Pau Lo

asked on

BIOS password on laptops/desktops

Is there any real benefit in setting a BIOS password on laptops/desktops to prevent your staff messing around with the boot sequence if the disk drive is full-disk encrypted (BitLocker)?

I have seen numerous boot discs and USBs which can export/crack or even reset local Windows password hashes, and booting from Linux-type distros for unencrypted systems bypasses the Windows login so you could access any sensitive local information. But I am not sure if there is any benefit in doing so if the drive is encrypted, as a boot CD/USB won't be able to pull hashes/sensitive files until the C drive has booted and the encryption key has been entered to make the data accessible?

Are there any remaining risks with no BIOS password if the drive is encrypted, or any benefits still in setting a BIOS password?
SOLUTION
John
This solution is only available to members.
ASKER CERTIFIED SOLUTION
McKnife
This solution is only available to members.
Thanks and good luck with your process and security.

For myself (and only me), my ThinkPad has a Hard Drive (SSD) password, so that no one but me starts the computer.

John, the hard drive password will not protect you from people messing with your BIOS. Example: I find your laptop and in the BIOS, I activate some kind of remote access (modern UEFI/BIOS offer terrible things, even VNC server functionality as in Intel's AMT). Since you don't have BitLocker but only rely on the SSD built-in encryption, you will not even notice this. What happens next? You log on to Windows and in the background, I access your computer remotely, via the internet.

If the machine is off, then you cannot start it to get into BIOS - that was my point about the HDD password.

If the machine is on, you have to get into it. No one has succeeded yet, so I do not lose sleep over this.

"If the machine is off, then you cannot start it to get into BIOS - that was my point about the HDD password." - You misunderstand things. I can even remove your hard drive and still get into BIOS. BIOS access is in no way related to your hard drive.

You have to physically have access to the machine, and then (in my experience with my laptops) you cannot change the BIOS password just because you maybe got the machine and removed the hard drive. I only use Lenovo machines so I am coming from that perspective.

You seem confused by my comments. Yes, a BIOS password is only important when bad guys come near your machine. I outlined why it makes a difference what encryption we use. Your way does not have any built-in BIOS monitoring, so it cannot alarm you that someone tinkered with your BIOS. BitLocker will alarm you since it will trigger recovery mode when security-related BIOS settings are changed.
And that is why YOU should set a BIOS password, while he (the author) does not necessarily have to.

I hope that was more understandable?
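
A simplified model of the mechanism described in the comment above, in which a TPM-sealed key stops unlocking once a measured firmware setting changes (an added example, not code from this thread or from BitLocker). The setting names, the single PCR and the in-memory "sealed" blob are assumptions made for illustration; which settings a real platform measures varies.

```python
import hashlib
import hmac

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(settings: dict) -> bytes:
    """Fold each security-relevant firmware setting into one PCR, in fixed order."""
    pcr = bytes(32)  # PCRs start at all zeros on power-on
    for name in sorted(settings):
        pcr = extend(pcr, f"{name}={settings[name]}".encode())
    return pcr

def seal(volume_key: bytes, pcr: bytes) -> dict:
    """Model of sealing: the key is stored with the PCR value it is bound to."""
    return {"key": volume_key, "bound_pcr": pcr}

def unseal(blob: dict, current_pcr: bytes):
    """Release the key only if the current PCR matches; None means no release."""
    if hmac.compare_digest(blob["bound_pcr"], current_pcr):
        return blob["key"]
    return None

def boot(blob: dict, settings: dict) -> str:
    """Measure the current settings, then try to unseal the volume key."""
    key = unseal(blob, measure_boot(settings))
    return "unlocked" if key is not None else "recovery key required"

# Constructed sample settings (hypothetical names, not a real firmware's options).
BASELINE = {"secure_boot": "on", "boot_order": "disk", "remote_mgmt": "off"}
TAMPERED = dict(BASELINE, remote_mgmt="on")

# Sealing happens once, while the firmware is in its known-good state.
SEALED = seal(b"\x11" * 32, measure_boot(BASELINE))

if __name__ == "__main__":
    print("unchanged firmware:", boot(SEALED, BASELINE))
    print("changed firmware:  ", boot(SEALED, TAMPERED))
```
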