LinuxQuestions.org

Windows 10 upgrade horrors (https://www.linuxquestions.org/questions/general-10/windows-10-upgrade-horrors-4175557384/)

business_kid 11-05-2015 04:49 AM

So a booting system with UEFI has the potential to cripple itself, and manufacturers do by and large.

How is that 'the greatest thing since sliced bread'? :-)

sundialsvcs 11-05-2015 09:37 AM

Well, when you are tasked with maintaining a large rack of "bare" computers, you instantly realize the deficiencies of BIOS and the need for a more sophisticated firmware layer.

One of the things that is of very legitimate concern to you is the not-to-be-trusted late night operator with a USB stick in his pocket, who could use that stick to reboot a server into the operating system of his own choosing, thereby sidestepping your system's security controls completely. There was also the general problem of unauthorized modifications being introduced without your knowledge. ("There are five hundred servers in there ... which one is it?")

business_kid 11-06-2015 04:25 AM

Quote:

Originally Posted by sundialsvcs (Post 5445080)
Well, when you are tasked with maintaining a large rack of "bare" computers, you instantly realize the deficiencies of BIOS and the need for a more sophisticated firmware layer.

Agreed. We have both experienced poor BIOS.

Quote:

Originally Posted by sundialsvcs (Post 5445080)
One of the things that is of very legitimate concern to you is the not-to-be-trusted late night operator with a USB stick in his pocket, who could use that stick to reboot a server into the operating system of his own choosing, thereby sidestepping your system's security controls completely. There was also the general problem of unauthorized modifications being introduced without your knowledge. ("There are five hundred servers in there ... which one is it?")

Disenchanted or malicious employees are a legitimate source of concern in any organization. I'm a home user. Nobody is going to come in and hack my PC. I resent UEFI hugely. Fine for servers.

cynwulf 11-06-2015 05:13 AM

Quote:

Originally Posted by sundialsvcs (Post 5445080)
One of the things that is of very legitimate concern to you is the not-to-be-trusted late night operator with a USB stick in his pocket, who could use that stick to reboot a server into the operating system of his own choosing, thereby sidestepping your system's security controls completely. There was also the general problem of unauthorized modifications being introduced without your knowledge. ("There are five hundred servers in there ... which one is it?")

In my opinion, that's not a legitimate security concern. If someone has physical access to the machine, it's 'game over' anyway. In order to disable the secure boot, they need the supervisor password for the UEFI. But you can password protect traditional BIOS in the same way and disable all of the USB ports and/or boot selection menu and booting from any other devices. In either case - get the password and it's all the same.

They could also just pull the hard disk, clone it, boot it on a different machine / chroot it, do what you like to the system then swap it out when convenient. The fact remains if they have physical access there's not much they can't do - secure boot or not.

Also in many cases, with physical access and the ability to reboot, power off and boot up a server, they can just boot in single user mode...

Physically securing the server is paramount.

business_kid 11-07-2015 08:51 AM

FINALLY!

Latest on this is that I am on Windows 8.1 Pro, with. I did find a CD-ROM of my own making with windows-8.1 pro, but my version has no UDF driver. I am formatting, shredding, and otherwise deleting that Windows. I will install something, I suppose. The value of the disk has slipped below zero with Windows on it.

business_kid 11-08-2015 09:24 AM

Now, the real story has finally come out. Congenital Incompatibility.
  1. The Windows 8 --> 8.1 install seems congenitally knackered and has been deleted. I never had anything but grief from it.
  2. The laptop BIOS is congenitally incapable of reading UDF disks, so I can't boot any install ISO, as they're all on UDF.
  3. The Windows downloads are UDF filesystems within an ISO.
  4. Taking one out of the ISO, copying all files but it failed to boot.
  5. I have the Windows 7 & 8.1 on hard disk atm but they're useless if they won't boot.
  6. That leaves possibilities in VMs and PXE booting.

It explains why I had such issues. Linux reads UDF, even Windows reads them, but that sticks me in the labyrinthine Windows update dead end, because & because, and in fact I don't care.

business_kid 11-09-2015 08:16 AM

Hehe... finally sorted, and some administrator can mark this solved.

Stuck in bed today. I took with me the empty 698G disk, Windows Vista, and my old HP laptop. I installed Vista - 20 Gigs only, and no queries about product keys. Turn off user account control and all eye candy, resort to 'Classic View' and you're sorted. Windows 7 hesitates to update it because it feels inadequate being 32 bit on a 64 bit system. Windows 8.1 I haven't bothered with.

I think I'll wire it in when I need internet, and keep it off wifi if I can. It only starts arguments when you let windoze online - it's not grown up enough for that. The beauty of it is that it's got no EFI, as the HP has no support. It will get a shock waking up in the Samsung tomorrow, but should boot as a legacy OS.

dugan 11-09-2015 09:07 AM

When you decide to try EFI again, try using rEFInd to handle the multi-booting.

business_kid 11-09-2015 01:31 PM

Have you a link for that?

My experience with UEFI was horrible. Nothing worked. If you have gdisk format (which I had), the BIOS says "This is UEFI". No distro handled UEFI in 2012 when I bought the box, although some preliminary efforts were online. I tried them; they all failed, and Windows sat down until I repaired the boot.

So I threw in an SSD, which was fdisk formatted, disabled secure boot and set for "UEFI and Legacy OS" booting, and used my laptop. It's a home laptop, for heaven's sake, not some 24/7 ultra secure mission critical server with a paranoid sysadmin where you need a PhD and security clearance to get user nobody's password.


All times are GMT -5.