Protecting the BIOS
Unlike living creatures, a computer has no inherent knowledge of itself; it must be told what its input and output devices are before it can function properly. The computer's Basic Input Output System, or BIOS, stores this information and loads it into memory as the computer boots up. Information about the computer's hard drive, floppy drive, mouse, processor, system time, RAM and much more is loaded from the BIOS program each time the power is turned on.
This critical part of your public access computer must be protected. It doesn't matter whether or not a person means to do mischief. In the case of a PC's BIOS, accidental change is just as bad as deliberate change. Tampering with the BIOS can render your computer incapable of booting. Furthermore, there are some particularly nasty computer viruses that can be spread from infected floppy disks left in the computer. The only way to prevent this is to modify the BIOS so that the computer does not have the ability to read from the floppy disk as it boots.
Accessing the BIOS
If the monitor is on when your computer is first turned on, you will see your BIOS in action (unless the computer's manufacturer has decided to have the BIOS display the company's logo instead). At the bottom or top of the screen you may see instructions such as "Press DEL to access setup." If you press the keys given in the instructions, you will see a screen with a DOS-like interface. This is the first screen of your computer's BIOS program.
Depending on the computer and BIOS manufacturer, the keystrokes needed to access the BIOS setup will vary. They are almost always F2, F10, or the DEL key. You should consult the computer manual for specific instructions on accessing and using the BIOS setup.
Basic BIOS Security
There are two main areas in the BIOS Setup program that you will need to work with in order to protect your computer's BIOS settings.
- Passwords - protect the BIOS Setup program from unauthorized users
- Boot Sequence - alter the computer's boot sequence to prevent someone from booting to a floppy disk, flash drive or CD-ROM
Most computers' BIOS Setup programs have some sort of password facility; only the oldest BIOS setup programs omit this feature. There are usually two levels of password protection in a BIOS setup: the Administrator password and the User password. The Administrator password is sometimes called the System or Supervisor password. Some older BIOS require both be set simultaneously. The Administrator (or Supervisor or System) password protects against unauthorized users (like your patrons) running the BIOS Setup program and changing any settings. The User password protects against unauthorized booting of the computer by requiring a password to even start the computer. With a User password set, a patron wouldn't be able to use the computer after reboot until the proper user password is supplied.
It is important to note that some newer library technologies such as reservation systems and "rollback" security software depend upon continuous reboots. Setting a user password is uncommon for public access workstations, and doing so may try both your patrons' and your staff members' patience.
To Set BIOS Passwords
- Start your computer and enter the BIOS Setup keystroke(s).
- Look for a "Password" or "Security" menu item. Highlight it and press Enter.
- Type in the password of your choice. You will be prompted to re-enter it to confirm.
- Don't shortchange your security with poor passwords! Use a password that has a combination of upper- and lower-case letters and numbers. Note: do not use any special characters as this will render the password unusable!
- Store the password in a safe place. If you forget it, you will have to reset it manually.
- Exit the BIOS Setup program and save your changes.
One of the worst types of viruses are "boot viruses." They deliberately attack the sectors of a hard drive that store information that the operating system uses to boot the computer up. They are spread when a computer is booted from an infected floppy disk. As the computer reads the boot instruction off the infected virus, the virus spreads throughout the PC. Boot viruses can be notoriously difficult to eradicate. For this reason, it is important to disable public access computers from booting from the floppy drive.
Another reason to prevent a workstation from being booted from a floppy disk is that a user can gain control of the computer by changing the way it boots up. Preventing a computer from booting from a floppy is easy and should be a top priority.
To Change the Boot Sequence
First, you should alter the BIOS so it skips the floppy drive and CDROM drive when booting. This way it looks first at the hard drive for an operating system and will only boot from the hard drive—not the CDROM drive or floppy drive.
- Start your computer and enter the BIOS Setup keystroke(s).
- Look for a "Boot" menu item. This may either be a list of drives or a single entry.
- Drive List - The order of drives checked by the BIOS can be changed by highlighting the floppy drive and then pressing the specified key to move it down the list. Usually moving the floppy to second position is sufficient.
- Single Entry - The order of drives is listed in a single entry (for instance, A,C,CDROM). The order is changed by highlighting the item and pressing arrows or Page Up or Page Down keys to display other Boot Sequence choices. Look for C,A or C,A,CDROM.
- Save your changes and exit the BIOS Setup program.
Resetting a BIOS Password
There comes a time in every System Administrator's life when s/he forgets a password. Forgetting a BIOS password that has not been written down somewhere means one of two things: either you won't be able to access the BIOS Setup program any longer to make changes, or—worse—you will not be able to boot the PC.
Fortunately, computer manufacturers have given us a way out. All it takes is a little fortitude. Here's how to do it:
- Find the computer manual. Note: Save time, and leave your ego at your desk. Find the manual and take it with you!
- Collect an anti-static wrist strap and a screwdriver, and head for the computer in question. An anti-static wrist strap is a clever device that painlessly grounds you while you are working on the bowels of the computer. If you are not grounded, a single spark of static electricity could ruin the computer. You can also ground yourself by touching a piece of metal before beginning, but erring on the side of caution and using a wrist strap is best.
- Open the computer, and ground yourself using the anti-static wrist strap.
- Using the manual for reference, locate the method for resetting the BIOS. This can be done in either of two ways.
- Locate the computer's CMOS battery and remove it. It sometimes takes a surpising amount of pull to dislodge it; some also have small metal clips holding them in place that need to be slid out of the way first.
- Some computers don't have a CMOS battery. Their BIOS is reset by moving a jumper (a little piece of plastic that makes a connection between two pieces of metal sticking out from the motherboard) from one position to another and then booting the computer. After the computer is booted this way, the BIOS is reset, but you must remember to replace the jumper back to its original location.
- Boot the computer, and run the BIOS Setup program.
- Reset the password, and this time, write it down and store it in a safe place!
Next: Microsoft Policies