New security policy locking BIOS to prevent illegal users

We have discussed many security protection fields and introduced many tools to protect local resources, in addition, I have explained and discussed the importance of preventing physical risks. But if the system falls into the hands of others, how should we protect the system?
First, let's assume who we are talking about as "others. We generally like to imagine what we encounter as "Enemies". They are agents who steal data (or money) for the Queen or country like Bond. But let's face the reality: the so-called "enemy" is probably the two inconspicuous guys around us. They are just dissatisfied with what you gave him or her) so they want to get more permissions.

These "malicious" users just want to test the security of the company's system to see if there are any vulnerabilities so that they can start a software program and make their work days more comfortable. They are not really "malicious", but if some of their free software becomes a trojan host, it may actually split your company's network and turn your network into a trojan country.

This is what you need to remember: many times, you have already faced your greatest threats-and they do not even have any malicious attempts. So how can you prevent such a situation from giving them physical access to your computer and preventing them from venting it?

In fact, the goal is to prevent users from starting with any other media except hard disks. There are many tools that can be used to start from a CD or USB device, so that users can modify the system administrator password or install other programs. This is the function that you must remove to prevent them from using such a tool.

To do this, you need to access the BIOS and lock it. Note that there are many different computer companies, so there are also many different major BIOS manufacturers.

What if you don't know how to access the BIOS of a computer? You can search the Internet to find the "BIOS setting key for your computer brand" (for example, "Dell 6000 BIOS setting key ").

Because there are many different BIOS steps for different computers, we will only discuss the current computer: Dell flexibility E1705. to lock its BIOS, perform the following steps:

1. at startup, press the [F2] key to go to BIOS settings.

2. Select "Boot Sequence" in the system )".

3. Check that "Internal HDD (Internal hard disk)" is the only boot device.

4. Press the [Esc] key and select Save )".

5. Under Security, select Admin Password )".

6. Specify a system management password (using a password can prevent those who attempt to change the startup sequence through the BIOS from entering the BIOS, but will not impede normal operations)

This is done! Unless a user obtains the BIOS system management password, he or she will not be able to change the boot device, but can only start from the hard drive provided by the company honestly, nothing else is possible.

In addition, some manufacturers also bind some Enterprise Tools to their servers for remote management of BIOS options. If so, then you don't have to go to each computer one by one to make the above security changes. You can do this remotely.

Summary

The launch management password utility and software kits are everywhere, so it is very important to make sure they cannot run on your network. You can prevent users from putting your network at risk due to negligence-simply add an additional step in your security policy.