You can configure passwords for the BIOS to control access to the system.

• If set, the administrator (or supervisor or setup) password is required to enter the CMOS program to make changes to BIOS settings.
• If set, the user (or system or power on) password is required to load the operating system. The administrator password can also be used to start the system.

BIOS passwords only offer a small degree of protection.

• Passwords can typically be cleared by removing the CMOS battery or using a motherboard jumper.
• If you have set an administrator password and then find the password is no longer set, you know that someone has tampered with the system.
• Use a chassis lock to prevent users from opening the case to reset passwords.

Chassis intrusion detection helps you identify when a system case has been opened. With chassis intrusion detection:

• A sensor switch is located inside the system case.
• When the case cover is removed, the switch sends a signal to the BIOS.
• Depending on the system configuration, a message might be displayed on the screen at startup, or the message might only be visible from within the CMOS program (On-Silent).
• Run the CMOS program to clear the message.

Some portable computers allow you to set a password on a hard disk.

• When set, the password must be given at system startup or the disk cannot be used.
• Hard disk passwords are part of the ATA specifications so they are not dependent upon a specific disk manufacturer.
• There are two different passwords: user and master.
• Set the password(s) by using the CMOS program. Some programs do not allow you to set a password, only let you set the user password, or let you set both a user and a master password.
• Passwords are saved on the hard disk.
  • You cannot read the passwords from the disk.
  • You cannot move the drive to another system to access the disk without the password (the password moves with the disk).
  • You cannot format the disk to remove the passwords.
• If you forget the user password, use the master password to access the drive. If you do not know either password, you cannot access any data on the drive.
• Most drives allow a limited number of incorrect password attempts. After that time, you must restart the system to try entering additional passwords. You can try as long as you want, but constantly restarting the system makes guessing the password a tedious job.
• Drives might ship with a default master password. However, these passwords (if they exist) are not publicly available and cannot be obtained from disk manufacturers.
• Setting a hard disk password is sometimes referred to as locking the hard disk.

A TPM is a special chip on the motherboard that generates and stores cryptographic keys.

• Use the CMOS program to initialize the TPM.
• During initialization, you set a TPM owner password. The TPM password is required to manage TPM settings.
• The TPM includes a unique key on the chip that can be used for hardware system identification.
• The TPM can generate a cryptographic key or hash based on the hardware in the system, and use this key value to verify that the hardware has not changed. This value can be used to prevent the system from booting if the hardware has changed.
• The TPM can be used by applications to generate and save keys that are used with encryption.