HP D330 HP Business Desktop BIOS - Page 11

the user DriveLock password, if it is forgotten. Otherwise, the drive is rendered useless and all data will be lost.

As a convenience to the user, the DriveLock password and power-on passwords (or smart card credentials) can be set to match. In this case, the BIOS will use the power-on password or smart card credential to unlock the drive for the user without additional prompts. For the sake of security, there is no copy of the DriveLock password permanently stored in any fashion in the BIOS. Of course, if the power-on password and DriveLock passwords are set to match, then an encrypted version of the DriveLock password is contained in the BIOS, since the power-on password is stored in the BIOS flash memory. For this reason some users may choose to make their DriveLock password different from the power-on password.
Smart cards
Using smart cards for user or administrator preboot authentication provides one of two benefits: ease of use or multifactor authentication. In addition, the same smart card can hold OS user credentials. If the administrator has enabled the use of smart cards in BIOS setup, the smart card will replace the typed-in passwords. BIOS administrator authentication and user authentication are handled with two separate smart cards: the user smart card and the administrator smart card. If smart cards are enabled, the administrator smart card must be enabled first. After enabling the administrator smart card, enabling the user smart card is optional.

When enabling the smart cards, the administrator has the choice of enabling multifactor authentication, which requires a PIN (Personal Identification Number, a 4 to 10 digit number required to enable smart card access), or single-factor authentication, which does not require a PIN. Single-factor authentication is more convenient (it only requires possession of the card), while multifactor authentication is more secure (it requires possession of the card and knowledge of the PIN). If single-factor authentication is selected, the smart card could be stolen and an unauthorized person might gain access to the machine.
Each smart card holds a BIOS pass phrase as its credential. This BIOS pass phrase is a string of up to 32 characters. This pass phrase can be chosen by the administrator, or a random 32-byte value can be generated by the smart card tools. The administrator may configure the computer so that the DriveLock passwords are established by using the smart card pass phrases. In this case, the smart card pass phrase will automatically be used to unlock the drive during startup.
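The preboot flow described in the DriveLock and smart card paragraphs above, modelled as an added Python example. This is a constructed illustration, not HP firmware code: the names SmartCard, BiosConfig, Attempt and preboot_authenticate are assumptions, the 32-character random pass phrase stands in for the 32-byte value the smart card tools generate, and a constant-time comparison of the presented credential against the configured one stands in for whatever the BIOS does with its encrypted copy. The model reproduces the consequences the text states: under single-factor authentication the card alone unlocks the machine, under multifactor authentication a wrong PIN is refused, a DriveLock password matching the power-on credential is used without an additional prompt, and a different DriveLock password adds a prompt that must be answered.

```python
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional

PASSPHRASE_ALPHABET = string.ascii_letters + string.digits


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison (stand-in for the BIOS's own check)."""
    return hmac.compare_digest(a.encode(), b.encode())


def valid_pin(pin: str) -> bool:
    """PIN as described on the page: 4 to 10 digits."""
    return pin.isdigit() and 4 <= len(pin) <= 10


def generate_card_passphrase(length: int = 32) -> str:
    """Random BIOS pass phrase for a card (at most 32 characters per the page).
    Constructed stand-in for the random value produced by the smart card tools."""
    if not 1 <= length <= 32:
        raise ValueError("BIOS pass phrase is at most 32 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


@dataclass
class SmartCard:
    passphrase: str  # the BIOS pass phrase held on the card
    pin: str         # 4 to 10 digits, only checked in multifactor mode

    def __post_init__(self) -> None:
        if len(self.passphrase) > 32:
            raise ValueError("BIOS pass phrase is at most 32 characters")
        if not valid_pin(self.pin):
            raise ValueError("PIN must be 4 to 10 digits")

    def release_credential(self, multifactor: bool, pin_entered: Optional[str]) -> Optional[str]:
        """Single-factor: possession of the card is enough.
        Multifactor: the card releases its pass phrase only for the right PIN."""
        if not multifactor:
            return self.passphrase
        if pin_entered is not None and _eq(pin_entered, self.pin):
            return self.passphrase
        return None


@dataclass
class BiosConfig:
    smart_card_enabled: bool
    multifactor: bool
    power_on_credential: str                  # typed password, or the card pass phrase
    drivelock_password: Optional[str] = None  # None means DriveLock is not set


@dataclass
class Attempt:
    """What is presented at the preboot prompts (constructed test input)."""
    typed_password: Optional[str] = None
    card: Optional[SmartCard] = None
    pin: Optional[str] = None
    drivelock_answer: Optional[str] = None


def preboot_authenticate(cfg: BiosConfig, attempt: Attempt) -> dict:
    """Return which prompts the user saw and whether boot and the drive were unlocked."""
    prompts = []
    if cfg.smart_card_enabled:
        prompts.append("smart card + PIN" if cfg.multifactor else "smart card")
        presented = attempt.card.release_credential(cfg.multifactor, attempt.pin) if attempt.card else None
    else:
        prompts.append("power-on password")
        presented = attempt.typed_password

    authenticated = presented is not None and _eq(presented, cfg.power_on_credential)
    if not authenticated:
        return {"authenticated": False, "drive_unlocked": False, "prompts": prompts}

    if cfg.drivelock_password is None:
        unlocked = True  # no DriveLock configured
    elif _eq(cfg.drivelock_password, cfg.power_on_credential):
        unlocked = True  # matching passwords: the BIOS reuses the credential, no extra prompt
    else:
        prompts.append("DriveLock password")
        unlocked = attempt.drivelock_answer is not None and _eq(attempt.drivelock_answer, cfg.drivelock_password)
    return {"authenticated": True, "drive_unlocked": unlocked, "prompts": prompts}


if __name__ == "__main__":
    card = SmartCard(passphrase=generate_card_passphrase(), pin="123456")
    single = BiosConfig(True, False, card.passphrase, drivelock_password=card.passphrase)
    print("stolen card, single-factor:", preboot_authenticate(single, Attempt(card=card)))
    multi = BiosConfig(True, True, card.passphrase, drivelock_password="separate-drive-secret")
    print("stolen card, multifactor, wrong PIN:", preboot_authenticate(multi, Attempt(card=card, pin="000000")))
```

Running the block prints the two contrasting outcomes: with single-factor authentication and matching passwords, the bare card boots the machine and unlocks the drive with a single prompt; with multifactor authentication a wrong PIN fails at the first prompt.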
Preventing unauthorized data removal
Device security is a feature that uses either chipset or motherboard hardware to hide I/O (input/output) ports from the OS or disable mass storage controllers or devices. When hidden, the selected ports are not accessible to the OS or any other software. Only the BIOS can reenable these ports. This feature is useful for those who are concerned about unauthorized removal of sensitive data from the machine using these I/O ports. The ports that can be secured may vary by model, but generally include the serial port(s), parallel port, USB port(s), network connection, and audio.

The IDE and SATA controllers can also be disabled, preventing devices from functioning on these ports. In addition, the diskette controller can be set to disallow saving data to the diskette.