5 Tips to Help Tighten your Security Using BIOS/UEFI

In the olden days of PC’s, BIOS or “Basic Input-Output System” was something only the nerdy computer geeks were aware of, and the typical user never really went in there, or ran any kind of updates for it, unless explicitly instructed to by a support professional. Usually getting into BIOS is achieved by pressing “Delete,” “F1” or maybe some other “F-key” upon booting the machine, prior to seeing the Windows splash screen.

OK, maybe it’s still pretty much like that today, even though BIOS has since been replaced by the more secure UEFI (Unified Extensible Firmware Interface).  But, I hope that we can change these old stereotypes and get more people interested in how their devices actually work, because there are some important settings hidden in here that users should be aware of. Let’s examine a few things you can do with the UEFI to further secure your device.

1. Updates – UEFI is just another operating system, basically, running underneath Windows (or whatever OS you prefer). You can usually find the latest updates on the manufacturer’s website under the Drivers/Downloads section. Note that sometimes UEFI is still referred to as BIOS, even though this is technically incorrect. If you’re like me and have a Surface product by Microsoft, updates to UEFI will come through Windows Update.

2. Disable unneeded stuff – Do you actually use your device’s webcam &/or microphone? How about FireWire (1394)? Do you have a laptop with a PCMCIA or ExpressCard, but have never used it? All of these “capabilities” represent corresponding vulnerabilities on your device. Feel free to disable anything you aren’t using and reduce your attack surface–it is usually possible to do so through the BIOS/UEFI settings.

3. Enable TPM – The Trusted Platform Module (TPM) is available on many modern devices (and in some cases it will be on by default–but it’s worth checking).  This little chip is super important, as it stores cryptographic information specific to your device, which is used for special security functions like enabling encryption via BitLocker, authentication with Windows Hello, and more!

4. Pre-boot password – If you’re extra paranoid, and want to add another password to your device, which is required before Windows even begins to load, then you can use a pre-boot password. Sometimes this will be called a “System” password or “HDD” or “Hard disk” password. You can also add a password to the BIOS/UEFI itself (this is usually different from the pre-boot password).

5. SecureBoot – If this option is available for your Windows device, then you should enable it (many modern devices will have it enabled by default). Full disclosure, even SecureBoot has a known flaw that allows attackers to bypass its protections if they gain physical access to the device, but that doesn’t mean you should ignore it. Essentially SecureBoot is a chain of trust that ties the Operating System (Windows) back to the firmware / UEFI, and that trust prevents certain malware (bootkits, rootkits, etc.) from loading non-OS components under the hood before Windows can notice.