disabling boot devices on poweredge servers?
alex.dupuy at mac.com
Wed May 5 16:07:06 CDT 2010
> The syscfg utility provides a mechanism to change the default boot
> order, but I would like (for security reasons) to disable boot from USB
> or CD-ROM (I can turn off PXE boot from the NICs).
> Check the OMSA command
> omconfig chassis biossetup attribute=bootorder sequence=<list>
> The sequence of boot devices will be enabled in the bios and the devices
> that are not part of the sequence will be disabled.
I didn't have OMSA installed, but this seemed to be equivalent to the
syscfg --bootseq=<list> configuration command, which on a PE 1950 system
just rearranged the order (omitted boot devices were left in the list,
and were not disabled).
I actually went and installed OMSA via yum (it was pretty painless, I
have to say) so that I could try this out, to see if I had different
results from syscfg. And it did, so that omreport chassis biossetup
bootorder (thanks for pointing that out, Chandrasekhar_R) reported the
> BIOS Boot Sequence
> Device Name : Hard drive C:
> Alias Name : hdd.emb.0.1
> State : Enabled
> Device Name : MBA v2.6.7 Slot 0500
> Alias Name : nic.emb.1.2
> State : Disabled
> Device Name : IDE CD-ROM device
> Alias Name : cdrom.emb.0.0
> State : Disabled
> BIOS Hard Disk Sequence
> Device Name : PERC 5/i Integrated(bus 02 dev 0E)
> Alias Name : sasraid.emb.1.0
And after rebooting, the BIOS also showed the NIC and CDROM as disabled
in the F2 Setup. However, while this can prevent default booting from
CD/DVD or USB, this does not prevent a user from pressing F11 to get the
boot selection menu and then selecting any of the devices (including
nominally disabled ones) from the menu. Even after rebooting a second
time, I was able to PXE boot from the NIC via either F12 or the F11 boot
> I ... will enable a BIOS setup password to lock in the changes once they are set.
After making the omconfig changes above, to disable boot from NIC and
CD-ROM, I went ahead and set the BIOS Setup password. After doing this,
entering F2 asked for a password before taking me to the Setup screen
(if the password was incorrect, the Setup screen was effectively
read-only), and the F11 boot menu also required a password (if the
password was incorrect, it kept prompting and wouldn't enter the boot menu).
Since I can disable NIC booting with syscfg --embnic1=onnopxe, the F12
loophole can be closed via other means. This leaves only one possible
concern for me, which is the possibility of booting from a USB device.
Since boot menu access is eliminated, it isn't possible to choose that
directly, but I wonder whether a newly detected USB device (currently I
have none) might get added to the default boot sequence (it is hard to
disable something that isn't there) and by pulling the hard drive,
manage to boot from a USB key.
Adam Nielsen replied:
> Don't forget that anyone with physical access to the machine can do a
> BIOS reset to get rid of your password, so don't consider this as
> anything other than a deterrent!
A BIOS reset to defaults requires getting to the F2 Setup screen, does
it not? While I know that the BIOS system password (and presumably the
setup password as well) on Dell laptops has a unique master password
(based on the service tag, it seems) that can be obtained from Dell
support, or one of the "password removing" services on-line, I was not
aware of any other trivial way to reset the BIOS or its passwords if the
chassis is secured (some PowerEdge models seem to have a jumper that can
be used to reset BIOS passwords).
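An added example, not part of the original message and not Dell's OMSA tooling: a POSIX shell check that parses "omreport chassis biossetup" boot-sequence output in the format quoted above and confirms that only the intended device alias is still enabled. The embedded sample output is constructed from that format (the device aliases such as hdd.emb.0.1 are those shown in the message); the function names and the allowed-alias argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from OMSA): parse the
# "BIOS Boot Sequence" section of omreport output and report which devices
# are still Enabled, so the result of an omconfig bootorder change can be
# verified from a script rather than by reading the BIOS screen.

# Constructed sample in the format quoted in the message (not captured
# from a real system). In real use, feed the output of:
#   omreport chassis biossetup
SAMPLE_OMREPORT='BIOS Boot Sequence
Device Name : Hard drive C:
Alias Name : hdd.emb.0.1
State : Enabled
Device Name : MBA v2.6.7 Slot 0500
Alias Name : nic.emb.1.2
State : Disabled
Device Name : IDE CD-ROM device
Alias Name : cdrom.emb.0.0
State : Disabled
BIOS Hard Disk Sequence
Device Name : PERC 5/i Integrated(bus 02 dev 0E)
Alias Name : sasraid.emb.1.0'

# enabled_boot_aliases: read omreport text on stdin and print, one per line,
# the alias of every device in the "BIOS Boot Sequence" section whose
# State is Enabled. The hard-disk sequence section is ignored.
enabled_boot_aliases() {
    awk -F' : ' '
        /^BIOS Boot Sequence/      { in_boot = 1; next }
        /^BIOS Hard Disk Sequence/ { in_boot = 0 }
        in_boot && $1 == "Alias Name" { alias = $2 }
        in_boot && $1 == "State" && $2 == "Enabled" { print alias }
    '
}

# check_boot_policy ALLOWED_ALIAS: read omreport text on stdin; return 0 if
# the only enabled boot device is ALLOWED_ALIAS, otherwise print each
# unexpected enabled device to stderr and return 1.
check_boot_policy() {
    allowed="$1"
    status=0
    for alias in $(enabled_boot_aliases); do
        if [ "$alias" != "$allowed" ]; then
            echo "unexpected enabled boot device: $alias" >&2
            status=1
        fi
    done
    return $status
}

# Live usage (not run here): omreport chassis biossetup | check_boot_policy hdd.emb.0.1
printf '%s\n' "$SAMPLE_OMREPORT" | check_boot_policy hdd.emb.0.1 && echo "boot policy OK"
```

This only confirms the state recorded in the BIOS boot sequence. As the message explains, a device shown as Disabled there can still be picked from the F11 boot menu until a BIOS setup password is in place, so a check like this belongs alongside, not instead of, verifying that the setup password is set.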