Tuesday, 14 October 2014

How to Secure Your Computer With a BIOS or UEFI Password

How to Secure Your Computer With a BIOS or UEFI Password



enter-bios-password-at-boot
A Windows, Linux, or Mac password just prevents people from logging into your operating system. It doesn’t prevent people from booting other operating systems, wiping your drive, or using a live CD to access your files.
Your computer’s BIOS or UEFI firmware offers the ability to set lower-level passwords. These passwords allow you to restrict people from booting the computer, booting from removable devices, and changing BIOS or UEFI settings without your permission.

When You May Want to Do This

Most people shouldn’t need to set a BIOS or UEFI password. If you’d like to protect your sensitive files, encrypting your hard drive is a better solution. BIOS and UEFI passwords are particularly ideal for public or workplace computers. They allow you to restrict people from booting alternative operating systems on removable devices and prevent people from installing another operating system over the computer’s current operating system.
Warning: Be sure to remember any passwords you set. You can reset the BIOS password on a desktop PC that you can open fairly easily, but this process may be much more difficult on a laptop you can’t open.
invalid-bios-password

How It Works

Let’s say you’ve followed good security practices and have a password set on your Windows user account. When your computer boots, someone will have to enter your Windows user account password to use it or access your files, right? Not necessarily.
The person could insert a removable device like a USB drive, CD, or DVD with an operating system on it. They could boot from that device and access a live Linux desktop — if your files are un encrypted, they could access your files. A Windows user account password doesn’t protect your files. They could also boot from a Windows installer disc and install a new copy of Windows over the current copy of Windows on the computer.
You could change the boot order to force the computer to always boot from its internal hard drive, but someone could enter your BIOS and change your boot order to boot the removable device.
A BIOS or UEFI firmware password provides some protection against this. Depending on how you configure the password, people will need the password to boot the computer or just to change BIOS settings.
Of course, if someone has physical access to your computer, all bets are off. They could crack it open and remove your hard drive or insert a different hard drive. They could use their physical access to reset the BIOS password — we’ll show you how to do that later. A BIOS password still does provide extra protection here, particularly in situations where people have access to a keyboard and USB ports, but the computer’s case is locked up and they can’t open it.
bios-password-options

How to Set a BIOS or UEFI Password

These passwords are set in your BIOS or UEFI settings screen. On pre-Windows 8 computers, you’ll need to reboot your computer and press the appropriate key during the boot-up process to bring up the BIOS settings screen. This key varies from computer to computer, but is often F2, Delete, Esc, F1, or F10. If you need help, look at your computer’s documentation or Google its model number and “BIOS key” for more information. (If you built your own computer, look for your motherboard model’s BIOS key.)
In the BIOS settings screen, locate the password option, configure your password settings however you like, and enter a password. You may be able to set different passwords — for example, one password that allows the computer to boot and one that controls access to BIOS settings.
You’ll also want to visit the Boot Order section and ensure the boot order is locked down so people can’t boot from removable devices without your permission.
set-bios-password-options
On post-Windows 8 computers, you’ll have to enter the UEFI firmware settings screen through Windows 8′s boot options. Your computer’s UEFI settings screen will hopefully provide you with a password option that works similarly to a BIOS password.
access-uefi-firmware-settings
On Mac computers, reboot the Mac, hold Command+R to boot into Recovery Mode, and click Utilities > Firmware Password to set a UEFI firmware password.

How to Reset a BIOS or UEFI Firmware Password

You can generally bypass BIOS or UEFI passwords with physical access to the computer. This is easiest on a desktop computer that’s designed to be opened. The password is stored in volatile memory, powered by a small battery. Reset the BIOS settings and you’ll reset the password — you can do this with a jumper or by removing and reinserting the battery. Follow our guide to clearing your computer’s CMOS to reset a BIOS password.
This process will obviously be more difficult if you have a laptop you can’t open up. Some computer models may have “back door” passwords that allow you to access the BIOS if you forget the password, but don’t count on it.
You may also be able to use professional services to reset passwords you forget. For example, if you set a firmware password on a MacBook and forget it, you may have to visit an Apple Store to have them fix it for you.
remove-cmos-battery-to-reset-bios-settings

BIOS and UEFI passwords aren’t something most people should ever use, but they’re a useful security feature for many public and business computers. If you operated some sort of cybercafé, you’d probably want to set a BIOS or UEFI password to prevent people from booting into different operating systems on your computers. Sure, they could bypass the protection by opening up the computer’s case, but that’s harder to do than simply inserting a USB drive and rebooting.

No comments:

Post a Comment