01-30-2012 05:50 AM - edited 01-30-2012 09:41 AM
I was wondering under what circumstances the Power on and HDD passwords for Thinkpads could be circumvented. I'm bringing this up because even when I have these two passwords set, you can do a restart of the laptop, which bypasses those two checks.
The scenario I'm wondering about is if an up and running Thinkpad was taken, would it be possible to restart the machine with a linux distro in the tray, reset passwords and then reboot back to windows. I'm not especially worried if the Thinkpad is physically turned off because I know the power-on and hdd passwords will kick in. I'm more concerned about a Thinkpad where a user is accustomed to just leaving the thing on all the time.
I take care of IT issues for a small business and I'm implementing this level of security on the laptops. I want to be able to tell the owner that as long as strong passwords are used and a person doesn't have them written down on a sticky taped to the Thinkpad, if it's stolen no-one is getting into the hard drive.
01-30-2012 11:35 AM
Haiku welcome to the forum,
good question, asking it the other way around would also have resulted in you being quoted from the froum rules;
No posts shall include instructions or directions intended to subvert security measures, including passwords, locking mechanisms, fingerprint scans, etc, nor shall any posts provide descriptions to the location of, nor direct links to content related to these topics.
We can advise you to refer to the Hardware Maintainance Manuals for the systems concerned, having read the information, (which is basically the same for all ThinkPads), you should hopefully be a little more enlightened.
The power on password is definitely the weakest of all the passwords along with the Windows user password, HDD passwords are very safe. More discussion and information on HDD passwords can be found in this thread.
There's no way to make a computer 100% safe, it would be lying to presume otherwise, but there are soft and hardware solutions which get pretty close depending on the level of security you require e.g proximity sensors is one idea which could be used if a running system is stolen, Remote Disable is also another possibility.
For the scenario you mention, booting from a Linux disc, firstly the HDD password will need to be entered at startup, secondly you could remove the option to boot from optical, usb drives and any other options you care to exclude in BIOS, lock the BIOS settings having set a Supervisor password (SVP). This would result in the person trying to gain access having knowledge of the SVP in order to be able to change the boot order and becaue of the HDD passwords they would need another sinilar system and also need to know the HDD password.
Hopefully that answers some or most of your questions, but please avoid the obvious forbidden discussion.
Please remember to come back and mark the post that you feel solved your question as the solution, it earns the member + pointsDid you find a post helpfull? You can thank the member by clicking on the star to the left awarding them Kudos
01-31-2012 06:39 AM
Yeah sorry about that, it was a difficult question to ask "correctly". That is a good point though about restricting devices from the boot order within the BIOS.
02-11-2012 03:20 AM
Short of replacing the motherboard they are not going to bypass the BIOS password. HDD passwords can be bypassed with a low level format, however that will take the data with it. If the HDD does not have built in hardware encryption it could still be possible to recover data from it in the event of theft, although this will take some skill. For this reason HDD passwords are best used with hardware encrypted drives (that's what they're really for).