Big Security Risk with F8 Boot Menu.

Discussion in 'Asus' started by gg, Sep 14, 2006.

  1. gg

    gg Guest

    Hi all, I recently purchase a Asus motherboard model M2NPV-MX and
    updated to the latest BIOS. Do note that this problem could also apply
    to other motherboard model.

    My organization is planning to put this computer in a public area and
    security is paramount to us. I discover that by pressing the F8 key, a
    menu will appear allowing me to choose which boot device I want to boot
    from. The problem is that any user can come physically near the computer
    and plug a USB pen drive at the back of the computer, restart the
    computer, press the F8 key and boot from the USB (without password
    validation). Once successful, the user can then run programs to steal
    data, format the hard disk, etc...

    The BIOS password and the user password is in place, However the
    password is only required when entering the BIOS setup menu. Having the
    computer requiring a password every time is started is NOT suitable.

    In most circumstances, having the F8 option is great as it allow a
    convenient way to select which device I want to boot from. However in my
    circumstances, I want to DISABLE this feature or at least have password
    validation required to access it.

    I have look into the Bios without any success. Please help me. Thanks!
     
    gg, Sep 14, 2006
    #1
    1. Advertisements

  2. gg

    Jerry Guest

    <snip>

    Why does the case (or at least it's ports) need to be physically
    accessible to the public, surely if the computer it's self was locked
    into a suitably secure and ventilated enclosure there would not be
    the above risk or theft?
     
    Jerry, Sep 14, 2006
    #2
    1. Advertisements

  3. gg

    gg Guest

    Problem is putting the computer in a special enclosure will involve more
    money, was hoping to alternative solution.
     
    gg, Sep 14, 2006
    #3
  4. How much would it cost for the computer to be stolen? If you`re not able to
    stop someone plugging a USB drive into it, then you won`t be able to stop
    someone grabbing it and running off. Surely this would be just as big a
    security risk, and more expensive to boot.
     
    Simon Finnigan, Sep 14, 2006
    #4
  5. gg

    Craig Sutton Guest

    Open the case and disconnect the USB header cable
     
    Craig Sutton, Sep 14, 2006
    #5
  6. gg

    Jerry Guest

    How would you do that when USB headers on built into the mainboard, I
    suppose it would be possible to disable them in BIOS but that might
    not stop someone resetting them and it would also mean that wanted
    USB peripherals will not work.
     
    Jerry, Sep 14, 2006
    #6
  7. Can you disable the USB ports in the BIOS?

    -Philip
     
    Philip Wright, Sep 14, 2006
    #7
  8. As one of my instructors used to say "If you can touch
    the case then it is not secure.". If someone has the time
    and opportunity to plug in an unauthorized USB device and
    reboot the computer they would also have time to open the
    case and reset the CMOS (and passwords). You might try USB
    port locks (hardware) if you don't need any USB ports.

    -Philip
     
    Philip Wright, Sep 14, 2006
    #8
  9. gg

    Bill Guest

    <nsip>

    Turn off the USB ports in the bios; then password the bios.
    Don't use an easy password.

    Bill
     
    Bill, Sep 14, 2006
    #9
  10. gg

    Geoff Guest

    My a8v does not work that way. After the post, the next thing asked for is
    the password.

    However, if someone really wanted to break in, there are so many ways to do
    it, it is silly.

    Back when tech tv was worth watching, they showed some of the methods. One
    was a tiny buffer that goes between the keyboard connector and the computer.
    Records everything you type, including passwords, etc.

    -g
     
    Geoff, Sep 15, 2006
    #10
  11. gg

    Kyle Guest

    Pry the F8 key cap off the keyboard. Better yet, open the keyboard
    case up and either cut the runners to the f8 key or unsolder the
    switch and remove it. I note that cutting the runners might be a bit
    more technical since one could cut the wrong runners, so be careful if
    you try that approach.

    --
    Best regards,
    Kyle
    | Problem is putting the computer in a special enclosure will involve
    more
    | money, was hoping to alternative solution.
    |
    | Jerry wrote:
    | >> My organization is planning to put this computer in a public area
    | > and
    | >> security is paramount to us. I discover that by pressing the F8
    | > key, a
    | >> menu will appear allowing me to choose which boot device I want
    to
    | > boot
    | >> from.
    | > <snip>
    | >
    | > Why does the case (or at least it's ports) need to be physically
    | > accessible to the public, surely if the computer it's self was
    locked
    | > into a suitably secure and ventilated enclosure there would not be
    | > the above risk or theft?
    | >
    | >
     
    Kyle, Sep 15, 2006
    #11
  12. gg

    Jerry Guest

    How would that stop someone swapping keyboards?...
     
    Jerry, Sep 15, 2006
    #12
  13. Chances are, your BIOS has two password levels. SUPERVISOR and USER.

    Enter your SUPERVISOR password to protect the BIOS.

    Set USER ACCESS LEVEL to NO ACCESS, no password is necessary, save and exit.
     
    Robert Sudbury, Sep 15, 2006
    #13
  14. gg

    gg Guest

    Thanks for all of the suggestion, disabling the USB device is not
    suitable because I need the USB for some device.

    I was hoping Asus BIOS programmer will take note of this and help me
    program a new BIOS version that will allow me to disable the feature.

    I try it on various other motherboard manufacturer and all of them
    either ask for a password (if you set a bios password) or allow you to
    disable USB mass storage device support. Only Asus allow such an easy
    way to boot from any device without regards to security, I can’t believe
    Asus actually overlook this.

    Can you tell me how to contact Asus BIOS programmer, because I doubt
    calling Asus technical support will help.
     
    gg, Sep 18, 2006
    #14
  15. If you've protected your BIOS with a SUPERVISOR password, then the USER
    access to the BIOS is enabled with a blank password. F8 boot time menu is
    now available.

    Setting a password for USER access to the BIOS still leaves the F8
    temptation. The easiest thing to do is simply set the BIOS USER access
    level to NO ACCESS, then F8 goes bye bye.
     
    Robert Sudbury, Sep 18, 2006
    #15
  16. gg

    Jerry Guest

    What the OP is attempting to build is a 'Kiosk' system, non of these
    systems that I've ever seen allow access to the physical case, if one
    has an unsupervised system case there will be nothing for someone who
    want to do harm from opening it and resetting the CLRTC.
     
    Jerry, Sep 18, 2006
    #16
  17. True, but his immediate desire and the point of the ^^^ header up there, is
    to remove the F8 boot menu option. This'll do that.
     
    Robert Sudbury, Sep 18, 2006
    #17
  18. gg

    tcsenter Guest

    The answer posted to your thread at Anandtech Forums:

    [begin quote]"Disable detection/support for those boot media you do not
    wish to show up in that menu. For USB drives and sticks, disable USB
    Mass Storage support, and they won't show up in that boot popup menu
    anymore either."[end quote]

    You should have purchased an OEM motherboard marketed towards corporate
    and business PCs, not a retail motherboard aimed at consumer market
    multimedia PCs.

    Intel has several offerings in this area with support for Intel's BIOS
    customizer that allows system builders and integrators to
    enable/disable or hide access to numerous settings and options, as do
    some industrial PC (IPC) motherboards.

    Pick the right tool for the job or perhaps you should leave these
    decisions to someone who knows how to.
     
    tcsenter, Sep 18, 2006
    #18
  19. gg

    Jerry Guest

    Ouch!
     
    Jerry, Sep 18, 2006
    #19
  20. gg

    asdf Guest

    In the bios can't you disable the boot from USB! I don't have this
    mobo, but it seems like many new computers allow you to remove the boot
    from option.
     
    asdf, Sep 19, 2006
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.