Secure Your Computer With a BIOS or UEFI Password - - Windows Tips and Tricks with Geek

Friday, August 6, 2021

Secure Your Computer With a BIOS or UEFI Password


How It Works

Let’s say you’ve followed good security practices and have a password set on your Windows user account. When your computer boots, someone will have to enter your Windows user account password to use it or access your files, right? Not necessarily.

The person could insert a removable device like a USB drive, CD, or DVD with an operating system on it. They could boot from that device and access a live Linux desktop — if your files are unencrypted, they could access your files. A Windows user account password doesn’t protect your files. They could also boot from a Windows installer disc and install a new copy of Windows over the current copy of Windows on the computer.

You could change the boot order to force the computer to always boot from its internal hard drive, but someone could enter your BIOS and change your boot order to boot the removable device.

A BIOS or UEFI firmware password provides some protection against this. Depending on how you configure the password, people will need the password to boot the computer or just to change BIOS settings.

Of course, if someone has physical access to your computer, all bets are off. They could crack it open and remove your hard drive or insert a different hard drive. They could use their physical access to reset the BIOS password — we’ll show you how to do that later. A BIOS password still does provide extra protection here, particularly in situations where people have access to a keyboard and USB ports, but the computer’s case is locked up and they can’t open it.

How to Set a BIOS or UEFI Password

These passwords are set in your BIOS or UEFI settings screen. On pre-Windows 8 computers, you’ll need to reboot your computer and press the appropriate key during the boot-up process to bring up the BIOS settings screen. This key varies from computer to computer, but is often F2, Delete, Esc, F1, or F10. If you need help, look at your computer’s documentation or Google its model number and “BIOS key” for more information. (If you built your own computer, look for your motherboard model’s BIOS key.)

In the BIOS settings screen, locate the password option, configure your password settings however you like, and enter a password. You may be able to set different passwords — for example, one password that allows the computer to boot and one that controls access to BIOS settings.

You’ll also want to visit the Boot Order section and ensure the boot order is locked down so people can’t boot from removable devices without your permission.

On post-Windows 8 computers, you’ll have to enter the UEFI firmware settings screen through Windows 8’s boot options. Your computer’s UEFI settings screen will hopefully provide you with a password option that works similarly to a BIOS password.

On Mac computers, reboot the Mac, hold Command+R to boot into Recovery Mode, and click Utilities > Firmware Password to set a UEFI firmware password.

How to Reset a BIOS or UEFI Firmware Password

You can generally bypass BIOS or UEFI passwords with physical access to the computer. This is easiest on a desktop computer that’s designed to be opened. The password is stored in volatile memory, powered by a small battery. Reset the BIOS settings and you’ll reset the password — you can do this with a jumper or by removing and reinserting the battery.

This process will obviously be more difficult if you have a laptop you can’t open up. Some computer models may have “back door” passwords that allow you to access the BIOS if you forget the password, but don’t count on it.

You may also be able to use professional services to reset passwords you forget. For example, if you set a firmware password on a MacBook and forget it, you may have to visit an Apple Store to have them fix it for you.

BIOS and UEFI passwords aren’t something most people should ever use, but they’re a useful security feature for many public and business computers. If you operated some sort of cybercafé, you’d probably want to set a BIOS or UEFI password to prevent people from booting into different operating systems on your computers. Sure, they could bypass the protection by opening up the computer’s case, but that’s harder to do than simply inserting a USB drive and rebooting.

No comments:

Post a Comment