Securely configuring BIOS/UEFI

This topic is different from anything we've looked at thus far because it has nothing to do with the operating system. Rather, we're now going to talk about the computer hardware.

Every computer motherboard has either a BIOS or a UEFI chip, which stores both the hardware configuration for the computer and the bootstrap instructions that are needed to start the boot process after the power is turned on. UEFI has replaced the old-style BIOS on newer motherboards, and it has more security features than the old BIOS had.

I can't give you any specific information about BIOS/UEFI setup because every model of motherboard has a different way of doing things. What I can give you is some more generalized information.

When you think about BIOS/UEFI security, you might be thinking about disabling the ability to boot from anything other than the normal system drive. In the following screenshot, you can see that I've disabled all SATA drive ports except for the one the system drive is connected to:

When computers are out in the open where the general public can have easy physical access to them, this might be a consideration. For servers that are locked away in their own secure room with limited access, there's no real reason to worry about this, unless the security requirements of some regulatory body dictate otherwise. For machines that are out in the open, having the whole disk encrypted would prevent someone from stealing data after booting from either an optical disk or a USB device. However, you may still have other reasons to prevent anyone from booting the machine from these alternate boot devices.

Another consideration might be if you work in a secure environment where supersensitive data is handled. If you're worried about unauthorized exfiltration of sensitive data, you might consider disabling the ability to write to USB devices. This will also prevent people from booting the machine from USB devices:

However, there's more than just this to BIOS/UEFI security. Today's modern server CPUs come with a variety of security features to help prevent data breaches. For example, let's look at a list of security features that are implemented in Intel Xeon CPUs:

  • Identity-protection technology
  • Advanced Encryption Standard New Instructions
  • Trusted Execution Technology
  • Hardware-assisted virtualization technology

AMD, that plucky underdog in the CPU market, have their own new security features in their new line of EPYC server CPUs. These features include the following:

  • Secure Memory Encryption
  • Secure Encrypted Virtualization

In any case, you would configure these CPU security options in your server's UEFI setup utility.
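After changing these options in the setup utility, you can confirm from the running Linux system what the kernel actually sees. The following script is an added example, not part of the original text: it reports whether the machine booted in UEFI mode and maps the flag names in /proc/cpuinfo to the features listed above, so that a missing flag prompts a second look at the UEFI settings. It assumes the kernel's flag names (aes, smx, vmx, svm, sme, sev), runs against a constructed sample, and leaves out identity-protection technology, which has no /proc/cpuinfo flag.

```shell
#!/bin/sh
# Added example: check from Linux what the firmware and CPU expose.

# Print the flags of the first CPU in a cpuinfo-format file, one per line.
cpu_flags() {
    awk -F': ' '/^flags/ { gsub(/ /, "\n", $2); print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Report UEFI or BIOS; the kernel creates /sys/firmware/efi only on a UEFI boot.
# The optional directory argument exists so the check can be exercised in tests.
firmware_mode() {
    if [ -d "${1:-/sys/firmware/efi}" ]; then echo UEFI; else echo BIOS; fi
}

# For each feature named in the text, say whether its kernel flag is present.
report_features() {
    flags=$(cpu_flags "$1")
    for pair in \
        "aes=Advanced Encryption Standard New Instructions" \
        "smx=Trusted Execution Technology (Safer Mode Extensions)" \
        "vmx=Hardware-assisted virtualization (Intel)" \
        "svm=Hardware-assisted virtualization (AMD)" \
        "sme=Secure Memory Encryption" \
        "sev=Secure Encrypted Virtualization"
    do
        flag=${pair%%=*}
        name=${pair#*=}
        # -x matches the whole line, so "sev" does not match "sev_es".
        if printf '%s\n' "$flags" | grep -qx "$flag"; then
            echo "present $flag $name"
        else
            echo "absent  $flag $name"
        fi
    done
}

# Constructed sample in /proc/cpuinfo format (not taken from a real machine).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
processor       : 0
model name      : Constructed Example CPU
flags           : fpu vme aes vmx smx sse2
EOF

echo "Firmware mode: $(firmware_mode)"
report_features "$SAMPLE"   # call with no argument to read /proc/cpuinfo
```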

And of course, for any machines that are out in the open, it's a good idea to password-protect the BIOS or UEFI:

If for no other reason, do it to keep people from monkeying around with your settings.

Now that you know a bit about locking down BIOS/UEFI, let's talk about security checklists.
