BIOS Security 3.4

Administrator Password

Required to access and modify BIOS/UEFI settings; often called the supervisor or setup password.

User Password

Required to boot the OS; may be called system or power-on password. Can be used alone or with an admin password for layered security.

BIOS/UEFI Password Limitations

Offers limited protection; often bypassed by removing the CMOS battery or using a jumper to reset.

Password Tampering Indicator

If an admin password disappears unexpectedly, it may indicate unauthorized access.

Chassis Lock

Prevents case access to avoid physical tampering, like clearing BIOS passwords.

Chassis Intrusion Detection

System detects when the case is opened via an internal switch, triggering alerts in BIOS/UEFI or at boot.

Drive Locking

Requires a password to access the hard disk. Password is stored on the drive, not the motherboard.

Drive Locking: Passwords

Includes user and master passwords, set via BIOS/UEFI. Stored securely and can’t be read from the disk.

Drive Locking: Mobility

Passwords stay with the drive; moving it to another PC still requires the password.

Drive Locking: Format Protection

You can't remove the password by formatting the drive.

Drive Locking: Troubleshooting

If both user and master passwords are lost, data access is impossible.

Drive Locking: Incorrect Attempts

Most systems limit incorrect password tries before requiring a reboot.

Default Master Passwords

Some systems ship with a non-public master password, not available from the manufacturer.

Trusted Platform Module (TPM)

Motherboard chip used for cryptographic key generation, storage, and verification.

TPM Initialization

Configured in BIOS/UEFI; requires owner password for secure management.

TPM: Hardware Verification

Creates cryptographic keys to detect hardware changes and block unauthorized booting.

TPM: Encryption Key Storage

Used by applications (e.g., BitLocker) to securely store encryption keys.

Full Disk Encryption via BIOS/UEFI

Encrypts entire hard drive without OS software. Requires a key stored externally for recovery.

LoJack

Anti-theft tool embedded in firmware. Tracks system via GPS and checks theft reports.

LoJack: Reporting and Recovery

Periodically sends location to vendor server. Helps locate and recover stolen systems.

LoJack: Software Deployment

Motherboard chip contains only a downloader; full service installs in Windows.

UEFI Digital Signature

Prevents unauthorized firmware changes by requiring vendor-signed updates.

Secure Boot

Prevents OS booting unless digitally signed; protects against rootkits and unauthorized OS loading.

Rootkit Protection via Secure Boot

Blocks malware that tries to load before the OS and anti-malware tools.

Fast Startup in Windows

Reduces boot time but may prevent normal BIOS/UEFI access.

Bypassing Fast Startup

Hold Shift while selecting Restart to access UEFI settings.

BIOS Access Keys

Common entry keys: Del, F2, F10, Esc (varies by manufacturer).

Interrupting Boot Process

Boot failing 3 times can trigger recovery mode for BIOS/UEFI access.

Backing Up BIOS Configurations

Save settings by exporting config, screenshots, or notes.

Primary Boot Sequence

Determines boot device order: HDD, SSD, USB, network, etc.

USB Port Restrictions in BIOS

Used in secure environments to prevent data theft or malware via USB devices.

Devices Section in BIOS

Enable or disable hardware like USB ports, NICs, and more.

Clearing BIOS Settings (CMOS Reset)

Use a jumper or remove CMOS battery to reset BIOS, including passwords.

Persistent Memory

Non-volatile memory with RAM-like speed, retains data without power.

Versatile Memory

Flexible memory tech combining features of volatile and non-volatile storage.

HSM (Hardware Security Module)

Hardware device for secure encryption key management and backup.

Cryptographic Accelerators

Hardware features that speed up encryption/decryption tasks.