Boot Order Manipulation

First stage bootloaders such as BIOS (Basic Input/Output System) and UEFI (Unified Extensible Firmware Interface) or second stage bootloaders such as GNU GRUB (GNU GRand Unified Bootloader) and iBoot, generally provide the ability to configure a bootloader password as a security measure. This password restricts access to the computer’s firmware settings and, in some cases, the boot process.

When a bootloader password is set, it is stored in a non-volatile memory within the firmware. Upon powering on the system (and the bootloader settings being selected) the bootloader prompts the user to enter the password before allowing access to the firmware settings, thereby preventing unauthorized users from altering system settings or booting from unauthorized devices.

Full Disk Encryption (FDE) involves encrypting all data on a device's hard disk or solid-state drive (SSD), including the Operating System (OS), third party applications and user data. This helps to ensure that data on the disk remains inaccessible if the laptop is lost or stolen, as the data cannot be accessed without the correct decryption key.

Typically a user decrypts a FDE disk during the boot process. The user is prompted to enter a password or provide a hardware token to unlock the encryption key. Only after successful authentication can the disk be decrypted and subsequently the Operating System loaded and the data accessed.

Access to specific areas of a site should be restricted to only authorized personnel, through the use of controls such as locked doors, mantraps, and gates requiring an ID badge.