Loading...
Please wait, while we are loading the content...
Similar Documents
Implementing a PC Hardware Configuration (BIOS) Baseline
| Content Provider | Semantic Scholar |
|---|---|
| Author | Fletcher, David R. |
| Copyright Year | 2020 |
| Abstract | High level operating system features such as patch management, full disk encryption, virtualization, and malware protection are increasingly reliant on properly configured Basic Input Output System (BIOS) firmware settings and support. Varying configuration settings complicate the implementation process and subsequent troubleshooting sessions. This paper presents a solution to these issues through implementation of a hardware configuration policy, a BIOS firmware features baseline, and hardware configuration standards. This is accomplished by folding hardware selection and configuration into comprehensive lifecycle, operations, and change management programs to ensure predictable support for required features. To support the development of necessary documentation a survey of typical BIOS firmware configuration options is presented. Security implications for each of these options are explored to identify settings that are both beneficial and detrimental to security. Finally, vendor options and support for BIOS firmware settings automation are explored. Implementing a PC Hardware Configuration (BIOS) Baseline 2 David R. Fletcher Jr, 6fletch9@gmail.com Introduction This paper provides a road map for implementation of the recommended phases identified in NIST SP 800-147, BIOS Protection Guidelines. NIST outlines a five phase process for organizations to follow in order to properly manage BIOS firmware and settings (Cooper, Polk, Regenscheid & Souppaya, 2011). However, they do not identify specific actions that an organization should take as a comprehensive management program nor do they address specific settings that may enhance or weaken overall system security. In an attempt to bridge that gap this paper will provide recommendations to develop a BIOS standardization policy, identify a BIOS baseline, and create BIOS settings standards. The overall goal will be integration of BIOS standardization into existing acquisition, life-cycle management, and operations programs. Vendor automation support for BIOS firmware deployment and settings will also be explored in an effort to streamline the process. This paper is not a panacea and cannot cover all of the various combinations of BIOS settings produced for each manufacturer and model. Examples of features and settings that both enhance and reduce security, functionality, and/or performance will be presented. The intent of these examples is to provoke the reader to investigate the particular makes and models employed in their organization. In addition, the reader is encouraged to research options for each employed BIOS package to define appropriate standards based on baseline features required by the organization. The automation examples presented in this paper are focused on Microsoft Windows operating systems in the enterprise. These systems currently have the largest market share and as such the greatest support for automation. Since the firmware settings are independent of the operating system, the principles presented will still hold true for other operating system software. The greatest limitation for non-Windows systems is available manufacturer support for automation on those specific platforms. Implementing a PC Hardware Configuration (BIOS) Baseline 3 David R. Fletcher Jr., 6fletch9@gmail.com Background NIST SP 800-147 recommends a process for proper BIOS firmware and settings management throughout the life of a computer (Cooper, Polk, Regenscheid & Souppaya, 2011). Other organizations such as the Center for Internet Security (CIS), the Defense Information Services Agency (DISA), and the National Security Agency (NSA) provide comprehensive guidance on hardening network devices and operating systems. In the interest of avoiding duplication of effort, the hardening guides published by the aforementioned organizations were reviewed for BIOS firmware settings recommendations. In the guides reviewed, the most common settings recommendations were restriction of the boot order to the primary operating system drive and that a BIOS administrator password is assigned. This is likely due to the myriad options that are presented as new motherboard and computer makes, models, and features are released. In addition, the intended role of the computer in the organization must be factored into configuration decisions. To understand the impact that BIOS configuration settings have on computer performance and security the role that BIOS firmware plays in a computer's operation must be explored. A computer's motherboard provides boot support and access to low level hardware settings through its BIOS firmware. At the most basic level the BIOS firmware loads device drivers, coordinates hardware self-tests, and prepares the computing environment for execution of an operating system. During this process, user selectable options are interpreted to determine the hardware and features that will be made available to the booting operating system (Mueller, 2013). As computing technology has advanced new features have been made available within the BIOS to support higher level functions which enhance processing capability, security, and increase system flexibility. Many of these settings can be used to protect the computing device and its stored data from malware, theft, and unauthorized access. However, as is usually the case, a small subset of options contradicts sound security practice. The Visible Ops Handbook and Visible Ops Security both advocate strong configuration management to produce a high-performing information technology Implementing a PC Hardware Configuration (BIOS) Baseline 4 David R. Fletcher Jr., 6fletch9@gmail.com organization. Both books employ a four phase approach to improving an organization’s performance. The Visible Ops Handbook deals with Information Technology Infrastructure Library (ITIL) implementation and producing a controlled work environment (Behr, Kim & Spafford, 2005). Visible Ops Security deals with integration of security into daily operations (Kim, Love & Spafford, 2008). Both approaches have key elements that can be used to support implementation of the NIST process. By integrating the phases identified in NIST SP 800-147 into the computing lifecycle an organization will realize benefits in the form of: An added layer in their defense-in-depth strategy Increased availability through reduced configuration variance A predictable operating environment The end goal of this effort is to develop a strategy to manage BIOS firmware settings and versions and to develop supporting documentation. Before this can be accomplished it would be wise to survey the landscape to identify the options and challenges that lie ahead. Evaluating BIOS Settings The first phase of Visible Ops Security suggests that an organization gain awareness of the current situation and integrate into change management (Kim, Love & Spafford, 2008). Evaluation of the current landscape with regard to BIOS firmware settings corresponds to this phase. Standardization would be a very difficult task to undertake without a comprehensive knowledge of the existing landscape. As a result, the implementing organization should evaluate the computer makes and models that have already been deployed (or are likely to be purchased) within their enterprise. This will allow the Change Advisory Board (CAB) to perform research and make informed decisions about the technologies that must be supported and the configuration options that must be evaluated. To illustrate the type of information an organization is likely to encounter examples are presented categorically as Standard, Security Enhancing, Application Supporting, and Potentially Hazardous. Implementing a PC Hardware Configuration (BIOS) Baseline 5 David R. Fletcher Jr., 6fletch9@gmail.com As these options are being evaluated it is important not to lose sight of the context in which the hardware will be employed. For instance, a standard network workstation will have different requirements than a server, a standalone workstation, or a telecommuter workstation. Without proper consideration, the functionality of deployed server platforms may be reduced or a telecommuting worker may be left with degraded capability out of simple oversight. Another issue to consider is determining the level of effort that will be placed into securing the equipment based on this context. Server and desktop BIOS can typically be reset by changing a physical jumper on the motherboard (Mueller, 2013). While a closed case is a deterrent for a normal user this is likely not the case for someone determined to reduce the security posture of the asset. Standard BIOS Settings 1.1.1. BIOS Administrator Password The BIOS administrator password restricts access to the BIOS setup utility. This functionality is also referred to as the supervisor or setup password on some firmware (Mueller, 2013). The BIOS administrator should have a password assigned if there is any hope of maintaining a standard configuration. The CIS, DISA, and NSA hardening guides were in agreement that this setting should be included as a basic operating system hardening step. This password should meet the standard password complexity requirements of the enterprise depending on the support the firmware provides. It is a good idea to test any selected password on a representative sample of computer and firmware combinations prior to implementation. This will ensure that any shortfalls can be addressed as early as possible. Support for password length and character set vary a great deal across manufacturers, makes and models. As such, it may be impossible to enforce long password lengths or use of special characters universally. Another consideration for the BIOS administrator password is how the password will vary across the enterprise. Standardizing the password across functional lines allows lower level administrators to easily manage systems but a single compromise requires a password change for all of th |
| File Format | PDF HTM / HTML |
| Alternate Webpage(s) | https://www.sans.org/reading-room/whitepapers/basics/implementing-pc-hardware-configuration-bios-baseline-34370 |
| Language | English |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Article |
