Browse Prior Art Database

Flexible Pre-boot security

IP.com Disclosure Number: IPCOM000014009D
Original Publication Date: 2000-May-01
Included in the Prior Art Database: 2003-Jun-19
Document File: 2 page(s) / 40K

Publishing Venue

IBM

Abstract

Disclosed in the following is a method to remotely modify the security attributes of a Personal Computer system to address certain unique, short lived situations: In today's business world, all computer manufacturers have established a scheme for protecting the system from access from an unauthorised person. Unfortunately, because a system designer cannot predict all of the various uses of computers in the industry, the current schemes are much too rigid for most customers. Because of this, many customers do not utilise the full potential of the security schemes. For example , we have customers who manage computers across the world. When the computer needs any type of maintenance, the administer must either go to the site to do the maintenance or they must give out passwords to people at the remote sites. Since the later is more economical, the passwords are exposed and the security of the system is reduced. For this reason, many customers do not use the current password schemes. The solution we recommend is that the current security needs to evolve to more accurately reflect the usage of current models for network connected PC's. The first part of this disclosure is that security needs to evolve so that an administrator can establish their own guidelines. For instance, in today's environment, the opening of the case generates an error which requires password entry. A more powerful security implementation would allow the user to specify whether this activity generates an error. For instance, if the case has been opened and then closed, and if no hardware is missing or if new hardware memory/hardfile) was added, a password would not be required. This implementation could evolve such that an administrator could change the security policy in a secure manner) for a single boot or boots so that the machine could be maintained without compromising the security of the machine. This is the second part of this disclosure.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 51% of the total text.

Page 1 of 2

Flexible Pre-boot security

Disclosed in the following is a method to remotely modify the security attributes of a Personal

Computer system to address certain unique, short lived situations:

In today's business world, all computer manufacturers have established a scheme for protecting the system from access from an unauthorised person. Unfortunately, because a system designer cannot predict all of the various uses of computers in the industry, the current schemes are much too rigid for most customers. Because of this, many customers do not utilise the full potential of the security schemes. For example , we have customers who manage computers across the world. When the computer needs any type of maintenance, the administer must either go to the site to do the maintenance or they must give out passwords to people at the remote sites. Since the later is more economical, the passwords are exposed and the security of the system is reduced. For this reason, many customers do not use the current password schemes.

The solution we recommend is that the current security needs to evolve to more accurately reflect the usage of current models for network connected PC's. The first part of this disclosure is that security needs to evolve so that an administrator can establish their own guidelines. For instance, in today's environment, the opening of the case generates an error which requires password entry. A more powerful security implementation would allow the user to specify whether this activity generates an error. For instance, if the case has been opened and then closed, and if no hardware is missing or if new hardware ( memory/hardfile) was added, a password would not be required. This implementation could evolve such that an administrator could change the security policy ( in a secure manner) for a single boot or boots so that the machine could be maintained without compromising the security of the machine. This is the second part of this disclosure.

On several systems currently being marketed by the IBM Corporation, security is controlled by a dual password mechanism. There is a "user password" that is known to the individual that uses the machine on a daily basis that is used to allow the basic start up and operation of the system. There is also a facility to set an "administrator password". When the administrator password is set, various additional security features are brought into play, some of which include notification of having the case of the system opened and notification of changes of system hardware configuration.

When either of these situations are encountered, the system start up program (the BIOS program) places a message on the systems CRT screen and halts until the administrators password is entered from the system keyboard.

This scheme has been shown to work well for it's intended purpose (bringing an unauthorised tampering of the system to the attention of a local system administrator) but there are situations that can...