
Defense-in-Depth: Hardening the BIOS

Hal Berghel

For most managers and executives, pondering how their computer works is not a worthwhile exercise. In this column I’ll try to take the pain out of securing your computer’s first line of defense: the Basic Input Output System (BIOS). If Katie Couric can have a colonoscopy on live television before millions of viewers, you can bite the bullet and harden your BIOS.

THE BIOS AND THE BIG BANG

The Big Bang model is the cosmological theory that holds that the universe started from an explosion of an infinitely dense and infinitely small point in space-time called a singularity. Personally, I have a problem with visualizing things that are both infinitely dense and infinitely small, but that’s just me. Black Holes? Dark Matter? Anti-Matter? Superstrings? I’ll have none of them. These are all cosmological fluff bunnies whose sole function is to keep otherwise unemployed astrophysicists feeding off the departmental pork. And this whole train got rolling when Hubble claimed that the red-shift of the spectrum of distant galaxies proved that their distance is proportional to the speed that they’re moving away from each other, and thus the universe is expanding. Faulty optics, I say. Hubble’s telescope must have had a light leak that caused the spectral lines to look redder than they actually were. Question everything, I was told as a young lad.

Since Carl Sagan overlooked the similarity between the Big Bang and your computer’s BIOS, I shall rise to the challenge here. The parallel is this: both the Big Bang and your BIOS are needed to get things started – the formation of our universe in the former case, and the bootup of your computer in the other. Coincidental, I hear you cry? I wonder.

WHAT A BIOS DOES

In the Jurassic period of desktop computing (i.e., the 1970s), personal computers were “booted” by setting DIP switches on the front panel (cf. http://americanhistory.si.edu/csr/comphist/objects/altair.htm). This “setup sequence” determined the initial system state of the computer and prepared it for the next instruction – perhaps to read a program from a tape drive or accept input from a teletype keyboard. It didn’t take much more than a New York minute to figure out that there had to be a better way to get the computer fired up. Therein lies the motivation for the BIOS. Early BIOSes had the setup parameters hard-coded on the motherboard, then later in flash memory. Modern BIOSes have all types and varieties of setup and configuration settings.

To illustrate, take a look at Figures 1 and 2. Figure 1 reveals that this computer has a 1.44MB floppy drive connected to one port of the diskette drive controller, but that the second port is disabled. We also note from the main page of the BIOS interface that the computer has been set up so that the boot-time diagnostics will not appear on the monitor.

Figure 1: Typical Main BIOS Screen

Figure 2: Using the BIOS to Define the Boot Sequence

If we move over to the Boot Sequence page (Figure 2) we see that the computer will boot from the floppy first, then the hard disk, then the CD, and finally from the Network interface. What is wrong with this picture?

Figure 2 reveals that our computer’s first line of defense is a line in the sand. The explanation lies in both the order of the boot sequence and the selection of enabled boot devices.

Let’s assume that Figure 2 belongs to your desktop computer. You have an XP Pro workstation on your desk with all the latest hotfixes and service packs installed. Further, you’ve got the latest Norton Anti-Virus program installed and running. Since you are ultra-protective of your organization’s IP and trade secrets, you’ve also got both a software firewall and a hardware firewall correctly configured and operational between you and the Ethernet connection in the wall. Of course your Enterprise servers are assumed hardened and secure. Are you vulnerable to a hack attack? – absolutely.

The reason is that you ignored the problem of physical intrusion through the BIOS. Look carefully again at the boot sequence in Figure 2. When your computer is turned on, it will try to boot from the first device in the list. In this case it’s the legacy floppy drive. Suppose that someone reboots your computer from a floppy disk with a “mini OS” on it. Your computer will load and execute that OS, not your licensed version of XP Pro that Bill provided. If the OS has nothing more than a command processor and accepts input from the keyboard (e.g., as in a DOS window), the computer is vulnerable to file copies, file erases, disk formats, and other dastardly deeds too scary to contemplate.

The problem is that the BIOS is the lowest-level entry point of your computer. Having an unsecured BIOS is like leaving the storm door open while the rest of the house is locked.

THE YIN-YANG OF BIOS

In Chinese philosophy, Yin-Yang is a study in complementary forces. Yin is characterized as female, earthy, even-numbered, and represented by the tiger, while Yang is the opposite, and represented by the dragon. Your BIOS is your computer’s Yin to the operating system’s Yang. The BIOS is rudimentary, hardware-oriented, and inherently limiting, while the operating system is complex, software-oriented and expressive. This forms the fundamental tenet of the new religion that I’m introducing in this issue of Gaming and Leisure: T’ai Chi for nerds or, if you live in California, Silicon Scientology.

With an important exception that I’ll get to in a moment, whatever the BIOS giveth the BIOS can taketh away. Our BIOS gave boot permission to a floppy drive – an exceedingly bad idea for the security-minded. But the BIOS can make things right by taking that permission away – a far better idea. Just as the BIOS can boot the computer with the NUMLOCK key on, so it can boot with it off.

A detailed analysis of the modern BIOS is beyond the scope of this column for two reasons. For one, every computer manufacturer puts a slightly different twist on the way they configure their BIOS, so there are no standardized settings. For another, there are too many combinations of settings to explore in the space available. However, I can give some general advice. As a rule, if there’s no good reason for enabling a BIOS feature, disable it. Here are some things to think about:

Computer access is near trivial if one leaves the BIOS unsecured. Step 1 is to set up the BIOS with a strong supervisory password (this doesn’t apply to computers that must remain on 24/7, because the password needs to be entered to get beyond the boot sequence; servers fall in this category). Step 2 is to LOCK the BIOS settings so that the BIOS can’t be changed without the supervisory password. These two steps will prevent intruders from changing your BIOS settings (given the important exception that I still haven’t got around to yet). Step 3 is to enable the Power-On Password. This is an additional layer of protection that prevents the computer from proceeding through the power-on sequence (which comes before the boot sequence) without the appropriate password. Step 4 is to password-protect the hard disk. This will prevent access to the hard disk on that computer unless the password has been entered by the user or supervisor. Step 4 just raises the bar a bit more. It will not prevent someone from physically removing the hard disk(s) for off-site analysis with EnCase, but when combined with operating system features such as XP’s Encrypting File System (EFS) and Cipher disk wiping, it will afford about as much protection as you can get.

Modern computers are commonly designed to be turned on remotely from a network connection. Typically this is called “wake on LAN.” Rationale: most people turn off computers for a reason. If there’s no reason to allow your computer to be turned on remotely, the “wake on LAN” feature should be disabled as it invites derring-do.

Unless absolutely necessary, disable floppy drive support in the BIOS. Floppy drives are a dinosaur technology and create a security vulnerability that most can live without. I also disconnect the floppy disk from the controller for additional safety. Also, take all removable media out of the BIOS boot sequence of the computer. That way, the only way to boot the computer is via the local hard disk and the OS you actually installed.

Needless to say, enable all BIOS logging and review the logs systematically to see who’s trying to access your holy grail.

THE BIG “E”

You’ve been patient enough. Remember the exception I told you about? Well, it’s a biggie.

Generally, BIOS settings are stored in non-volatile memory on the motherboard (e.g., CMOS with lithium battery backup is the vanilla version). Well, the computer manufacturers have to have a way of undoing anything that you may have done to turn your new Godzilla Rage I, Pentium X computer with racing stripes into a boat anchor. Hence, the CMOS can be reset to the factory default (everything is open/on) with a simple jumper. This requires about as much sophistication as hotwiring your 1950 Ford Coupe. All SYSADs, hackers and their wannabes either know how to do this, or can easily find out on the Web. Does this mean that all of our advice is for naught? No! Not at all. Though a big potential problem, it’s a minor practical one.

The reason is that “jumping the BIOS” lacks both subtlety and covertness. Hackers, privacy intruders, those who engage in industrial espionage, identity thieves and the like are really not into advertising their activities. If a BIOS has been properly configured to begin with, a BIOS reset is a big, repeat BIG, red flag to the authorized user. Hmmm. Yesterday, I had to type in my power-on password, but now I don’t. Yesterday, my floppy drive didn’t crunch when I started the computer, but now it does. You get the point. Detection of the BIOS reset doesn’t require much more than sobriety. Computer intruders and hackers are in the business of stealth – and BIOS resets are anything but stealthy.
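The hardening checklist above (Steps 1 through 4, wake-on-LAN, floppy support, boot sequence, logging) and the “big red flag” of a CMOS reset both reduce to comparing a settings snapshot against a known-good state. The following is an added example, not code from the column or any vendor: it audits a snapshot against those rules and reports which hardened settings have drifted back toward factory defaults. The flat-dict snapshot format, its key names, and the device names are my own assumptions, since every vendor’s setup utility presents these settings differently.

```python
# Added example: audit a BIOS settings snapshot against the column's rules,
# and detect drift from a hardened baseline (what a jumper reset leaves behind).
# The dict format and key names are assumptions; real snapshots would come
# from whatever tool a given vendor provides.

HDD = "hdd"
REMOVABLE = {"floppy", "cdrom", "usb", "network"}  # boot devices that are not the local disk

# Settings the column says should be on (True) or off (False).
EXPECTED = {
    "supervisor_password": True,   # Step 1
    "setup_locked": True,          # Step 2
    "power_on_password": True,     # Step 3
    "hdd_password": True,          # Step 4
    "wake_on_lan": False,          # no remote power-on
    "floppy_controller": False,    # dinosaur technology
    "bios_logging": True,          # review who is knocking
}

def audit(settings):
    """Return a list of (severity, message) findings; an empty list means hardened."""
    findings = []
    seen_disk = False
    for dev in settings.get("boot_order", []):
        if dev == HDD:
            seen_disk = True
        elif dev in REMOVABLE:
            # Ahead of the hard disk, a foreign device boots a stranger's OS outright;
            # behind it, it is still a device the column says to remove from the sequence.
            severity = "medium" if seen_disk else "high"
            findings.append((severity, f"boot device '{dev}' is in the boot sequence"))
    for key, want in EXPECTED.items():
        if bool(settings.get(key, not want)) != want:  # a missing key counts as non-compliant
            findings.append(("high", f"{key} is {'enabled' if want is False else 'not set'}"))
    return findings

def detect_reset(baseline, current):
    """Names of settings that no longer match the hardened baseline, sorted."""
    return sorted(k for k in baseline if current.get(k) != baseline[k])

# Constructed snapshot mirroring the column's Figure 2 desktop: floppy first, everything open.
FIGURE_2 = {
    "boot_order": ["floppy", "hdd", "cdrom", "network"],
    "supervisor_password": False, "setup_locked": False, "power_on_password": False,
    "hdd_password": False, "wake_on_lan": True, "floppy_controller": True, "bios_logging": False,
}
# The same machine after applying the column's advice.
HARDENED = {k: (not v if isinstance(v, bool) else [HDD]) for k, v in FIGURE_2.items()}

if __name__ == "__main__":
    for severity, message in audit(FIGURE_2):
        print(f"[{severity}] {message}")
    print("drifted after a jumper reset:", detect_reset(HARDENED, FIGURE_2))
```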

So, perform the reality check and see how close your computer comes to being a BIOS bastion.

REALITY CHECK

Try this for a quick and dirty test of how secure your BIOS is. CAUTION: unless you’re familiar with the BIOS, remember to (a) exit this program WITHOUT saving changes, and (b) make sure that you have a reliable SYSAD handy in case you get in over your head! For comparison, the BIOS I’m looking at as I write this belongs to an IBM T40 notebook. Generally speaking, you select BIOS options by navigating with the arrow keys and then hitting <ENTER>. Normally, one moves up the BIOS tree by hitting <ESC>.