Boot device menu BIOS
Does anyone know of a way to remove entries from the boot device menu when you hit F12 on your keyboard? I need to implement this at work for security reasons so no one can boot from a CD-ROM or USB device. I want the CD-ROM and USB entries removed from the boot device menu. See attached picture.
Note: the PC is a Dell OptiPlex 780.
Things I tried:
1. Disabled the CD-ROM drive in the BIOS. This works; however, when the user logs on there is no CD-ROM drive showing.
2. Set boot from hard drive as the first option and implemented a BIOS password to prevent unauthorized users from booting to the CD-ROM drive or changing the boot order. However, if they reset the BIOS/CMOS jumper, then they will be able to gain access to the BIOS again.
3. Tried using the Dell CCTK tool, but it doesn't seem to remove the CD-ROM entry.
4. Disabled the F12 and F2 options, but although they don't show up during POST, you can still hit the F12 key and the boot device menu will show up.
Out of ideas so I am trying this forum. Thanks in advance.
I re-edited my post. Option 2 is a workaround, but someone can easily reset the BIOS/CMOS jumper and the password would be wiped.
Ultimately, you also need physical security: if the user is determined enough to reset the BIOS, they could drop in a different hard drive and try booting off that.
If security is critical, lock the case and enable a case-open capture flag in BIOS which is reported to you when the OS loads.
Another approach to the boot question just occurred to me, though: maybe run the machine on a virtual platform. It may be possible with a hypervisor to disable USB/optical boot?
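The case-open reporting suggested above, as an added example that is not code from the thread or from Dell: a startup/logon script that reads the SMBIOS System Enclosure security fields through Win32_SystemEnclosure, decodes the SecurityBreach value, and records anything other than an explicit "No Breach" in the Application event log and (optionally) a CSV on a share. It assumes Windows PowerShell 5.1 (Write-EventLog is not in PowerShell 7), assumes the firmware actually populates the field, and uses a placeholder share path.

```powershell
# Added example (not from the thread): report chassis-intrusion status at
# startup via the SMBIOS Type 3 security fields exposed as Win32_SystemEnclosure.
#
# Assumptions (not stated in the thread):
#  - Windows PowerShell 5.1 (Write-EventLog is not available in PowerShell 7).
#  - The firmware populates SecurityBreach. Many boards report 2/Unknown
#    regardless of the intrusion switch and expose the real flag only through
#    vendor tooling, so "No Breach" here means "nothing reported", not proof
#    that the case was never opened.
#  - \\server\share\intrusion.csv is a placeholder path.

# Value map for Win32_SystemEnclosure.SecurityBreach (inherited from CIM_Chassis)
$SecurityBreachNames = @{
    1 = 'Other'
    2 = 'Unknown'
    3 = 'No Breach'
    4 = 'Breach Attempted'
    5 = 'Breach Successful'
}

function Get-ChassisIntrusionStatus {
    # Returns one object per enclosure record with the raw and decoded value.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    foreach ($e in (Get-CimInstance -ClassName Win32_SystemEnclosure)) {
        $code = if ($null -ne $e.SecurityBreach) { [int]$e.SecurityBreach } else { 0 }
        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            BiosVersion    = $bios.SMBIOSBIOSVersion
            BiosDate       = $bios.ReleaseDate
            SerialNumber   = $e.SerialNumber
            LockPresent    = $e.LockPresent
            SecurityBreach = $code
            BreachText     = if ($SecurityBreachNames.ContainsKey($code)) { $SecurityBreachNames[$code] } else { 'Not reported' }
            # Anything except an explicit "No Breach" is worth a look.
            Alarm          = ($code -ne 3)
            Checked        = (Get-Date).ToString('s')
        }
    }
}

function Write-ChassisIntrusionReport {
    param(
        [Parameter(Mandatory)] $Status,
        [string]$CsvPath = '\\server\share\intrusion.csv',   # placeholder
        [string]$Source  = 'ChassisIntrusionCheck'
    )
    # Register the event source once (needs admin rights; ignore if it already exists).
    try { New-EventLog -LogName Application -Source $Source -ErrorAction Stop } catch {}

    foreach ($s in $Status) {
        $msg  = "Chassis intrusion check on $($s.ComputerName) (S/N $($s.SerialNumber)): " +
                "$($s.BreachText) (code $($s.SecurityBreach)), lock present: $($s.LockPresent), BIOS $($s.BiosVersion)"
        $type = if ($s.SecurityBreach -eq 5) { 'Error' } elseif ($s.Alarm) { 'Warning' } else { 'Information' }
        $id   = 1000 + $s.SecurityBreach
        try {
            Write-EventLog -LogName Application -Source $Source -EntryType $type -EventId $id -Message $msg -ErrorAction Stop
        } catch { Write-Warning "Event log write failed: $_" }
        if ($s.Alarm -and $CsvPath) {
            try { $s | Export-Csv -Path $CsvPath -Append -NoTypeInformation -Encoding UTF8 } catch { Write-Warning "CSV append failed: $_" }
        }
    }
}

$status = Get-ChassisIntrusionStatus
Write-ChassisIntrusionReport -Status $status
$status | Format-Table ComputerName, BreachText, LockPresent, BiosVersion -AutoSize
```

Deploy it as a computer startup script (Group Policy) so it runs before any user logs on, and collect the event ID 1004/1005 entries centrally with whatever log forwarding you already have. Because a CMOS reset normally clears the intrusion-detection setting along with the BIOS password, treat a machine that suddenly reports "Unknown" or "Not reported" after previously reporting "No Breach" as suspicious too, which is why the script records the BIOS version and a timestamp on every run.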
We are trying to implement this on all machines in the environment and not just one PC, so that virtual option might be out of the question. There has to be some BIOS software editor that allows me to remove the entry. Here's what I want it to look like when the user hits F12 when booting up. The CD-ROM drive is disabled in the BIOS. How can we get it to look like this without disabling the CD-ROM drive in the BIOS?
Isn't that what the Dell CCTK is meant to do? If it is not working as you expected, then sorry, but there is not a lot anyone here can do. All we can do is suggest workarounds based on the standard BIOS configuration. I think you need support from Dell to fix the Client Config ToolKit.
Originally Posted by trinh4life
Ultimately, if security is meant to be tight, you should question whether you actually need USB and optical drives on client machines. These devices are inconsistent with highly secured systems. I don't mean that to be nasty in any way; I'm just respectfully thinking about what your security model requires and how you could implement it.
For example, if users require the ability to use USB drives or to burn optical disks, you could arrange for them to be able to drop the data onto a ring-fenced network share accessible from a machine outwith the secured zone.
In an electronics production facility that I worked at in the past, we disabled USB in the BIOS and physically removed the optical drives. The test patterns were downloaded from a secure server and results were published to a database over the network. I'm not saying that is a solution for you; but if the CCTK doesn't work for you, then it may be time to think about your environment.
I appreciate your suggestions...thank you. I did contact Dell but no resolution came about. I'll keep researching but thanks for your suggestions.
If you are using Windows on a PC, these are your only truly secure options: 1) Lock the case up and burn a new BIOS chip that has all unnecessary boot devices removed from it. 2) Remove the jumper pins for the BIOS reset from the motherboard and then password the BIOS entry.
Thanks for your reply. I did some more research and it seems to point to burning a custom BIOS. I have no idea how to do this, so I'll be doing more research. Are there tools you recommend to do this, or any instructions? This seems like the way to go. Removing the jumper pins sounds like a good idea as well. Thanks again.
I just wanted to follow up with a final note on this thread I opened. I talked with a Dell engineer, and this is what they said from a previous case they had about this issue. The CD-ROM drive cannot be removed from the F12 BIOS menu. They said to implement an administrator password in the BIOS so that anyone booting from CD will need to enter a password. So this will have to do. One final note, though: on a Dell OptiPlex 790 I tested, the CD-ROM entry is removed from the F12 menu with a BIOS admin password, whereas on the Dell 745 and 780 it is not.