How safe is my BIOS Power-on Password?

Hi -

A short while ago I learnt that if I transfer my data from an NTFS to a
FAT32 harddrive I lose all my security features on the files.

Since I use a BIOS power-on password to protect the data on my laptop I
am now wondering if there is any point to doing so at all. Could an
unauthorised person not simply access my PC with a bootable Linux CD
such as Knoppix and copy all of my files over to a FAT32 external
drive?

Or will BIOS be smart enough and prevent the evil-doer from doing this?
If yes, how? If no, is there anything else I can do to be safe against
data theft in case of laptop theft?

Thanks in advance for your advice.

Pat


--
pat_mc

R
Fri Mar 28 09:29:06 PDT 2008

BIOS 'Password on Boot' is just a stumbling block, not real protection
against data theft. Even securing documents with a password is again
just something to slow down the determined thief. Unless you want to
go with full disk encryption, maybe just keeping data on a Thumb drive
(Encrypted) is a better choice. But that has the issue of loss, since they
are very easily misplaced.

Laptop drives are easily removed, so if the notebook is stolen the BIOS
password is pointless since it can be mounted in another machine to be
accessible. Windows Vista employs Bit-Locker Encryption and similar
type products are available for Windows XP.

If you do opt for any kind of Encryption make sure you have all the
keys, passcodes and other unlocking mechanisms backed up.



"pat_mc" <p_surname@hotmail.com> wrote in message
news:pat_mc.36zpz6@no-mx.tabletquestions.com...
>
> Hi -
>
> A short while ago I learnt that if I transfer my data from an NTFS to a
> FAT32 harddrive I lose all my security features on the files.
>
> Since I use a BIOS power-on password to protect the data on my laptop I
> am now wondering if there is any point to doing so at all. Could an
> unauthorised person not simply access my PC with a bootable Linux CD
> such as Knoppix and copy all of my files over to a FAT32 external
> drive?
>
> Or will BIOS be smart enough and prevent the evil-doer from doing this?
> If yes, how? If no, is there anything else I can do to be safe against
> data theft in case of laptop theft?
>
> Thanks in advance for your advice.
>
> Pat
>
>
> --
> pat_mc

Pegasus
Fri Mar 28 09:27:41 PDT 2008


"pat_mc" <p_surname@hotmail.com> wrote in message
news:pat_mc.36zpz6@no-mx.tabletquestions.com...
>
> Hi -
>
> A short while ago I learnt that if I transfer my data from an NTFS to a
> FAT32 harddrive I lose all my security features on the files.
>
> Since I use a BIOS power-on password to protect the data on my laptop I
> am now wondering if there is any point to doing so at all. Could an
> unauthorised person not simply access my PC with a bootable Linux CD
> such as Knoppix and copy all of my files over to a FAT32 external
> drive?

Not with a BIOS password. However, it's fairly easy to remove
the hard disk and read its contents on a different machine.

> Or will BIOS be smart enough and prevent the evil-doer from doing this?
> If yes, how? If no, is there anything else I can do to be safe against
> data theft in case of laptop theft?

You have to encrypt your data. No doubt other respondents will
advise you on suitable techniques. Before you go down this path,
make sure that you are fully familiar with the technology. If the
encryption product is worth its salt then you won't be able to
decrypt your data in case something goes wrong - which happens
surprisingly often. Your data would be permanently lost, including
your backups.

> Thanks in advance for your advice.
>
> Pat

Tim
Fri Mar 28 09:40:46 PDT 2008

pat_mc <p_surname@hotmail.com> wrote:

>
>Hi -
>
>A short while ago I learnt that if I transfer my data from an NTFS to a
>FAT32 harddrive I lose all my security features on the files.

That's right, NTFS supports many security features that FAT32 does
not.

>Since I use a BIOS power-on password to protect the data on my laptop I
>am now wondering if there is any point to doing so at all. Could an
>unauthorised person not simply access my PC with a bootable Linux CD
>such as Knoppix and copy all of my files over to a FAT32 external
>drive?

Yes, that's certainly possible.

>Or will BIOS be smart enough and prevent the evil-doer from doing this?
>If yes, how? If no, is there anything else I can do to be safe against
>data theft in case of laptop theft?

There are several products that encrypt the entire disk drive, and
won't kick in unless your machine is properly booted with
userid/password. That would mean an XP userid/password, not the BIOS
userid/password. If a malefactor removed your disk and connected it to
another computer, or used a Knoppix or other boot disk, your drive
would appear as gibberish.

My agency, which is concerned with exactly this scenario, uses
Pointsec. It works, but it does slow things down a bit. Just how much
it slows things down is somewhat debatable.

--
Tim Slattery
MS MVP(Shell/User)
Slattery_T@bls.gov
http://members.cox.net/slatteryt

HEMI-Powered
Fri Mar 28 10:59:48 PDT 2008

pat_mc added these comments in the current discussion du jour ...

> A short while ago I learnt that if I transfer my data from an NTFS
> to a FAT32 harddrive I lose all my security features on the files.
>
> Since I use a BIOS power-on password to protect the data on my
> laptop I am now wondering if there is any point to doing so at
> all. Could an unauthorised person not simply access my PC with a
> bootable Linux CD such as Knoppix and copy all of my files over to
> a FAT32 external drive?
>
> Or will BIOS be smart enough and prevent the evil-doer from doing
> this? If yes, how? If no, is there anything else I can do to be
> safe against data theft in case of laptop theft?
>
If the battery can be removed to powerdown the firmware, then yes,
you'd lose your BIOS password. If you are really concerned about
security, I'd suggest you buy one of the relatively inexpensive
hardware devices that will HW encrypt your HDD and make it impossible
to use even if the PC is stolen and the disk removed. I'm more than a
little out-of-date on this stuff since retiring 6 years ago, but I
believe there are also very effective HW add-ons tha will totally
prevent the use of the PC, but the main thing is to protect the HDD.

--
HP, aka Jerry

"And, that's all I'm going to say about that" - Forrest Gump

smlunatick
Fri Mar 28 11:57:07 PDT 2008

On Mar 28, 11:07=A0am, pat_mc <p_surn...@hotmail.com> wrote:
> Hi -
>
> A short while ago I learnt that if I transfer my data from an NTFS to a
> FAT32 harddrive I lose all my security features on the files.
>
> Since I use a BIOS power-on password to protect the data on my laptop I
> am now wondering if there is any point to doing so at all. Could an
> unauthorised person not =A0simply access my PC with a bootable Linux CD
> such as Knoppix and copy all of my files over to a FAT32 external
> drive?
>
> Or will BIOS be smart enough and prevent the evil-doer from doing this?
> If yes, how? If no, is there anything else I can do to be safe against
> data theft in case of laptop theft?
>
> Thanks in advance for your advice.
>
> Pat
>
> --
> pat_mc

BIOS passwords can easily be reset by removing the CMOS battery. Not
to ever be considered as a security method.

Ken
Fri Mar 28 11:56:15 PDT 2008

On Fri, 28 Mar 2008 16:07:46 +0000, pat_mc <p_surname@hotmail.com>
wrote:

>
> Hi -
>
> A short while ago I learnt that if I transfer my data from an NTFS to a
> FAT32 harddrive I lose all my security features on the files.
>
> Since I use a BIOS power-on password to protect the data on my laptop I
> am now wondering if there is any point to doing so at all. Could an
> unauthorised person not simply access my PC with a bootable Linux CD
> such as Knoppix and copy all of my files over to a FAT32 external
> drive?


No, the BIOS password will prevent the computer from being booted at
all.

However, a BIOS password is an extremely weak form of protection. It
can be readily gotten around by resetting the BIOS, and all that takes
is removing the motherboard battery for a few minutes.

Alternatively, the drive can be removed from the computer and read in
another computer.

A BIOS password can be useful for protection against a casual passerby
who wants to see what's on your computer. It's essentially useless
against a determined invader.


--
Ken Blake, Microsoft MVP - Windows Desktop Experience
Please Reply to the Newsgroup

C
Sat Mar 29 11:08:02 PDT 2008

pat_mc wrote:

>
>Hi -
>
>A short while ago I learnt that if I transfer my data from an NTFS to
>a FAT32 harddrive I lose all my security features on the files.
>
>Since I use a BIOS power-on password to protect the data on my laptop
>I am now wondering if there is any point to doing so at all. Could an
>unauthorised person not simply access my PC with a bootable Linux CD
>such as Knoppix and copy all of my files over to a FAT32 external
>drive?
>
>Or will BIOS be smart enough and prevent the evil-doer from doing
>this? If yes, how? If no, is there anything else I can do to be safe
>against data theft in case of laptop theft?
>
>Thanks in advance for your advice.
>
>Pat

Hi Pat,

I think earlier I saw an article by you on this concept and you were
speaking about a laptop. If that is the case then I would like to clear
up a few points for you.

1) You can not simply pull the CMOS battery on most laptops built in
the last five years to remove the BIOS password. On laptops, the BIOS
password is stored in FlashRAM so losing power doesn't effect it.

2) Most Phoenix BIOS actually have two BIOS passwords levels, one for
the supervisor and one for the user. The supervisor password will allow
you to set boot devices and boot options. On my machine, I have it set
so that the computer will only boot from the hard disk. The 'user'
password can not change the boot devices or boot order if they press
the 'Esc' key during boot, all they are shown is the hard disk.

3) With laptops, the hard disk is normally easy to get to and removed.
Important data should therefore be stored in encrypted containers on
the hard disk. I might add that I do not recommend including all data
in a single data since if the container has a glitch, you could lose
everything.

4) Some newer laptops come with hard disk that can be encrypted. My
dv8100cto has this capability. I tested it and the performance is very
good. The only problem is that if the FlashRAM where the encryption key
is stored get corrupted, you end up with a very pretty paper weight
that looks just like an internal hard disk.

Over-all, I would recommend the use of a good quality encryption
container and a good quality 'external' portable hard disk for your
really important data.

--

Sincerely,
C.Joseph Drayton, Ph.D. AS&T

CSD Computer Services
Web site: http://csdcs.tlerma.com/
E-mail: csdcs@tlerma.com

pat_mc
Sat Mar 29 13:25:26 PDT 2008


I suspect it may be contrary to common practice in a forum to post
final comment to thank respondents. Still, I would like to thank al
those who underwent the effort of sharing their knowledge regarding m
question. I now have a much clearer understanding of the limitations o
my data security.

Thanks for being nice, knowledgeable people out there

--
pat_mc

Doug
Sat Mar 29 15:35:35 PDT 2008

Actually, not at all. A thank you is the only thing the person that answers
you gets in return.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart
Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"pat_mc" <p_surname@hotmail.com> wrote in message
news:pat_mc.371wo8@no-mx.tabletquestions.com...
>
> I suspect it may be contrary to common practice in a forum to post a
> final comment to thank respondents. Still, I would like to thank all
> those who underwent the effort of sharing their knowledge regarding my
> question. I now have a much clearer understanding of the limitations of
> my data security.
>
> Thanks for being nice, knowledgeable people out there!
>
>
> --
> pat_mc