HP Business Desktops BIOS
Securing startup
The power-on password, user smart card, and TPM preboot authentication functions as a user
authentication and boot access control mechanism. If this password is set or either smart card or TPM
preboot authentication is established, the user will be prompted to enter this password or smart card
on each startup and optionally on each restart. The startup process is halted if the correct password or
smart card is not entered. TPM preboot authentication uses the TPM user credential (passphrase) to
authenticate the user.
Device boot control is a series of settings that control which devices can be booted and in what order.
This feature is important to prevent subversion of the installed OS as described earlier. The settings in
this category are
1. Network Service Boot (enable/disable)
2. Removable Media Boot (enable/disable)
3. Remote Wake Boot Source (controls which device will boot on wakeup)
4. Boot Order (controls which devices can be booted and in what order)
5. USB port and mass storage controller disable (mentioned earlier)
6. DriveLock
Securing portable data
Computers that contain mobile technology hard disk drives used in MultiBay slots can protect the data
on those drives with a DriveLock password. The password is stored on the drive and the drive
firmware controls access so that the DriveLock security goes with the drive, not the platform. Each time
the computer is restarted, the drive will remain inaccessible until the DriveLock password is provided.
This drive locking mechanism is an industry standard (ATA–5).
It is recommended that the system administrator establish a master DriveLock password on each drive
and then allow the user to establish the user DriveLock password. This is the only way to recover a
drive if the DriveLock password is lost. The master DriveLock password provides a mechanism to clear
the user DriveLock password, if it is forgotten. Otherwise, the drive is rendered useless and
all data will be lost.
As a convenience to the user, the DriveLock password and power-on passwords (or smart card
credentials) can be set to match. In this case, the BIOS will use the Power-on password or smart card
credential to unlock the drive for the user without additional prompts. For the sake of security, there is
no copy of the DriveLock password permanently stored in any fashion in the BIOS. Of course, if the
power-on password and DriveLock passwords are set to match, then an encrypted version of the
DriveLock password is contained in the BIOS, since the power-on password is stored in the BIOS flash
memory. For this reason some users may choose to make their DriveLock password different from the
power-on password.
Smart cards
Using smart cards for user or administrator preboot authentication provides one of two benefits: ease
of use or multifactor authentication. In addition, the same smart card can hold OS user credentials.
If the administrator has enabled the use of smart cards in BIOS setup, the smart card will replace the
typed-in passwords. BIOS administrator authentication and user authentication are handled with two
separate smart cards: the user smart card and the administrator smart card. If smart cards are
enabled, the administrator smart card must be enabled first. After enabled the administrator smart
card, enabling the user smart card is optional.
When enabling the smart cards, the administrator has the choice of enabling multifactor
authentication, which requires a PIN (Personal Identification Number, a 4- to 10-digit number
required to enable smart card access), or single-factor authentication, which does not require a PIN.
Single-factor authentication is more convenient (only requires possession of the card), while multifactor
authentication is more secure (requires possession of the card and knowledge of the PIN). If single-
11