
Set boot order of computers approved for use with removable storage such that the Basic Input Output System (BIOS) does not allow default booting from devices attached to a USB, firewire, or eSATA port.


Overview

Finding ID: V-22115
Version: STO-ALL-040
Rule ID: SV-25623r1_rule
IA Controls: (none listed)
Severity: High
Description
If the BIOS is left set to allow the end point to boot from a device attached to the USB, firewire, or eSATA port, an attacker could use a USB device to force a reboot by either performing a hardware reset or cycling the power. This can lead to a denial of service attack or the compromise of sensitive data on the system and the network to which it is connected.
STIG: Removable Storage and External Connections Security Technical Implementation Guide
Date: 2017-09-25

Details

Check Text (C-27103r1_chk)
Further policy details:

Some systems do not have a setting for disabling boot from USB or other types of ports. In these cases, "Boot from USB" or other interface connection types should be moved to last in the boot device list in the BIOS. The risk is lessened but not mitigated, so the reviewer will mark this as a CAT II finding.

Check procedure:

1. Inspect the BIOS settings. Navigate to the boot order configuration tab.

2. Work with the site representative to verify that no end point has its BIOS set to allow a default boot from an external port.

3. Verify that a system can be booted from a USB, firewire, or eSATA device for maintenance or recovery purposes, but it will not be allowed to do so when in normal use.
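One way to audit the boot order on a Linux host that boots through UEFI, as an added example and not part of the STIG: a Python script that parses `efibootmgr -v` output (the sample below is constructed, not captured from a real system) and classifies the order according to the check above. It assumes that firmware boot entry labels name the port type (USB, FireWire/1394, eSATA), which is a heuristic; the firmware setup screen remains the authoritative place to confirm the setting.

```python
import re

# Constructed sample of `efibootmgr -v` output; an entry marked with "*" is active.
SAMPLE_EFIBOOTMGR = """\
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0002,0001,0003
Boot0001* ubuntu\tHD(1,GPT,1234abcd-0000-0000-0000-000000000000,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)
Boot0002* UEFI: USB Flash Drive\tBBS(USB,,0x0)
Boot0003  eSATA Disk\tBBS(HD,,0x0)
"""

# Label keywords (assumed, heuristic) for the externally attached ports named by the STIG.
EXTERNAL_KEYWORDS = ("usb", "firewire", "1394", "esata")


def parse_efibootmgr(text):
    """Return (boot_order, {entry_id: (label, active)}) from efibootmgr -v output."""
    order, entries = [], {}
    for line in text.splitlines():
        m = re.match(r"BootOrder:\s*(.*)", line)
        if m:
            order = [x.strip() for x in m.group(1).split(",") if x.strip()]
            continue
        # "Boot0002* Label<TAB>device-path": hex id, optional active flag, label up to the tab.
        m = re.match(r"Boot([0-9A-Fa-f]{4})(\*?)\s+([^\t]+)", line)
        if m:
            entries[m.group(1).upper()] = (m.group(3).strip(), m.group(2) == "*")
    return order, entries


def is_external(label):
    return any(k in label.lower() for k in EXTERNAL_KEYWORDS)


def assess_boot_order(text):
    """Map the effective boot order onto the STIG outcomes:
    'compliant'      - no active external-port entry is in BootOrder
    'external_last'  - external entries are active but sit after every internal entry (CAT II)
    'external_first' - an active external entry precedes an internal one (finding as written)
    """
    order, entries = parse_efibootmgr(text)
    active = [entries[b][0] for b in order if b in entries and entries[b][1]]
    ext_pos = [i for i, lbl in enumerate(active) if is_external(lbl)]
    int_pos = [i for i, lbl in enumerate(active) if not is_external(lbl)]
    if not ext_pos:
        return "compliant"
    if int_pos and max(int_pos) < min(ext_pos):
        return "external_last"
    return "external_first"


if __name__ == "__main__":
    print(assess_boot_order(SAMPLE_EFIBOOTMGR))
```

On a real host, feed the script the output of `efibootmgr -v` instead of the constructed sample; entries absent from BootOrder or not marked active are ignored because the firmware will not boot them by default.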
Fix Text (F-23205r1_fix)
Set boot order of computers approved for use with removable storage such that the BIOS does not allow default booting from devices attached to a USB, firewire, or eSATA port.