DeviceLock Overview : Basic Security Rules
  
Basic Security Rules
The following basic security rules should be met by any computer that you want to install in a corporate network:
Change the boot sequence. The hard disk must be the first boot device. Change the boot sequence in the BIOS so that the computer does not boot from the floppy, USB drive or CD-ROM. If the hard disk is not the first boot device, someone can use a bootable CD or USB Flash Drive to directly access the hard disk drive.
Protect the BIOS with a password. Set a BIOS password so that only an authorized person can make changes there. If the BIOS is not password protected, someone can change the boot sequence and use a bootable CD, floppy or USB Flash Drive (see above).
Seal computer cases and chassis. Protect the hardware with a seal. Otherwise, it is possible to plug an external boot device directly into the computer and access the hard disk. Moreover, if someone can physically access the motherboard, it is very easy to locate the CMOS reset jumper and clear the BIOS password (see above).
Do not give administrator rights to regular users. Regular local users should not be members of the local Administrators group. It is not a good practice to grant users administrative rights to their computers.
However, if for some reason users on your network have administrator privileges on their local computers, DeviceLock provides another level of protection. No one except authorized DeviceLock administrators can connect to, stop, or uninstall DeviceLock Service. Even members of the local Administrators group cannot disable DeviceLock if they are not in the list of the authorized DeviceLock administrators.
Remove the Windows Recovery Environment/Recovery Console. By using Windows Recovery Environment on a local computer, anyone can restart the computer in recovery mode and work around all security measures, including disabling DeviceLock Service (however, this requires the local administrator password). For this reason, we recommend preventing the use of Windows Recovery Environment by regular users. System recovery options are described in Microsoft’s article at support.microsoft.com/en-us/kb/307654. For information about Windows Recovery Environment, see Microsoft’s article at msdn.microsoft.com/en-us/dn938364.
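The following PowerShell audit is an added example, not part of the DeviceLock documentation or product. It checks two of the rules above on the local computer: membership of the local Administrators group and the Windows Recovery Environment status. The allowlist entries (including the EXAMPLE\Workstation-Admins group) are hypothetical placeholders, and the status parsing assumes an English-language system.

```powershell
# Added audit sketch: checks two rules from the list above on the local machine.
# Run from an elevated PowerShell session.

# Hypothetical allowlist (assumption): accounts permitted in local Administrators.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE\Workstation-Admins'      # placeholder domain group
)

function Get-UnexpectedLocalAdmin {
    param([string[]]$Allowed)
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the lookup does not depend on the OS display language.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-WinReStatus {
    # reagentc.exe /info reports the Windows Recovery Environment state.
    # The output text is localized; this match assumes an English system.
    $info = & reagentc.exe /info 2>&1 | Out-String
    if ($info -match 'Windows RE status:\s+(\w+)') { $Matches[1] } else { 'Unknown' }
}

$findings = @()

# Rule: regular users should not be members of the local Administrators group.
foreach ($m in @(Get-UnexpectedLocalAdmin -Allowed $AllowedAdmins)) {
    $findings += [pscustomobject]@{
        Rule   = 'No administrator rights for regular users'
        Detail = "Unexpected member of local Administrators: $($m.Name) ($($m.ObjectClass))"
    }
}

# Rule: Windows Recovery Environment should not be available to regular users.
$winre = Get-WinReStatus
if ($winre -ne 'Disabled') {
    $findings += [pscustomobject]@{
        Rule   = 'Windows Recovery Environment'
        Detail = "Windows RE status is '$winre' (reagentc /disable turns it off)"
    }
}

if ($findings.Count -eq 0) { 'Both checks passed.' } else { $findings | Format-List }
```

The boot sequence, BIOS password and case seal rules are firmware and physical controls, so this script does not cover them.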