BIOS Security – CompTIA A+ 220-901 – 1.1

There are many ways to help secure your computer using the BIOS. In this video, you’ll learn about BIOS passwords, LoJack for Laptops, full disk encryption, and Secure Boot.

<< Previous: BIOS ConfigurationsNext: Installing BIOS Upgrades >>

There are a number of different security features built into the BIOS of your system. In this video, we’ll look at many different options available for protecting your system right inside the BIOS.

One way to protect your system is through the use of a user password. This is a password you define in the BIOS– you might also see it called a BIOS password– that you a prompt when you start up your computer. And you have to input the correct password to continue with the boot process. Your operating system won’t even load unless you know this user password. Otherwise, your system is simply not going to start.

Another type of password you can put into your BIOS is a supervisor password. This is one that restricts access to the BIOS. So if you wanted to be sure that nobody was making any changes to the BIOS configurations, then you’ll put a supervisor password on your computer. You can use the user password and the supervisor password independently. So your system might have both a user password and a supervisor password, or it might just have a user password, or it might just have a supervisor password. They’re used independently, depending on what your requirements are for security on that computer.

One popular way of protecting our data these days is with full-disk encryption. That means that we are encrypting every single bit of data on a storage device. We’re not encrypting individual files. We’re encrypting all of the files, including the operating system. So this becomes a little complicated when you’re trying to determine how to boot an operating system that is already encrypted.

One way to do this is by using a piece of software in some Windows editions called Windows BitLocker. This is full-disk encryption when you’re running Windows. It integrates with a part of your BIOS called the TPM. And it’s very useful to have this hardware cryptographic functionality in your BIOS called the Trusted Platform Module.

It’s something that’s either built into the motherboard of the device you’re already using, or there may be a slot like this one on this picture where I can install a TPM onto my motherboard itself. It adds some cryptographic functions so that you can perform this encryption and decryption and keep everything on your storage devices completely safe and secure.

Another security feature you might see in a BIOS, especially a BIOS that is in a laptop computer, is something called LoJack for Laptops. This was originally called CompuTrace. But the name LoJack is so well-known with recovering automobiles that they licensed the name LoJack to use with laptops.

And just like when you lose an automobile, if you were to lose a laptop, this is one way that you could use to try to track down where that laptop happens to be. This is software that is built into the BIOS of the laptop. Software is automatically installed into the operating system you happen to be using.

What’s interesting about this is that if you remove the storage device from the laptop, or you erase everything on that storage device, and you install a brand-new operating system, the BIOS is going to install a new version of LoJack for Laptops onto that operating system. So there’s no way to avoid having LoJack for Laptops running on that particular system.

One of the capabilities included with LoJack for Laptops is a phone home functionality. It will be able to send location information back to a central point and then you can monitor to see where does your laptop happen to be at this moment.

There’s also a theft mode in LoJack for Laptops, so that you can lock down your laptop and put a message on the screen. Or maybe you want to delete all of the sensitive files that might be on that laptop computer.

You might also want to force a startup password, so that even if somebody had your laptop, they wouldn’t be able to use it without that specific password.

One of the constant challenges we have with keeping our system safe is making sure that no malicious software gets into our operating systems. Well, we’ve built capabilities now into our BIOS that will help us maintain the operating systems and ensure that they’re not going to be infected with this malicious software.

This capability is built into the UEFI BIOS, and it’s called secure boot. It is able to provide a digital signature of known good operating system software and compare that to the operating system you happen to be running. This way, if someone was to change any of the operating system, you would know that that change was in place, and your BIOS would prevent any of that from loading.

It is supported, and in fact required, with different operating systems. Windows 8 and 8.1, Windows Server 2012 and 2012 R2 are some examples of operating systems that require this secure boot capability. But of course, it’s not limited to Windows. You can also run some Linux versions using the secure boot– Linux Fedora, openSUSE, Ubuntu, and many other distributions can use this secure boot capability.