Does password-protecting a server's BIOS help in securing sensitive data?

The most common thing protected by the BIOS administrator-level password is the boot process. Someone with admin-level access to the BIOS (either by it being unprotected, or via password compromise) can set the computer to boot from whatever media he likes. This will allow an attacker to bypass access restrictions you have in place on any non-encrypted data on your drives. With this, they can:

  • Read any data stored unencrypted on the drive.
  • Run cracking tools against local user credentials, or download the authenticator data for offline cracking.
  • Edit the Registry or password files to gain access within the native OS.
  • Upload malicious files and configure the system to run them on next boot-up.

Of course, access to the BIOS generally means that the attacker has physical access to the computer already. At this point, all bets are off anyway - many BIOSes (and their passwords) can be cleared by a simple jumper on the motherboard, or the attacker could just pull the hard drive and do what they like with it on their own system. That said, a lot of the recommendations in my post here (and other answers in that, and linked, threads) are still worth considering.

  • Encrypt the hard drive
  • Make sure the computer is physically secure (e.g.: locked room/cabinet/chassis)
  • Use strong passwords for encryption & BIOS

Password-protecting the BIOS is not entirely an effort in futility. However, it must not be a measure that is solely relied upon. For the password on your BIOS to be effective in its purpose, there must be other measures in place to prevent it from being bypassed.


Not in any meaningful way: the only thing this might prevent is a malicious, physical attacker rebooting the computer from a liveUSB/liveCD (and thus gaining offline access to your data).

If you want to protect sensitive data, you need to set up some sort of disk encryption (so that the data is only accessible when your system is running); note that this would require some interaction at boot (e.g. entering a passphrase).


An attacker who can be physically present in front of the computer can also open the case with a screwdriver and have it his own way on the disk; or he can simply run off with the computer under his arm. No BIOS password will give you any protection against that. BIOS passwords offer any protection only against attackers who are assumed not to go physical at the machine. In that case, the BIOS password protects... the BIOS settings.

The two settings which the attacker may want to alter are the current date, and the boot sequence. The boot sequence is rather obvious: by changing it, the attacker can make the machine boot off a USB key he brought, instead of the hard disk, giving him full access to the hard disk and its precious files.

Changing the date is more an edge case; by making the machine believe it is in the far past, the attacker may trigger some other behaviour which could impact security. For instance, if the OS-level logon uses smart cards with certificates, then the OS will verify that the certificate has not been revoked. If the attacker got to steal a smart card with its PIN code, but the theft was discovered and the certificate was revoked, then the attacker may want to alter the date so that the machine believes that the certificate is not yet revoked.

Recent machines may use something called UEFI: a new standard for booting operating systems. One feature of it is that the bootloader can be signed, and the BIOS verifies that signature; it won't boot an unsigned OS. This is called Secure Boot. However, most BIOSes allow for the deactivation of this feature. This is another BIOS setting that the BIOS password can protect.
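As an added illustration that is not part of any answer above, the following POSIX shell script checks from inside a running Linux system the two controls the answers rank above a BIOS password: whether Secure Boot is actually enabled (read from the efivarfs `SecureBoot` variable, which efivarfs exposes as 4 bytes of attribute flags followed by the one-byte value) and whether a dm-crypt volume is present in `lsblk` output. It assumes efivarfs is mounted at `/sys/firmware/efi/efivars` and that `lsblk`, `od` and `awk` are available.

```shell
#!/bin/sh
# Added example (not from the answers above): audit, from inside a running
# Linux system, UEFI Secure Boot state and block-device encryption, the two
# controls that matter more than a BIOS password against a boot-from-USB attacker.

# Parse an efivarfs SecureBoot variable file. efivarfs prefixes the variable
# data with 4 bytes of attribute flags; the SecureBoot value is the single
# byte that follows (1 = enabled, 0 = disabled).
# Prints "enabled", "disabled" or "unknown" (file missing/unreadable, e.g. legacy BIOS boot).
secure_boot_state() {
    file="$1"
    [ -r "$file" ] || { echo unknown; return 0; }
    val=$(od -An -tu1 -j4 -N1 "$file" 2>/dev/null | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read lsblk-style "NAME TYPE" lines on stdin; succeed (return 0) if at least
# one device is a dm-crypt mapping, i.e. data at rest is behind disk encryption.
has_crypt_device() {
    awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Live-system usage. The variable file name carries the EFI global variable
# GUID (8be4df61-93ca-11d2-aa0d-00e098032b8c) that efivarfs appends to the name.
main() {
    sb=$(secure_boot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)
    echo "Secure Boot: $sb"
    if lsblk -rno NAME,TYPE 2>/dev/null | has_crypt_device; then
        echo "Disk encryption: dm-crypt device present"
    else
        echo "Disk encryption: no dm-crypt device found (data at rest is readable from a USB boot)"
    fi
}

main
```

A report of "Secure Boot: disabled" or "no dm-crypt device found" means the BIOS password is the only thing standing between an attacker who changes the boot order and the plaintext on the disk.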