WEBVTT

1
00:00:00.000 --> 00:00:01.560
<v Instructor>In this lesson, we're going to explore</v>

2
00:00:01.560 --> 00:00:02.730
some of the security features

3
00:00:02.730 --> 00:00:05.100
inside of the BIOS and the UEFI.

4
00:00:05.100 --> 00:00:07.200
In addition to providing protections on our network

5
00:00:07.200 --> 00:00:09.120
and in our operating system environment,

6
00:00:09.120 --> 00:00:10.740
we also need to consider the security

7
00:00:10.740 --> 00:00:13.320
of our pre-operating system environment.

8
00:00:13.320 --> 00:00:14.520
This is the area of the computer

9
00:00:14.520 --> 00:00:16.560
that can be attacked during the bootup phase,

10
00:00:16.560 --> 00:00:18.720
and therefore, the bootloader protections

11
00:00:18.720 --> 00:00:22.290
must be considered, including the BIOS and UEFI passwords,

12
00:00:22.290 --> 00:00:24.900
the secure boot process, and the setting of permissions

13
00:00:24.900 --> 00:00:27.030
on your motherboard's USB ports.

14
00:00:27.030 --> 00:00:29.700
Remember, the BIOS and UEFI are two different types

15
00:00:29.700 --> 00:00:32.430
of firmware that's used in our computers to assist us

16
00:00:32.430 --> 00:00:35.730
during the loading and booting up of our operating system.

17
00:00:35.730 --> 00:00:38.610
Each computer can have either the BIOS or the UEFI in it,

18
00:00:38.610 --> 00:00:39.870
but not both.

19
00:00:39.870 --> 00:00:42.300
The BIOS is the basic input/output system

20
00:00:42.300 --> 00:00:44.880
and it's a firmware interface that initializes hardware

21
00:00:44.880 --> 00:00:47.790
for an operating system in order for it to boot up.

22
00:00:47.790 --> 00:00:49.980
The computers that rely on BIOS are going to use

23
00:00:49.980 --> 00:00:53.550
a master boot record, or MBR, to hold their boot information

24
00:00:53.550 --> 00:00:56.070
and identify the partitions of a given hard drive

25
00:00:56.070 --> 00:00:58.320
that contain the operating system to load.

26
00:00:58.320 --> 00:01:01.980
The BIOS is the older, more legacy type of firmware.

27
00:01:01.980 --> 00:01:04.560
UEFI, or the unified extensible firmware initiative,

28
00:01:04.560 --> 00:01:07.170
on the other hand, is a newer type of firmware.

29
00:01:07.170 --> 00:01:09.660
The UEFI is a type of system firmware that provides support

30
00:01:09.660 --> 00:01:12.690
for 64-bit CPU operations at boot time,

31
00:01:12.690 --> 00:01:15.660
a full graphical user interface and mouse operations at boot

32
00:01:15.660 --> 00:01:17.520
and better boot security.

33
00:01:17.520 --> 00:01:19.920
Computers that rely on UEFI are going to use a GUID

34
00:01:19.920 --> 00:01:24.120
partition table known as GPT to hold their boot information.

35
00:01:24.120 --> 00:01:26.160
UEFI provides the ability to access and boot

36
00:01:26.160 --> 00:01:28.740
from disks over two terabytes in size and provides

37
00:01:28.740 --> 00:01:31.470
CPU-independent architecture and drivers,

38
00:01:31.470 --> 00:01:33.960
as well as a pre-OS environment that can include

39
00:01:33.960 --> 00:01:36.840
network capability and web browsing access.

40
00:01:36.840 --> 00:01:39.900
Overall, UEFI is newer and more advanced than BIOS

41
00:01:39.900 --> 00:01:42.150
and provides additional security and integrity checks

42
00:01:42.150 --> 00:01:45.540
during the boot process, including secure boot.

43
00:01:45.540 --> 00:01:48.270
Now, the BIOS and UEFI can be protected

44
00:01:48.270 --> 00:01:50.700
using a few different types of passwords, too.

45
00:01:50.700 --> 00:01:52.740
This includes the supervisor, administrator,

46
00:01:52.740 --> 00:01:56.010
or setup password, the user or system password,

47
00:01:56.010 --> 00:01:58.470
and the storage or hard drive password.

48
00:01:58.470 --> 00:02:00.930
The supervisor, administrator, or setup password

49
00:02:00.930 --> 00:02:03.180
is the first type of password that you're going to find

50
00:02:03.180 --> 00:02:05.400
when you're using the BIOS or UEFI.

51
00:02:05.400 --> 00:02:07.470
This password is used to protect the access

52
00:02:07.470 --> 00:02:10.050
to the BIOS or UEFI configuration program

53
00:02:10.050 --> 00:02:12.090
and prevents unauthorized users from accessing

54
00:02:12.090 --> 00:02:14.220
this sensitive configuration tool.

55
00:02:14.220 --> 00:02:17.190
If you set this password up, anytime somebody tries to enter

56
00:02:17.190 --> 00:02:19.890
the BIOS or UEFI, it's going to require them to enter

57
00:02:19.890 --> 00:02:22.170
the password prior to granting access,

58
00:02:22.170 --> 00:02:25.410
but it won't prevent somebody from powering on the computer

59
00:02:25.410 --> 00:02:28.710
and booting up into the normal operating system environment.

60
00:02:28.710 --> 00:02:31.590
This password is almost always going to be set up on computers

61
00:02:31.590 --> 00:02:33.570
in a corporate or enterprise network

62
00:02:33.570 --> 00:02:36.870
so that your end users can't access the BIOS or UEFI

63
00:02:36.870 --> 00:02:39.360
but your system administrators and technicians can

64
00:02:39.360 --> 00:02:41.550
if they have the right password.

65
00:02:41.550 --> 00:02:43.830
The user or system password is the second type

66
00:02:43.830 --> 00:02:47.430
of password that can be configured in the BIOS or UEFI.

67
00:02:47.430 --> 00:02:51.270
This password is used to lock access to the entire computer.

68
00:02:51.270 --> 00:02:53.100
Whenever the computer is powered on,

69
00:02:53.100 --> 00:02:55.530
it's going to stop and ask for a password.

70
00:02:55.530 --> 00:02:58.380
If the end user enters the correct password, the computer's

71
00:02:58.380 --> 00:03:01.320
going to continue to load the operating system and boot up.

72
00:03:01.320 --> 00:03:04.170
While this is a very secure method of protecting a computer,

73
00:03:04.170 --> 00:03:07.380
it's almost never used in corporate or enterprise networks,

74
00:03:07.380 --> 00:03:09.300
because this password would have to be shared

75
00:03:09.300 --> 00:03:12.120
with all the users who access that computer,

76
00:03:12.120 --> 00:03:14.700
and this shared password then negates some of that security

77
00:03:14.700 --> 00:03:16.170
that we're trying to gain.

78
00:03:16.170 --> 00:03:19.290
Instead, you're usually going to see a user or system password

79
00:03:19.290 --> 00:03:21.090
used only on somebody's computer

80
00:03:21.090 --> 00:03:23.160
when they're the only user on it.

81
00:03:23.160 --> 00:03:25.200
This is a separate and different password

82
00:03:25.200 --> 00:03:27.000
than the user password that's going to be used

83
00:03:27.000 --> 00:03:30.570
to access Windows, Linux or the macOS system,

84
00:03:30.570 --> 00:03:33.000
and instead grants the user access to the system

85
00:03:33.000 --> 00:03:35.820
in that pre-operating system environment.

86
00:03:35.820 --> 00:03:38.130
The third type of password is known as a storage

87
00:03:38.130 --> 00:03:40.050
or hard drive password.

88
00:03:40.050 --> 00:03:42.240
This type of password used to be very popular

89
00:03:42.240 --> 00:03:45.000
prior to the inclusion of the trusted platform module

90
00:03:45.000 --> 00:03:48.180
or hardware security module in modern computers.

91
00:03:48.180 --> 00:03:50.550
This password would lock access to a hard drive

92
00:03:50.550 --> 00:03:53.280
that's connected to a system and would require the end user

93
00:03:53.280 --> 00:03:55.680
to enter the password in order for that hard disk

94
00:03:55.680 --> 00:03:58.530
to be read from and the operating system loaded.

95
00:03:58.530 --> 00:04:01.290
Unlike that user or system password that locks the user

96
00:04:01.290 --> 00:04:03.420
out of the entire system until the proper password

97
00:04:03.420 --> 00:04:05.820
is entered, the storage or hard drive password

98
00:04:05.820 --> 00:04:07.710
will only lock them out of the hard drive

99
00:04:07.710 --> 00:04:10.769
and the ability to boot that operating system from it.

100
00:04:10.769 --> 00:04:12.840
The next security feature we need to cover

101
00:04:12.840 --> 00:04:14.550
is known as secure boot.

102
00:04:14.550 --> 00:04:17.130
Secure boot can be enabled in the UEFI interface

103
00:04:17.130 --> 00:04:20.370
and settings and is not supported by BIOS.

104
00:04:20.370 --> 00:04:23.310
If enabled, it's going to perform three different verifications

105
00:04:23.310 --> 00:04:25.620
during the bootup process for Windows or other

106
00:04:25.620 --> 00:04:28.680
operating systems that support this capability in order

107
00:04:28.680 --> 00:04:31.350
to ensure the computer has not been hijacked by some kind

108
00:04:31.350 --> 00:04:34.590
of malicious code injected into the operating system.

109
00:04:34.590 --> 00:04:36.630
Let's take a look at the full bootup process

110
00:04:36.630 --> 00:04:38.550
on a normal Windows system.

111
00:04:38.550 --> 00:04:41.100
The first step of the process occurs when a Windows computer

112
00:04:41.100 --> 00:04:43.950
is starting up, the firmware boot components are loaded,

113
00:04:43.950 --> 00:04:45.870
and the boot manager is started.

114
00:04:45.870 --> 00:04:48.120
Next, the Windows loader is going to begin,

115
00:04:48.120 --> 00:04:49.830
the Windows kernel is going to be started,

116
00:04:49.830 --> 00:04:51.720
and the boot critical driver installations

117
00:04:51.720 --> 00:04:53.130
are going to occur.

118
00:04:53.130 --> 00:04:55.710
Now, any additional operating system initializations

119
00:04:55.710 --> 00:04:58.320
are going to happen, and finally, the user is presented

120
00:04:58.320 --> 00:05:00.420
with the Windows login screen.

121
00:05:00.420 --> 00:05:02.610
Now, when the firmware boot components are loaded

122
00:05:02.610 --> 00:05:05.430
during a secure boot, the firmware is first going to verify

123
00:05:05.430 --> 00:05:09.030
that all the UEFI executable files and the OS loader itself

124
00:05:09.030 --> 00:05:11.130
have their integrity intact and they haven't been

125
00:05:11.130 --> 00:05:13.320
compromised by any kind of malware.

126
00:05:13.320 --> 00:05:15.810
This means they're going to be safe to load up.

127
00:05:15.810 --> 00:05:18.300
Next, the Windows boot components are going to verify

128
00:05:18.300 --> 00:05:20.370
the digital signature of each component

129
00:05:20.370 --> 00:05:21.750
prior to loading them.

130
00:05:21.750 --> 00:05:23.910
If any component fails this signature check,

131
00:05:23.910 --> 00:05:26.100
it's not going to load and it's going to trigger an alert

132
00:05:26.100 --> 00:05:27.450
to the end user.

133
00:05:27.450 --> 00:05:30.060
Finally, the boot critical drivers are going to be checked

134
00:05:30.060 --> 00:05:32.490
against their known good hashes, and if they pass

135
00:05:32.490 --> 00:05:35.160
this check, they're going to be loaded up as the final part

136
00:05:35.160 --> 00:05:37.110
of the secure boot process.

137
00:05:37.110 --> 00:05:39.780
Now, when it comes to secure boot, I want you to remember

138
00:05:39.780 --> 00:05:42.210
that this is a procedure that's going to be used to ensure

139
00:05:42.210 --> 00:05:45.060
that our operating system itself can be trusted

140
00:05:45.060 --> 00:05:47.820
and it's not fallen victim to a special type of malware

141
00:05:47.820 --> 00:05:49.410
known as a rootkit.

142
00:05:49.410 --> 00:05:51.690
For secure boot to work, it has to be enabled

143
00:05:51.690 --> 00:05:54.750
inside of your UEFI system, and your operating system

144
00:05:54.750 --> 00:05:56.670
also has to support it.

145
00:05:56.670 --> 00:05:59.070
The final security feature we need to cover within the BIOS

146
00:05:59.070 --> 00:06:01.950
or UEFI is setting up permissions for your USB ports

147
00:06:01.950 --> 00:06:03.300
on your motherboard.

148
00:06:03.300 --> 00:06:06.090
Now, most modern systems can be configured to enable

149
00:06:06.090 --> 00:06:08.700
or disable the USB ports on your motherboard,

150
00:06:08.700 --> 00:06:11.700
and some will even allow you to restrict the USB ports

151
00:06:11.700 --> 00:06:13.380
so that they're not going to support certain types

152
00:06:13.380 --> 00:06:16.590
of USB devices while still allowing others to be used.

153
00:06:16.590 --> 00:06:18.660
Now, the big concern here is normally going to be

154
00:06:18.660 --> 00:06:20.940
with malware and data loss.

155
00:06:20.940 --> 00:06:24.120
In terms of malware, USB ports can provide a great avenue

156
00:06:24.120 --> 00:06:25.560
of attack for somebody who's trying

157
00:06:25.560 --> 00:06:27.270
to break into your system.

158
00:06:27.270 --> 00:06:29.700
For example, if I load up a USB thumb drive

159
00:06:29.700 --> 00:06:32.370
with some malware, I can drop it in a parking lot

160
00:06:32.370 --> 00:06:34.950
outside of an office building, and if somebody's curious

161
00:06:34.950 --> 00:06:37.050
and picks it up and plugs it into their machine,

162
00:06:37.050 --> 00:06:39.900
that can then install malware onto your systems.

163
00:06:39.900 --> 00:06:42.810
So we want to prevent this by disabling the ability

164
00:06:42.810 --> 00:06:46.320
of USB to read and write from mass storage devices.

165
00:06:46.320 --> 00:06:49.110
You can do this by either blocking USB altogether,

166
00:06:49.110 --> 00:06:51.630
but then you wouldn't be able to use things like headphones

167
00:06:51.630 --> 00:06:55.050
and webcams, mice and keyboards, and things like that.

168
00:06:55.050 --> 00:06:58.020
So instead, we might want to just restrict the ability

169
00:06:58.020 --> 00:07:01.020
to use them as mass storage devices, and this would prevent

170
00:07:01.020 --> 00:07:03.630
anything like USB thumb drives or flash drives

171
00:07:03.630 --> 00:07:06.870
or external hard drives from being connected to the system.

172
00:07:06.870 --> 00:07:08.250
This can help us to prevent malware

173
00:07:08.250 --> 00:07:10.110
from being introduced into our system.

174
00:07:10.110 --> 00:07:13.020
But in addition to that, it also could help us prevent data

175
00:07:13.020 --> 00:07:14.880
from getting out of our system.

176
00:07:14.880 --> 00:07:17.280
For example, let's say you work for a top secret

177
00:07:17.280 --> 00:07:19.110
organization within the government.

178
00:07:19.110 --> 00:07:20.760
You wouldn't want somebody to be able to walk in

179
00:07:20.760 --> 00:07:23.700
with a small USB thumb drive, plug it into the computer,

180
00:07:23.700 --> 00:07:25.560
and download all of your information

181
00:07:25.560 --> 00:07:27.540
and then walk out the front door with it.

182
00:07:27.540 --> 00:07:30.960
So to prevent this, you can actually configure your UEFI

183
00:07:30.960 --> 00:07:34.560
to block those USB ports or to prevent them from being used

184
00:07:34.560 --> 00:07:37.830
for mass storage devices, and again, blocking the ability

185
00:07:37.830 --> 00:07:40.650
to use thumb drives and external hard drives,

186
00:07:40.650 --> 00:07:42.540
which will make it so that people can't walk out

187
00:07:42.540 --> 00:07:45.120
the front door with your critical information.

188
00:07:45.120 --> 00:07:48.180
So remember, when it comes to security, there's three

189
00:07:48.180 --> 00:07:51.270
main things that your BIOS or UEFI can provide you with.

190
00:07:51.270 --> 00:07:54.060
The first is the ability to set passwords to control

191
00:07:54.060 --> 00:07:56.910
different access to different parts of your system.

192
00:07:56.910 --> 00:07:59.280
The second is the ability to enable secure boot

193
00:07:59.280 --> 00:08:01.770
to ensure your operating system has not been compromised

194
00:08:01.770 --> 00:08:03.180
prior to loading it.

195
00:08:03.180 --> 00:08:07.050
And third is the ability to restrict or disable USB ports

196
00:08:07.050 --> 00:08:08.850
on your motherboard to prevent malware

197
00:08:08.850 --> 00:08:10.380
from being introduced into the system,

198
00:08:10.380 --> 00:08:13.083
or data from being exfiltrated from your system.

