BIOS Security – CompTIA A+ 220-1001 – 3.5

The BIOS in our computers includes a number of security features. In this video, you’ll learn about BIOS passwords, full disk encryption, LoJack for Laptops, and Secure Boot.

<< Previous Video: BIOS Options Next: Installing BIOS Upgrades >>

There are a number of different options inside of your BIOS that can help keep your system safe. And in this video, we’ll look at these options for biosecurity. A common security feature in a BIOS is to set a password.

One type of password that you can set is called either a buyer’s password. You may hear it also referred to as a user password. This is a password that keeps the system from starting unless you know the password.

When you boot your system, a password prompt is presented on the screen. And unless you know the password, the system does not proceed any further. And your operating system does not load.

The other type of password you might see is a supervisor password. A supervisor password doesn’t stop the boot process. The computer works as it normally would.

But if anybody ever goes into the BIOS to make a configuration change, they’ll be prompted for the supervisor password. And no changes to the BIOS can take place until the correct supervisor password is entered. This would be a way for a supervisor to disable or lock down access to certain pieces of hardware. For example, if a supervisor wanted to disable all of the USB interfaces on a computer, they can make those changes in the BIOS, set a supervisor password, and then be assured that no one else could go into the BIOS configuration and undo all of those configuration changes.

Your BIOS can also help provide Full Disk Encryption on your computer. This is sometimes referred to as FDE, where everything that is written onto a disk, including the operating system, is completely encrypted. If someone gained access to one of your devices or tried to read information from your storage devices, they would find that all of that information was encrypted.

In Windows, this full-disk encryption is called BitLocker. And BitLocker integrates with a TPM. This is a Trusted Platform Module. It’s a piece of hardware that’s inside of your computer, maybe a module that you add to a motherboard, or it might be built into the motherboard that you’re using.

This TPM has a random number generator. It can help create cryptographic keys. And it has a number of other advanced cryptographic functions. This TPM integrates with the BIOS to provide the highest level of security for your data.

If someone was to steal your laptop, you may be able to recover it if your laptop has a function in the BIOS enabled called Lojack for Laptops. This is software that was originally called CompuTrace. And it allows you to track where your laptop is– very similar to the vehicle recovery service called Lojack.

The software that enables this Lojack for Laptops functionality is loaded into the operating system. If someone deletes the software or installs a new operating system, the BIOS will install the Lojack for Laptops software into the new operating system. This software allows your computer to phone home and provide location information. But there’s also a theft mode associated with the software, where you can remotely delete the operating system, delete certain files, or force the laptop into having a startup password, and effectively make the laptop worthless to the person who may have stolen it.

One of the challenges we have with malicious software is it can infect the operating system itself. So when you start your computer, it’s already infected with this malware. One way to prevent this is with a function called Secure Boot. Secure Boot is part of the UEFI specification.

So if you’re running a UEFI BIOS, you also have the ability to use Secure Boot. When your system starts up, Secure Boot looks at the core operating system files of your system. And it checks to see if there is a digital signature for those files.

If the digital signature matches the files that are on your hard drive, the system continues to boot. If any of those core operating system files have been modified, the digital signature will fail, and Secure Boot will prevent your system from starting. Support for Secure Boot is available in Windows, in Linux. And in some of these operating systems, they won’t start unless you have Secure Boot enabled in the BIOS.