HP Business Desktops BIOS
Securing trust
Each time the user turns on the computer, they need to know that the computer will function
predictably and reliably. The user also needs to know that no one has tampered with their sensitive
data. The system administrator wants to be assured that unauthorized changes are not made to the
computer configuration, even by individuals with user authorization.
The installed operating system (OS) probably provides some security functions designed for this
purpose, but, as the next section describes, this is not enough.
Preboot security is vital to OS security
Since the computer BIOS is the first code to run at startup (pre-OS boot or preboot) and ultimately
controls which operating system software is loaded, BIOS preboot security is a vital link in total
computer security. Without BIOS preboot security, it is not difficult to subvert the security of the
installed operating system by booting to a different OS on removable media (such as CD, diskette,
USB key, etc.). When a rogue OS is started on removable media, instead of the installed OS, the
security policies of the installed OS are not in force. This gives an unauthorized user (hacker) the
ability to examine and potentially compromise any data or stored security policies of the computer.
Tools such as ERD Commander exist just for the purpose of bypassing OS security and manipulating
OS security settings.
Installing a power-on password might be sufficient for the user to trust that no one else has accessed
their computer. However, to satisfy the system administrator that not even the owner of the power-on
password can boot from removable media, the system administrator can use the BIOS preboot
security features to select which devices are bootable. This can effectively prevent undesirable OS
loads from removable media (such as diskette or USB external devices). In addition, computer I/O
ports can also be locked down and hidden. In the hidden state, no program has access to these ports,
not even the operating system. This can help prevent unauthorized removal of sensitive data.
Certain new systems (dc7600) also have a BIOS and hardware that will support the Secure Startup
feature of the Microsoft Longhorn OS. Secure Startup uses the TPM, BIOS TCG metrics, and logic in
the OS loader to lock the boot partition to the specific machine and known copy of Longhorn.
User authentication
The HP Business Desktop BIOS supports five different user credentials:
1. Setup password—Sometimes called the administrator password, controls updates to BIOS
options (F10 setup) and BIOS configuration and can be used in place of the power-on password to
boot the computer (administrator authentication)
2. Power-on password—controls booting into the Operating System (user authentication)
3. Two-Level DriveLock password—controls access to HDD contents using industry-standard
ATA security features on supported hard drives and drives installed in MultiBay slots. This password
may be set to match the power-on password, in which case the BIOS will automatically unlock the
HDD using the power-on password typed by the user. NOTE: DriveLock is only supported on hard
drives and MultiBay drives that provide the ATA security features.
4. User Smart Card—When enabled, takes the place of the power-on password
5. Administrator Smart Card—Takes the place of the setup password
6. TPM Preboot Authentication—Uses the TPM to authenticate the user via TPM user credentials
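The Python below is an added example, not part of the HP document. It decodes the ATA security status word (word 128 of a 512-byte IDENTIFY DEVICE response) to check whether a drive provides the ATA security features that DriveLock relies on and what state they are in. It assumes the raw IDENTIFY data has already been read from the drive; `make_identify` and the sample values are constructed for illustration.

```python
import struct

# ATA IDENTIFY DEVICE word 128 (security status) bit meanings, from the ATA command set.
SECURITY_BITS = {0: "supported", 1: "enabled", 2: "locked", 3: "frozen",
                 4: "count_expired", 5: "enhanced_erase"}

def decode_security_status(identify: bytes) -> dict:
    """Decode ATA security state from a raw 512-byte IDENTIFY DEVICE response."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    word128 = struct.unpack("<256H", identify)[128]  # 256 little-endian words
    status = {name: bool((word128 >> bit) & 1) for bit, name in SECURITY_BITS.items()}
    # Bit 8 is the master password capability: 0 = High, 1 = Maximum.
    status["level"] = "maximum" if (word128 >> 8) & 1 else "high"
    return status

def audit(status: dict) -> list:
    """Return findings an administrator would want to act on."""
    if not status["supported"]:
        return ["drive has no ATA security feature set; a drive password cannot be set"]
    findings = []
    if not status["enabled"]:
        findings.append("no drive password set; contents readable if the drive is moved")
    if not status["frozen"]:
        findings.append("security commands not frozen; OS software can change password state")
    if status["count_expired"]:
        findings.append("unlock attempt limit reached; repeated wrong passwords since power-on")
    return findings

def make_identify(word128: int) -> bytes:
    """Constructed sample: an otherwise empty IDENTIFY block with word 128 set."""
    words = [0] * 256
    words[128] = word128
    return struct.pack("<256H", *words)

if __name__ == "__main__":
    # Constructed values, not captured from real hardware.
    for label, value in [("locked down", 0x002B), ("unprotected", 0x0021),
                         ("failed unlocks", 0x0117), ("unsupported", 0x0000)]:
        status = decode_security_status(make_identify(value))
        print(label, status, audit(status))
```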