GENERIC RECOMMENDATIONS
PASSWORDS
It is important to set a password to access the BIOS configuration to ensure that only authorized personnel can view and change the settings.
If an attacker gains unauthorized access to the BIOS, they can modify its settings to compromise the system. For example, they can configure the BIOS to boot from a malicious device, or change settings that disable important system security features.
That is why it is recommended to:
Set up a strong password,
Avoid using the same password for your entire fleet of terminals,
Take into account, when defining the password, that mobile devices are more exposed to loss or theft.
BOOT ORDER
The boot order tells the computer which devices it is allowed to boot from. The computer searches each listed device in sequence until it finds an active bootable partition, then attempts to boot the system or utility found on the first available device.
In many cases, booting to the hard drive is the last option to allow for a repair boot via USB or PXE.
Here are some examples of the dangers of leaving the boot order open to choice:
Malware installation or persistence: the attacker deploys malware on the computer by booting from another drive. This software can cause significant damage to the company's entire information system at the next normal startup (e.g., dropping a malicious file, modifying a registry key, etc.).
Data theft: the attacker boots from a removable disk to copy confidential company data and take it away.
Therefore, it is recommended that:
Only the partition on which the system is installed should be bootable.
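On a Linux workstation the UEFI BootOrder variable can be audited from the running system, which gives a quick way to spot hosts where a USB or network entry still precedes the OS loader. The script below is an added example and is not part of the original guide: it parses the output of `efibootmgr -v` (a constructed sample is embedded so it runs offline), classifies each entry by its device path, and reports every BootOrder position that is not a disk-backed entry. The sample entries, partition GUIDs and MAC address are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `efibootmgr -v` output (not captured from a real host):
# a USB stick and a PXE entry sit ahead of the OS loaders in BootOrder.
SAMPLE_EFIBOOTMGR = """\
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0003,0004,0001,0000
Boot0000* Windows Boot Manager\tHD(1,GPT,aaaa-bbbb,0x800,0x32000)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)
Boot0001* ubuntu\tHD(1,GPT,aaaa-bbbb,0x800,0x32000)/File(\\EFI\\ubuntu\\shimx64.efi)
Boot0003* UEFI: USB Flash Drive\tPciRoot(0x0)/Pci(0x14,0x0)/USB(3,0)
Boot0004* UEFI: IPv4 Ethernet\tPciRoot(0x0)/Pci(0x1f,0x6)/MAC(001122334455,1)/IPv4(0.0.0.0,0,0,0.0.0.0,0.0.0.0,0.0.0.0)
"""

# "Boot0001* label<TAB>device-path"; the '*' marks an active entry and the
# device path is only present in verbose (-v) output.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+([^\t]+)(?:\t(.*))?$")
ORDER_RE = re.compile(r"^BootOrder:\s*([0-9A-Fa-f,]+)\s*$", re.MULTILINE)


@dataclass
class BootEntry:
    number: str
    active: bool
    label: str
    device_path: Optional[str]

    @property
    def kind(self) -> str:
        """Classify by device path; USB is checked first because a USB disk
        also carries an HD(...) node."""
        p = self.device_path or ""
        if "USB(" in p:
            return "usb"
        if any(tok in p for tok in ("MAC(", "IPv4(", "IPv6(")):
            return "network"
        if "HD(" in p:
            return "disk"
        return "unknown"


def parse_efibootmgr(text: str) -> Tuple[List[str], Dict[str, BootEntry]]:
    """Return (BootOrder as a list of entry numbers, entries keyed by number)."""
    entries: Dict[str, BootEntry] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            num, star, label, path = m.groups()
            entries[num.upper()] = BootEntry(num.upper(), star == "*", label.strip(), path)
    m = ORDER_RE.search(text)
    order = [n.strip().upper() for n in m.group(1).split(",")] if m else []
    return order, entries


def audit_boot_order(text: str) -> List[str]:
    """One finding per BootOrder position that does not point at a disk-backed
    loader. An empty list means the firmware will only try the internal disk,
    which is what the recommendation asks for."""
    order, entries = parse_efibootmgr(text)
    if not order:
        return ["no BootOrder variable found"]
    findings = []
    for pos, num in enumerate(order, start=1):
        entry = entries.get(num)
        if entry is None:
            findings.append(f"position {pos}: Boot{num} is in BootOrder but has no entry")
        elif entry.kind != "disk":
            state = "active" if entry.active else "inactive"
            findings.append(f"position {pos}: Boot{num} ({entry.label}) is an {state} {entry.kind} device")
    return findings


if __name__ == "__main__":
    import subprocess
    try:
        text = subprocess.run(["efibootmgr", "-v"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_EFIBOOTMGR
        print("efibootmgr not available, auditing the constructed sample instead")
    for line in audit_boot_order(text) or ["OK: BootOrder contains only disk-backed entries"]:
        print(line)
```

This reads the NVRAM view that the firmware consults, so it is a detective control for fleet inventory, not a replacement for the setting itself: a one-time boot menu (F12 or similar) and the "USB boot" or "network boot" switches in the setup screens are only visible in the BIOS/UEFI UI and must still be locked down there.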
ACTIVATION OF DEVICES
Most modern computers allow the BIOS administrator to determine exactly which device features to expose to the operating system and, therefore, to the user.
For example, via this option it is possible to disable the following devices:
IDE/SATA,
USB / SD card,
Network devices (Wi-Fi, Bluetooth, NFS, GPS, modem, etc.)
Microphone / camera
This is why it is recommended to:
Only let the equipment that is necessary and supported by your company policy be activated.
Keep in mind that reactivation requires going into the BIOS, so a standard user will not be able to do it.
SECURE BOOT
In theory this option is always enabled on newer workstations, as it is necessary for a UEFI boot.
Secure Boot is a BIOS/UEFI feature that ensures that a computer boots only with software that is:
approved by the computer manufacturer,
unaltered since it was created.
That is why it is recommended to:
Leave it enabled,
Keep the BIOS/UEFI updated so that the signatures stay up to date.
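Because a machine can report SecureBoot=1 while the firmware is still in setup mode (no Platform Key enrolled, so nothing is actually enforced), an inventory check should read both variables. The following is an added example, not code from the original guide: it parses the efivarfs representation that Linux exposes under /sys/firmware/efi/efivars (a 4-byte little-endian attribute word followed by the variable data) and classifies the SecureBoot/SetupMode pair. The byte strings are constructed samples, not values read from a real host; the GUID is the standard EFI_GLOBAL_VARIABLE GUID under which both variables are defined.

```python
import os
import struct
from typing import Optional, Tuple

EFIVARS = "/sys/firmware/efi/efivars"
# EFI_GLOBAL_VARIABLE GUID; SecureBoot and SetupMode are both defined under it.
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Constructed efivarfs contents (not read from a real machine): attributes
# 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS, then the 1-byte variable value.
SAMPLE_VAR_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_VAR_OFF = b"\x06\x00\x00\x00\x00"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_status(secureboot: Optional[bytes], setupmode: Optional[bytes]) -> str:
    """Classify the pair of variables:
    'enabled'     SecureBoot=1 and SetupMode=0: signatures are enforced
    'setup-mode'  SetupMode=1: no Platform Key, nothing is enforced even if
                  SecureBoot reads 1
    'disabled'    SecureBoot=0
    'unsupported' variable missing or empty (legacy BIOS, or no efivarfs)
    """
    if secureboot is None:
        return "unsupported"
    _, sb = parse_efivar(secureboot)
    if not sb:
        return "unsupported"
    if setupmode is not None:
        _, sm = parse_efivar(setupmode)
        if sm and sm[0] == 1:
            return "setup-mode"
    return "enabled" if sb[0] == 1 else "disabled"


def read_efivar(name: str) -> Optional[bytes]:
    """Read a global-namespace variable from efivarfs, or None if absent."""
    path = os.path.join(EFIVARS, f"{name}-{GLOBAL_GUID}")
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    status = secure_boot_status(read_efivar("SecureBoot"), read_efivar("SetupMode"))
    if status == "unsupported":
        print("no efivars on this host, classifying the constructed sample instead")
        status = secure_boot_status(SAMPLE_VAR_ON, SAMPLE_VAR_OFF)
    print(f"Secure Boot: {status}")
```

On Windows the equivalent single check is the Confirm-SecureBootUEFI PowerShell cmdlet, and on Linux `mokutil --sb-state` reads the same variable; the value of parsing the variables directly is the SetupMode distinction, which a plain "enabled/disabled" answer hides.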