (as opposed to a hash or some such thing?) – reirab Jan 09 '15 at 19:58
12

Not in any meaningful way: the only thing this might prevent is a malicious, physical attacker rebooting the computer from a liveUSB/liveCD (and thus gaining offline access to your data).

If you want to protect sensitive data, you need to set up some sort of disk encryption (so that the data is only accessible when your system is running); note that this would require some interaction at boot (e.g. entering a passphrase).

  • 3
    Encrypting the entire storage device is really the only way to prevent access to the data on the storage device. Secure Boot and a password protected BIOS will protect the boot order, which of course is useless, if the data isn't encrypted and the hdd can just be pulled and placed into another pc. – Ramhound Apr 22 '13 at 16:25
12

An attacker who can be physically present in front of the computer can also open the case with a screwdriver and have it his own way on the disk; or he can simply run off with the computer under his arm. No BIOS password will give you any protection against that. BIOS passwords offer any protection only against attackers who are assumed not to go physical at the machine. In that case, the BIOS password protects... the BIOS settings.

The two settings which the attacker may want to alter are the current date, and the boot sequence. The boot sequence is rather obvious: by changing it, the attacker can make the machine boot off a USB key he brought, instead of the hard disk, giving him full access to the hard disk and its precious files.

Changing the date is more an edge case; by making the machine believe it is in the far past, the attacker may trigger some other behaviour which could impact security. For instance, if the OS-level logon uses smart cards with certificates, then the OS will verify that the certificate has not been revoked. If the attacker got to steal a smart card with its PIN code, but the theft was discovered and the certificate was revoked, then the attacker may want to alter the date so that the machine believes that the certificate is not yet revoked.

Recent machines may use something called UEFI: a new standard for booting operating systems. One feature of it is that the bootloader can be signed, and the BIOS verifies that signature; it won't boot an unsigned OS. This is called Secure Boot. However, most BIOS allow for the deactivation of this feature. This is another BIOS setting that the BIOS password can protect.

Thomas Pornin
  • Side note: Not all BIOS passwords even protect the boot sequence. I have two different machines on my desk, both with BIOS passwords set, but in both cases you can hit a boot-time key and they'll let you pick which device to boot from. – Michael Kohne Dec 06 '17 at 13:16
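The answers above converge on two controls that actually matter once someone can reach the BIOS setup: full-disk encryption (all three answers) and the Secure Boot setting that a BIOS password keeps an attacker from switching off (Thomas Pornin's answer). The script below is an added example, not code from the question or from any of the answers. It is a read-only audit for a Linux host: it decodes the SecureBoot variable the kernel exposes in efivarfs and checks whether the root filesystem's block-device chain contains a dm-crypt (LUKS) layer. The `EFIVARS` path, the `--run` switch and the sample inputs in the comments are my assumptions; the SecureBoot variable name and GUID are the ones defined by the UEFI specification.

```shell
#!/bin/sh
# Added example (not from the original Q&A): audit the two mitigations the
# answers recommend. Prints the firmware's Secure Boot state and whether the
# root filesystem sits on an encrypted block device. EFIVARS is an assumption
# (the default is where the Linux kernel mounts efivarfs).

EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
# SecureBoot lives under the EFI_GLOBAL_VARIABLE GUID.
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Decode one efivarfs file: 4 bytes of attribute flags, then the payload.
# SecureBoot's payload is a single byte, 1 = enforcing, 0 = switched off.
# Prints enabled / disabled / unknown; unknown covers a legacy BIOS boot
# (no such file exists) and any payload that is not 0 or 1.
secureboot_state() {
    file="$1"
    [ -r "$file" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$file" 2>/dev/null | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# $1 is the TYPE column for the root device and every layer beneath it, as
# printed by `lsblk -sno TYPE <device>` (-s walks the chain downwards, so
# LVM-on-LUKS appears as: lvm, crypt, part, disk). Succeeds when any layer
# is a dm-crypt mapping; plain "part, disk" means the root is unencrypted.
root_chain_encrypted() {
    printf '%s\n' "$1" | grep -qx crypt
}

# Live audit of the running machine; exit status is non-zero if either
# control is missing, so it can be used from a config-management check.
audit_host() {
    sb=$(secureboot_state "$SB_VAR")
    rootdev=$(findmnt -no SOURCE / 2>/dev/null)
    chain=$(lsblk -sno TYPE "$rootdev" 2>/dev/null)
    if root_chain_encrypted "$chain"; then enc=yes; else enc=no; fi
    echo "secure_boot=$sb root_encrypted=$enc"
    [ "$sb" = enabled ] && [ "$enc" = yes ]
}

# Only touch the real system when asked to, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run it as `sh bios_audit.sh --run` (any file name works; `--run` is the assumed switch). A result of `secure_boot=unknown` on a machine that should be UEFI usually means it was booted in legacy/CSM mode, which is exactly the kind of firmware setting the answers say a BIOS password is meant to keep stable; `root_encrypted=no` is the case Ramhound's comment describes, where protecting the boot order buys nothing because the drive can simply be moved to another PC.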