Windows 8 Why is BIOS insecure on new Windows 8 laptop?

flroots

New Member
Joined
Nov 29, 2012
I just received my new Dell Inspiron 15R-5520 64 bit laptop running Windows 8. It came with a new BIOS that supports both UEFI and Legacy. Compared to the BIOS on my old Dell Inspiron laptop it seems very insecure. I'm referring to access to the boot order. In my old BIOS I could set a password which was necessary for changing the boot order and either enabling or disabling devices within the boot list. Thus one could select the HDD and disable all other devices such as CD/DVD and Flashdrives. The new BIOS includes passwords as well, but they don't restrict access to the boot order and there doesn't seem to be any way to disable devices from the boot list. In the case that my laptop is stolen it's nice to prevent the thief from quickly booting off a CD or flashdrive and accessing all my files, etc. Can anyone explain why the new BIOS removed this seemingly important security feature?
Pete
 
The BIOS doesn't change for Windows 8, the BIOS is still the BIOS, unless you've updated it. Can you show us a screenshot of what you're talking about?

Perhaps the bootmgr changed, but not much from that.
 
Thanks. I wasn't suggesting that the BIOS changed because of Windows 8. It changed because this new technology called UEFI has been incorporated into it. As mentioned, it seems to have lost the security features of the BIOS on my last Dell Inspiron. I was wondering why they removed what I considered an important security feature?
Pete
PS I'm not sure how to do a screenshot while in the BIOS
 
If this is true (I haven't gone to look), it appears that this is not the only bad thing about UEFI...

New vicious UEFI bootkit vuln found for Windows 8 • The Register

It seems it's child's play on the security front on many other aspects.
Thanks. I've now managed to do a clean install of both Windows 7 and 8 to UEFI/GPT partitions on my new Dell Inspiron 15R-5520 laptop. I've confirmed that the new UEFI BIOS is very insecure. One can simply press F12 during boot up and change boot order to any of the following without having to enter my set password:
a. UEFI with secure boot
b. UEFI without secure boot
c. Legacy without secure boot
As mentioned above, this would have been impossible with my older Dell Inspiron. Also, Windows 7 won't boot with secure boot since the BIOS doesn't recognize it. It will boot with UEFI without secure boot. Also, your referenced article doesn't inspire confidence either.
Pete
 
Let's go at this from another direction. On most Dell Laptops, you never really get into the bios, but only their bios setup utility. But when you enter a password which will lock access to the bios setup, what exactly does that do?

You mention being able to boot from a CD and access your system. On my system, you can disable the DVD drive as a boot device. Once you do that, will it still boot to an MBR DVD? On UEFI systems, removing the UEFI media may remove the entry in the bios and thereby remove any lockout. Is that happening?

But on my system, the options to boot with a type of boot are not included in a Boot Device Menu. That option is set on the boot page and should not be accessible without using an F2 key during boot and a password. But I do not have your computer so I cannot check.

A secure boot condition for Windows 8 needs to have specific conditions fulfilled. You will not be able to boot to Windows 7 if you turn on secure boot for Windows 8, at least on my system you can't. I will assume that your new laptop was able to perform secure boots when you received it.

I have no way of knowing why Dell set up their systems the way they did. One factor might have been to achieve usability by the user and a desire to have a system that would not completely lock out the normal user. Hard drives can be removed from systems and read by other systems, so perhaps some security steps may not be worth the possible downside.
 
Thanks. I have set the admin password and that prevents me from changing certain parameters without entering the password. On the other hand, I can change the boot order, change from UEFI to Legacy and back, etc., all without entering the password. The BIOS on my old Dell Inspiron would prevent any changes to boot order and enabling or disabling any bootable device without first entering the password. I can't imagine why that security feature was not carried forward to the newer UEFI/Legacy BIOS.

I can boot Windows 8 in UEFI mode with secure boot since the signature for that OS is recorded in BIOS. I must boot Windows 7 in UEFI without secure boot since no signature exists for that OS. BTW, the security feature that should have been included wouldn't have reduced usability since the owner has the option to set a password or not. Prior to entering the password, all changes should be prevented IMHO.
Pete
 
I think what I am getting at is the problem seems to lie in the Utility Dell gives you to change the Bios. I cannot get into my bios to change anything without a password. I can get a boot device menu, but there is no option for changing the type of boot, just the boot device.

Is there anything in the Dell interface that would allow you to hide certain options so as to make them not accessible without a password?
 
Thanks. As explained, everything related to boot order and selection of boot devices can be changed without entering any password, i.e., totally insecure. So far, I've received no explanation why they would choose to remove this level of security.
Pete
 