  1. #1
    New Lounger
    Join Date
    Dec 2008
    Location
    California
    Posts
    13
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Boot device menu BIOS

    Hello,

    Does anyone know of a way to remove entries from the boot device menu when you hit F12 on your keyboard? I need to implement this at work for security reasons so no one can boot from a CD-ROM or USB device. I want the CD-ROM and USB entries removed from the boot device menu. See attached picture.

    Note: the PC is a Dell Optiplex 780.

    Things I tried:
    1. Disabled the CD-ROM drive from BIOS and this works; however, when the user logs on there will be no CD-ROM drive showing.
    2. Boot from hard drive as first option, and implement a BIOS password to prevent unauthorized users from booting to the CD-ROM drive or changing the boot order. However, if they reset the BIOS/CMOS jumper then they will be able to gain access to the BIOS again.
    3. Tried using the Dell CCTK tool but it doesn't seem to be removing the CD-ROM entry.
    4. Disabled the F12 and F2 options, but although they don't show up during the POST, you can still hit the F12 key and the boot device menu will show up.

    Out of ideas so I am trying this forum. Thanks in advance.

    Thai
    Last edited by trinh4life; 2012-09-18 at 17:06.

  2. #2
    Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    10,257
    Thanks
    130
    Thanked 1,152 Times in 1,061 Posts
    Doesn't option 2 work?

  3. #3
    New Lounger
    Join Date
    Dec 2008
    Location
    California
    Posts
    13
    Thanks
    2
    Thanked 0 Times in 0 Posts
    I re-edited my post. Option 2 is a workaround but someone can easily reset the BIOS/CMOS jumper and the password would be wiped.

  4. #4
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Ultimately, you also need physical security too: if the user is determined enough to reset the BIOS, they could drop in a different hard drive and try to boot off that.

    If security is critical, lock the case and enable a case-open capture flag in BIOS which is reported to you when the OS loads.

    Another approach to the boot question just occurred to me though: maybe run the machine on a virtual platform. It may be possible with a hypervisor to disable USB/optical boot?
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  5. #5
    New Lounger
    Join Date
    Dec 2008
    Location
    California
    Posts
    13
    Thanks
    2
    Thanked 0 Times in 0 Posts
    We are trying to implement this on all machines in the environment and not just one PC, so that virtual option might be out of the question. There has to be some BIOS software editor that allows me to remove the entry. Here's what I want it to look like when the user hits F12 when booting up. The CD-ROM drive is disabled in the BIOS. How can we get it to look like this without disabling the CD-ROM drive in the BIOS?



    Bootmenu2.jpg

  6. #6
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Originally posted by trinh4life:
    "There has to be some BIOS software editor that allows me to remove the entry."
    Isn't that what the Dell CCTK is meant to do? If it is not working as you expected, then sorry, but there is not a lot anyone here can do. All we can do is suggest workarounds based on the standard BIOS configuration. I think you need support from Dell to fix the Client Config ToolKit.

    Ultimately, if security is meant to be tight, you should question if you actually need USB and optical drives on client machines. These devices are inconsistent with highly secured systems. I don't mean that to be nasty in any way; just respectfully thinking about what your security model requires and how you could implement it.

    For example, if users require the ability to use USB drives or to burn optical disks, you could arrange for them to be able to drop the data onto a ring-fenced network share accessible from a machine outwith the secured zone.

    In an electronics production facility that I worked at in the past, we disabled USB in the BIOS and physically removed opticals. The test patterns were downloaded from a secure server and results were published to a database over the network. I'm not saying that is a solution for you; but if the CCTK doesn't work for you then it may be time to think about your environment.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  7. #7
    New Lounger
    Join Date
    Dec 2008
    Location
    California
    Posts
    13
    Thanks
    2
    Thanked 0 Times in 0 Posts
    I appreciate your suggestions...thank you. I did contact Dell but no resolution came about. I'll keep researching but thanks for your suggestions.

  8. #8
    Star Lounger
    Join Date
    Jan 2010
    Location
    Berwyn Heights, MD
    Posts
    66
    Thanks
    0
    Thanked 4 Times in 4 Posts
    If you are using Windows on a PC, these are your only truly secure options: 1) Lock the case up and burn a new BIOS Chip Set that has all unnecessary boot devices removed from it. 2) Remove the jumper pins for the BIOS Reset from the MB and then password the BIOS entry.

  9. #9
    New Lounger
    Join Date
    Dec 2008
    Location
    California
    Posts
    13
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Mpioso,

    Thanks for your reply. I did some more research and it seems to point to burning a custom BIOS. I have no idea how to do this so I'll be doing more research. Are there tools you recommend to do this or any instructions? This seems like the way to go. Removing the jumper pins sounds like a good idea as well. Thanks again.

  10. #10
    New Lounger
    Join Date
    Dec 2008
    Location
    California
    Posts
    13
    Thanks
    2
    Thanked 0 Times in 0 Posts
    I just wanted to follow up with a final note on this thread I opened. I talked with a Dell engineer and this is what they said from a previous case they had about this issue. The CD-ROM drive will not be able to be removed in the F12 BIOS menu. They said to implement an administrator password in the BIOS so that anyone booting from CD will need to insert a password. So this will have to do. One final note though: on a Dell Optiplex 790 I tested, the CD-ROM entry is removed from the F12 menu with the BIOS admin password, whereas on the Dell 745 and 780 it is not.
