kiggsondrome

asked on

Dell OptiPlex 755: how do I write-protect the BIOS

Hi

I need virus protection for the BIOS of my Dell OptiPlex 755,
is there a jumper or BIOS setting to write protect the BIOS?

Another question would be what else (graphics card, PCI card) has
to get locked down to prevent unauthorized flashing.

I'm currently trying to find new PCs with halfway decent security
implementations, any ideas or websites on this topic?
arnold

You can set a BIOS password using F2.
SOLUTION
_
This solution is only available to members.
Hi kiggsondrome
If you google "How to Bypass or Remove a BIOS Password"
you'll understand how futile it could be.
Most good antivirus software has an option to run a virus boot scan when starting Windows.
Viruses usually infest the MBR of your HDD, not the BIOS, that is if they get in.
Bootkits.
Short for Master Boot Record, the MBR is a small program that is executed when a computer boots up.
Typically, the MBR resides on the first sector of the hard disk.
The program begins the boot process by looking up the partition table to determine which partition to use for booting.
It then transfers program control to the boot sector of that partition, which continues the boot process.
An MBR virus is a common type of virus that replaces the MBR with its own code.
Since the MBR executes every time a computer is started, this type of virus is extremely dangerous.
How To Check For And Fix MBR Virus Infection
http://techlogon.com/2012/01/15/how-to-check-for-and-fix-mbr-virus-infection/

Are you concerned about the Nitol botnet viruses that have reportedly been installed and compromised new Windows 7 systems?
http://www.theregister.co.uk/2012/10/04/nitol_botnet_settlement/

If you have great concerns, moving to Windows 8 with a new system may help. Windows 8 is built on the Unified Extensible Firmware Interface (UEFI).
Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer's firmware to its operating system (OS).
UEFI is expected to eventually replace BIOS.
Windows 8 provides additional support for security features to help to prevent unauthorized firmware, operating systems, or UEFI drivers from running at boot time.
These features include Secure Boot and support for factory-encrypted drives.
UEFI firmware is required to support large disks (over 2 TB).
This firmware can also provide faster boot and resume speeds, by reading and using data more efficiently.
Source
http://msdn.microsoft.com/en-us/library/windows/hardware/br259114.aspx
If you're interested in knowing:
How to Install Windows 8 Using the "Unified Extensible Firmware Interface" (UEFI)
http://www.eightforums.com/tutorials/2328-uefi-unified-extensible-firmware-interface-install-windows-8-a.html

There is really no way to be 100% dependent on a utility to protect your computer and the USB drives, emails, BIOS etc.
Viruses, malware and hackers need you to let them in.
So the true responsibility is on what you open and run.
Or the Windows user.
Viruses can disguise themselves for sure, but with the right level of security onboard and updated daily (that is what updates to your AV are: every time a new threat is found, a fix is provided in the AV updates), and scanned once a week, combined with a sound knowledge of the threats, you should be right.
Set IE 9 to delete history on exit.
Keep your Windows updated from MS Windows updates.
It includes the malicious software remover.
Being informed is your true key to safety.
Take this for example.
How Hackers Can Disguise Malicious Programs With Fake File Extensions
To prevent users from having control of their PC, just increase their UAC controls and make them non-administrators.
The ultimate safety is Linux or move to Mac
Hope you find it interesting.
Regards Merete
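The MBR layout described in the post above (boot program in the first sector, followed by the partition table) can be checked against a known-good baseline. This is an added example, not part of the original thread; the function names are this example's own and the sample sector is constructed in the code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446      # bytes 0..445 hold the boot program
ENTRY_SIZE = 16          # then four 16-byte partition table entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511 mark a bootable sector

def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the used partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_END + i * ENTRY_SIZE
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, start LBA, length
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}

def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """List what changed since the baseline; an empty list means no change."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one active type-0x07 partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    body = boot_code.ljust(BOOT_CODE_END, b"\x00") + entry + b"\x00" * 48
    return body + SIGNATURE

if __name__ == "__main__":
    known_good = build_sample_mbr(b"\xfa\x33\xc0")  # constructed bytes
    replaced = build_sample_mbr(b"\xeb\x3c\x90")    # same table, other code
    baseline = parse_mbr(known_good)
    print(baseline["partitions"])
    print(compare_to_baseline(known_good, baseline))
    print(compare_to_baseline(replaced, baseline))
```

On a real machine the input would be the first 512 bytes of the raw disk, read with administrative rights and preferably from trusted boot media, since code running from a modified MBR can misreport that sector to the installed OS.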
It is not easy to bypass a BIOS password on modern PCs, so I suggest using one, since there's no other way known, other than cutting the write entry of the chip.
Avatar of kiggsondrome
kiggsondrome

ASKER

Sometimes a BIOS update can be helpful and
more convenient :) On the OptiPlex there's now
an irreversible "signed firmware update" option
which is supposed to be 100% secure.

Nevertheless I'm still interested in getting mainboard
recommendations with jumper or other physical
write protection.
Which Windows?
All new systems have a trial version of either McAfee or Norton SystemWorks, one or the other. Windows 7 has inbuilt Windows Defender.

You'll need to run Windows updates on first run and set up an email client, stuff like that.

You can set group policies to prevent flashing of the video card and prevent installing, but this may be a global setting and thus prevent anything from being installed.
But realistically, unless the user is a limited user account rather than an administrative account, it is more difficult to prevent.
Threats and Countermeasures Guide: Software Restriction Policies
Applies To: Windows 7
There are two ways to use software restriction policies:
1. If an administrator knows all of the programs that should run, then a software restriction policy can be applied to allow only this list of trusted applications.
2. If all the applications that users might run are not known, then administrators can disallow undesired applications or file types as needed.
http://technet.microsoft.com/en-us/library/hh125926(v=ws.10).aspx

Software Restriction policies
Please refer to this article to configure it:
 Using Software Restriction Policies to Protect Against Unauthorized Software (Windows XP)
 http://technet.microsoft.com/en-us/library/bb457006.aspx
 
If you have only Win 7 clients, you can use AppLocker policies, refer to these articles to configure it:
 AppLocker Step-by-Step Guide
 http://technet.microsoft.com/en-us/library/dd723686(v=ws.10).aspx
 AppLocker Operations Guide
 http://technet.microsoft.com/en-us/library/ee791916(v=ws.10).aspx

How to Set a BIOS Password on Your Laptop
http://www.wikihow.com/Set-a-BIOS-Password-on-Your-Laptop
Setting a BIOS Password
http://www.lockdown.co.uk/?pg=biospsw
>> Nevertheless i'm still interested getting mainboard recommendations with jumper or other physical write protection.

I haven't come across any with that feature in several years.
I think the last motherboard I saw where you had to move a jumper to flash the BIOS, was an old Intel motherboard with a PIII on it.
The Dell OptiPlex 755 intrusion switch lets you know if anyone has opened the case.
From the Dell OptiPlex 755, this BIOS password is supported.
You'd probably be interested in this one first; clicking on jumpers shows the PSWD switch on the motherboard.
Advanced Features
http://it.pickensit.com/User's%20Guides/Dell%20Optiplex%20755/advfeat.htm

There's actually lots of good technical specs on this system.

Extract
Security Wave EMBASSY® Trust Suite, Chassis loop lock support (with cable locks available), Chassis intrusion switch, Setup/BIOS Password, I/O Interface Security, Smart Card and Bio-metric readers,
Intel vPro Circuit Breaker technology, Intel® Trusted Execution Technology and VT-d Intel® Management Engine BIOS Extension (MEBx)
http://basic-bg.com/Computers/PDF/DELL/Dell%20Optiplex%20755.pdf
Specific provisioning and pre-configured setting options for iAMT and Intel ... password jumper (PSWD).
Page 37
http://www.dell.com/downloads/global/products/optix/en/opti_755_techspecs.pdf

Dell™ Systems Management Administrator's Guide
http://support.dell.com/support/edocs/systems/latd630/en/amt/MEBX.htm
Chassis Intrusion Switch
http://support.dell.com/support/edocs/systems/opgx620/en/ug/A02/chsintr0.htm
Dell OptiPlex 755 User's Guide
http://www.manualowl.com/m/Dell/OptiPlex-755/Manual/187358
Fortunately, with the Aspire and Veriton series it
looks like Acer is one of the few or the only
manufacturer who never stopped production of
mainboards with physical BIOS protection.

From my point of view I think we should support
manufacturers who give us a choice :)

"This document is the second in a series of publications
on BIOS protections. The first document, SP800-147, BIOS
Protection Guidelines, was released in April 2011 and
provides guidelines for desktop and laptop systems
deployed in enterprise environments."

http://csrc.nist.gov/publications/PubsDrafts.html

With the latest update on the OptiPlex I still see the
current BIOS version and also it looks like I have brute
force password access to the BIOS directly from Windows 7.
Maybe I'll give a bit more info later :)
OK, I'm trying to fix this with an OpenBSD firewall, BootIt NG,
a few 80 GB hard drives and write-protectable USB sticks.
I have an OpenBSD hardware firewall now, but
it looks like OpenBSD also somehow got compromised.

Possibly I'll need better firewall rules, I'll get to this
in another question.
Thank you much.