
July 11th, 2012 13:00

Optiplex 790 with BIOS A13 - UEFI boot security issue

I'm staging Optiplex 790 devices for public use.

Test machine has BIOS version A13 installed.

In BIOS, General -> Boot Sequence, I've unchecked all devices on Legacy list except hard drive.  There are no UEFI devices listed.

With an Admin password set, if I boot and press F12, the Onboard NIC and CD/DVD still display, although they require the admin password to boot from.

 

Next, insert a bootable disk into the CD/DVD drive, reboot and press F12.

Now, a UEFI device for the CD/DVD drive is displayed in the list which does not require the Admin password.  Select this and the machine boots from the CD/DVD.

I've tried booting with the disk in, pressing F12 and entering BIOS.

Under General -> Boot Sequence:

I've clicked on UEFI radio button;

Unchecked the (now-detected) DVD drive;

Apply;

Click on Legacy radio button;

Apply

Exit.

While the disk is still in, reboot and press F12.  UEFI device displays and requires a password.

 

However, removing disk -> boot -> insert disk -> reboot -> press F12:

UEFI device again displays and does not require an Admin password.

 

This is a HUGE security issue to us, as it allows anyone to boot off of an install disk or LiveCD/DVD.

I'm not finding any other BIOS settings to disable UEFI boot devices.

For several reasons, we don't want to set a System password.  It's just not practical or functional in our situation.

 

So, how do I disable booting from any possible UEFI device?

or, at least, require Admin Password?

 

TIA

Rick

 


July 12th, 2012 08:00

Disable booting from UEFI devices and disable changing CMOS without a password.


July 12th, 2012 13:00

As explained in the original post, this is impossible to do.

Rick


July 18th, 2012 18:00

I would agree that the lack of password protection for detected UEFI devices does appear to be a security issue. Ideally, I would think that the solution is that any detected UEFI boot devices obey the Legacy restrictions. For example, if the CD/DVD Legacy device is unchecked, then any detected UEFI entry for the CD/DVD would be displayed, but would require the password.

In order for UEFI Secure Boot to work, doesn’t the BIOS need to support it? I do not see any options in the 790 A13 BIOS to enable or disable this.

I would hope that Dell would address these issues in a later BIOS version once Windows 8 has been RTM. Contact Dell and let them know your needs, as this would likely be something that many enterprise environments would want.

In the meantime, you could enable BitLocker and manually specify the Recovery Key with the following command and make it automatically unlock. This would make it much more difficult for someone to boot off external media and make changes to Windows. They could of course format the drive and install their own modified version of Windows, until Dell implements these UEFI boot restrictions.

manage-bde -on C: -recoverypassword 123456-123456-123456-123456-123456-123456-123456-123456
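The BitLocker mitigation above, carried through as an added staging script (not code from this thread or from Dell). It uses the same manage-bde tool, but adds a TPM protector so the OS drive unlocks without any pre-boot prompt (no System password needed), lets manage-bde generate the recovery password instead of typing one (each 6-digit block of a recovery password must be a multiple of 11, so a placeholder like 123456-... is rejected), and escrows the generated key before the first reboot. Assumptions: Windows 7/8 Enterprise or Ultimate on the Optiplex 790 with the TPM enabled and activated in BIOS (Security -> TPM Security), an elevated PowerShell session, C: as the OS volume, and a hypothetical escrow share in $KeyEscrowPath. Like the command above, this only protects data at rest: someone booting the UEFI DVD entry can still wipe and reinstall the drive.

```powershell
# Added example (not from the thread): stage BitLocker on the OS drive with a TPM
# protector plus a manage-bde-generated recovery password, so the drive unlocks
# without a pre-boot prompt but cannot be read from a LiveCD booted via the F12
# UEFI entry. Assumes Windows 7/8 Enterprise/Ultimate, TPM enabled and activated
# in BIOS, an elevated PowerShell session, and C: as the OS volume.
param(
    [string]$Drive = 'C:',
    # Hypothetical escrow location for the staging team; adjust to your environment.
    [string]$KeyEscrowPath = "\\fileserver\bitlocker-keys\$env:COMPUTERNAME.txt"
)

function Invoke-ManageBde {
    # Run manage-bde and fail loudly; it returns a non-zero exit code on every error.
    param([string[]]$Arguments)
    $out = & manage-bde.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed:`n$out"
    }
    return ($out | Out-String)
}

# 1. Check the TPM first. Without it the only protector would be the recovery
#    password, and every boot would stop at the recovery screen.
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
if (-not $tpm -or -not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    throw 'TPM is not enabled and activated; fix that under Security -> TPM Security in the BIOS.'
}
if (-not $tpm.IsOwned().IsOwned) {
    # manage-bde can take ownership for you; pick a real owner password in production.
    Invoke-ManageBde @('-tpm', '-TakeOwnership', 'StagingTpmOwnerPassword') | Out-Null
}

# 2. Add the protectors before turning encryption on. -RecoveryPassword with no value
#    makes manage-bde generate a valid 48-digit key.
Invoke-ManageBde @('-protectors', '-add', $Drive, '-TPM') | Out-Null
Invoke-ManageBde @('-protectors', '-add', $Drive, '-RecoveryPassword') | Out-Null

# 3. Read the generated recovery password back and escrow it before the reboot.
$protectors = Invoke-ManageBde @('-protectors', '-get', $Drive, '-Type', 'RecoveryPassword')
$password   = [regex]::Match($protectors, '\d{6}(-\d{6}){7}').Value
$id         = [regex]::Match($protectors, 'ID:\s*(\{[0-9A-Fa-f-]+\})').Groups[1].Value
if (-not $password) {
    throw "Could not parse a recovery password from manage-bde output:`n$protectors"
}
"$env:COMPUTERNAME`t$id`t$password" | Out-File -FilePath $KeyEscrowPath -Append -Encoding ASCII

# 4. Turn BitLocker on. Without -SkipHardwareTest, BitLocker reboots once to
#    confirm the TPM can unseal the key before it starts encrypting.
Invoke-ManageBde @('-on', $Drive) | Out-Null

# 5. Show what was configured; expect a TPM protector and a Numerical Password.
Invoke-ManageBde @('-status', $Drive)
```

Run it once per machine after imaging, then reboot to let the hardware test complete; `manage-bde -status C:` afterwards should show encryption in progress with "Protection Status: Protection On". If the machines are domain-joined, `manage-bde -protectors -adbackup C: -id $id` can replace the file escrow in step 3.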

 
