Password protect the boot menu on a desktop computer

3

On most computers we can press a key, in my case F12, to access the boot menu where we can choose to boot from another drive, such as the CD or another HD.

I want to eliminate that possibility, or to be asked for a password when I try to boot the computer that way.

I do not want the computer to ask for a password when it boots normally to Windows, but only if someone tries to access the boot menu.

Thank you.

elvispt

Posted 2009-12-10T16:01:38.930

Reputation: 400

Answers

13

You can try assigning a BIOS / administration password, as the boot menu may be covered by that. However, if this doesn't work and you do not want a boot password, I do not think there will be any way to achieve what you want.

William Hilsum

Posted 2009-12-10T16:01:38.930

Reputation: 111 572

2 BIOS admin password or nothing... ;) Sorry – Jakub – 2009-12-10T16:21:19.750

If you set a BIOS password and that doesn't protect the boot menu, you can normally set the boot order to only allow your main hard drive. This is of course dependent on the motherboard and what options are allowed. This would only protect against idle attempts to boot alternate media. If the computer is stolen, this measure is easily defeated. All you have to do is use the reset CMOS jumper or remove the battery. Something that takes 10 seconds once you gain access to the inside of the machine. – Doltknuckle – 2009-12-10T23:12:44.410

No matter the boot order I choose on the BIOS, that can easily be circumvented by pressing F12 right after POST. – elvispt – 2009-12-10T23:33:27.910

@Doltknuckle, @elvispt, as I said, this would be the only way to do it - If the BIOS doesn't support password protecting it, you are out of luck.... Unless you want to download a BIOS update and hex edit it to get rid of the boot menu altogether.... but I wouldn't recommend it! – William Hilsum – 2009-12-11T07:34:19.603

Set the BIOS setup password, then DISABLE all but your main hard drive as boot options in the BIOS. Don't just change the order, you need to disable/remove the other options. Your BIOS should then prompt for a password if one of the removed options is chosen from the boot menu. – pipTheGeek – 2009-12-15T18:29:35.873

1 @pipTheGeek, that is pretty much what I wrote - but again, as I said, password on boot menu is BIOS dependent. – William Hilsum – 2009-12-15T18:31:14.687

I'm accepting Wil's answer. Not being able to do it is also an answer. A correct one in this case. Thanks folks. :) – elvispt – 2009-12-20T13:38:17.150

4

But a BIOS password doesn't improve security much. If you need to protect your hard drive from access from another OS, the only secure option is disk encryption (for full security it should be combined with TPM).

Maciek Sawicki

Posted 2009-12-10T16:01:38.930

Reputation: 1 072

1 i'm not sure that's his goal, but you're right about the security picture here. – quack quixote – 2009-12-10T16:51:16.630

Indeed it's not my goal. If I wanted total security I would just put a password so that nobody would access the computer, but I just want to prevent access to the boot menu or password protect it. – elvispt – 2009-12-10T18:40:58.687

Encrypting the hard disk without also protecting the BIOS doesn't work. A recently-published exploit shows that an attacker can install a keylogger even if they can't decrypt the hard drive. The keylogger then steals the password for the drive. It's the "Evil Maid" exploit if you want to search for it. – CarlF – 2009-12-15T04:20:34.213

A BIOS password wouldn't protect against it. An attacker can remove the hard drive and install a key logger. Please read Joanna Rutkowska's article again. The only "good enough" protection against that attack is TPM (it's not 100% bulletproof, but TPM hacking requires expensive laboratory hardware). – Maciek Sawicki – 2009-12-15T10:40:48.657

1

On one of my machines, the BIOS boot password is not effective until I change TWO settings:

1. Set an administrator password
2. Set something like "BIOS changes require Password" to "Boot requires Password" 

Sorry for not having the correct wording, I am not in front of the BIOS (obviously). This accomplishes BIOS Then F12 or other buttons do not work any more. Of course the bios-reset jumper still applies...

Thomas

Posted 2009-12-10T16:01:38.930

Reputation: 272

0

It can be done. The only reason I know this is because I just purchased a used computer. The woman who had this computer knew her stuff. I am using a guest account currently on the computer. Her boot, bios, and command prompt settings are locked down. I can access command prompt in safe mode and monitor the majority of the profile information. However, if I attempt to change anything it just tells me denied. I have two programs that can get around her passwords but one will have to access the boot menu to load. This will not work. The only other option I have is to force her bios password with another program, if I can get that to work even. This woman went through a lot of trouble just to protect this computer.

DespondentNinja

Posted 2009-12-10T16:01:38.930

Reputation: 1

Assuming you're getting in touch with the previous owner to fix this, please edit your post to explain what the previous owner did. In its current state this post is not an answer, and should have been a comment. Thanks. – Arjan – 2016-03-05T11:44:04.750

0

Windows bootloader does not support password protection at all. You'll have to install GRUB bootloader in order to have this feature.

kolypto

Posted 2009-12-10T16:01:38.930

Reputation: 2 861

Wouldn't accomplish what I'm after. :) – elvispt – 2009-12-15T15:21:35.643

0

If you want to protect the system from attackers, physical security is your best bet. Put a physical lock on the case like the old IBM systems, and the attacker would have to open the system and switch cables to do anything.

CarlF

Posted 2009-12-10T16:01:38.930

Reputation: 8 576

0

Very low tech, not ideal, circumventable, but possibly very effective for a typical user and most applications: Physically render the F12 key on the keyboard non-functional. Pop open the keyboard and sever the connection that key has or otherwise interfere with the contact while allowing normal motion. F12 isn't exactly a commonly used key.

DHayes

Posted 2009-12-10T16:01:38.930

Reputation: 2 103

what an ugly hack... i like it. it might do the trick. but getting around it is just as low-tech: plug in a different (non-hacked) keyboard. – quack quixote – 2009-12-18T05:25:24.340

0

simply put, this cannot be done.

unless, of course, you find a BIOS editor compatible with your BIOS and brace yourself for the chance of bricking it.

Molly7244

Posted 2009-12-10T16:01:38.930

Reputation: