Hardware BIOS Configuration
Boot Options
The following are common security recommendations relating to the configuration of the BIOS for client and server machines. These recommendations are aimed at reducing the ability of unauthorized users to compromise the physical systems. You should refer to the manufacturer's system manuals for each machine for detailed information about the available BIOS settings, as they may vary from machine to machine.
To reduce the risk of unauthorized access to a server or workstation using various forms of bootable media (for example, USB devices, PXE network boot and CD/DVDs), we recommend that you change the permitted boot devices so that only the local disk is enabled.
If the server hardware is running a virtualization platform (such as VMware ESXi), then the local SD card or internal USB port may also need to be enabled to allow the system to boot correctly.
If more than one boot device has been enabled, you should ensure that the boot sequence is correctly configured to give the local disk the highest priority.
If the CD/DVD drive is required and is enabled as a boot device, you should ensure that the boot sequence places the CD/DVD drive at a lower priority than the local disk, to reduce the risk of unauthorized media running upon start-up.
We recommend that you disable one-time boot options from the start-up menu. This provides an additional level of security by preventing users from bypassing the boot sequence defined within the BIOS.
We recommend that you disable “Boot Sequence Retry”. This prevents the system from attempting to retry the boot devices without a power cycle.
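As an added example (not part of the original guidance), the following audit script checks a UEFI-based system's boot sequence against the recommendations above: the local disk must be first, and no USB, PXE or optical entry may remain active. It assumes the firmware exposes its boot entries in the style of `efibootmgr -v` output and works on a constructed sample of that output rather than a live host.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of `efibootmgr -v` output (not from a real host);
# a trailing "*" marks an entry active, BootOrder is the sequence the firmware tries.
SAMPLE = """\
BootOrder: 0002,0001,0000,0003
Boot0000* UEFI: PXE IPv4 Intel(R) Ethernet Connection
Boot0001* ubuntu\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)
Boot0002* UEFI: USB Flash Drive
Boot0003  UEFI: CD/DVD Drive
"""
# Device classes the guide says should not be bootable ahead of the local disk.
REMOVABLE_PATTERNS = {
    "usb": re.compile(r"\bUSB\b", re.I),
    "pxe": re.compile(r"\bPXE\b|\bNetwork\b", re.I),
    "optical": re.compile(r"\b(CD|DVD)\b", re.I),
}

@dataclass
class BootAudit:
    order: list = field(default_factory=list)     # BootOrder ids, first tried first
    entries: dict = field(default_factory=dict)   # id -> (active, label)
    findings: list = field(default_factory=list)  # deviations from the guidance

def classify(label):
    # Anything that matches no removable/network pattern is treated as a local disk.
    for name, pat in REMOVABLE_PATTERNS.items():
        if pat.search(label):
            return name
    return "disk"

def audit_boot_order(text):
    audit = BootAudit()
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            audit.order = line.split(":", 1)[1].strip().split(",")
        m = re.match(r"Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)", line)
        if m:  # keep the human label only; the device path follows a tab
            label = m.group(3).split("\t")[0]
            audit.entries[m.group(1)] = (m.group(2) == "*", label)
    first = audit.order[0] if audit.order else None
    if first is None or classify(audit.entries.get(first, (False, ""))[1]) != "disk":
        audit.findings.append(f"first boot device {first} is not the local disk")
    for bid in audit.order:  # any active USB/PXE/optical entry left in the sequence
        active, label = audit.entries.get(bid, (False, ""))
        kind = classify(label)
        if active and kind != "disk":
            audit.findings.append(f"{kind} boot entry Boot{bid} ({label}) is enabled")
    return audit
```

Against the constructed sample the audit reports three findings (the USB stick is first, and both the USB and PXE entries are still active); an inactive entry such as the CD/DVD drive above is not reported. Vendor management tools (for example, a BMC or a vendor configuration utility) are the place to make the corrections the findings point to.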
Integrated Devices
We recommend that you disable any integrated devices that are not used as part of the default server role. This may include internal USB/SD card devices, PCI slots, PCIe slots, PCI-X slots and network cards.
BIOS Configuration Password Access
The majority of systems provide an option to configure a password to restrict access to the BIOS configuration.
We recommend that you define a suitably complex Setup password to prevent unauthorized changes to the BIOS configuration.
We recommend that you keep a secure record of BIOS setup passwords in the event configuration changes need to be made.
Using a password within this setting prevents unauthorized access to the BIOS configuration (and in some cases the boot menu override) unless the password is correctly entered after each power cycle event.