IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.84 Use of BIOS security mechanisms
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator, IT users
Modern BIOS variants offer a large number of security mechanisms. Users or
system administrators should acquaint themselves with the options available.
Untrained users should never change BIOS entries as severe damage can be
the result.
- Password protection: most BIOS variants offer activation of a boot
password. A BIOS password is not difficult to overcome, but it should
definitely be used wherever better access safeguards are not available. In
most cases it can be selected whether the password is required for booting
or only for changing BIOS settings. Sometimes different passwords can be
employed for these checks. The setup or administrator password should
always be enabled to prevent unauthorised changes being made to the
BIOS settings.
Some BIOS variants support password protection for floppy disk drives.
Unfortunately only few BIOS variants support this option. If available it
should be enabled to prevent unauthorised installation of software and
illicit copying of data.
- Boot sequence: the boot sequence should be set so that the first option is
always to boot from the hard disk. „C,A“ should therefore be used, for
example. This will protect against infection with boot viruses if a floppy
disk in left in the drive by accident. It also saves time, and saves wear on
the floppy disk drive.
Rearrangement of the boot sequence is intended to prevent the boot
procedure from being carried out from an external data medium. This is to
ensure that the system does not access a floppy disk in the floppy disk
drive during booting, which could result in a boot virus infecting the PC
(see T 5.23 Computer viruses). Depending on which BIOS and operating
system is used, it may also be necessary to prevent booting from other
exchangeable data media such as CD-ROMs.
Without rearrangement of the boot sequence it is also possible to
circumvent other safeguards, such as access protection mechanisms (see S
4.1 Password protection for IT systems). One example is the ability to start
a different operating system, with the effect of ignoring any security
attributes that have been set (see S 4.49 Safeguarding the boot-up
procedure for a Windows NT system).
The effectiveness of the rearrangement of the boot sequence should always
be checked by a boot test, because some controllers deactivate the internal
sequence and need to be set separately.
- Virus protection / warning: if this feature is enabled, the computer requests
confirmation every time a change is made to the boot sector or the MBR
(master boot record).
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000