• Password best practices
• Changing default usernames/passwords
  • All devices have defaults
  • There are many web sites that document these
• Password complexity and length
  • Make your password strong
  • No single words
• Password expiration and recovery
  • All passwords should expire
  • Change every 30 days, 60 days, 90 days
• Require a screensaver password
  • Integrate with login credentials
  • Can be administratively enforced
  • Automatically lock after a timeout to prevent unauthorized access
Unauthorized access to an unattended system can be prevented by enabling a screensaver password. In this case, the system is set to activate the screensaver after 5-10 minutes of inactivity; after that period the system cannot be accessed without authenticating with a password.
BIOS/UEFI passwords are a fundamental line of defense for a PC that is unsupervised or in an insecure location. There are two forms of password protection available in the system BIOS/UEFI: the User password and the Supervisor password.
The User password allows machine access and enables the user to view but not change any settings in the BIOS/UEFI.
The Supervisor password is necessary to make changes in the BIOS/UEFI.
Organizations require passwords in order to access devices and data on their network. On a local machine, password requirements for all accounts are managed in the Account settings of the Group Policy Editor, as shown later.
• Account management
In the Windows environment, accounts can be managed in several ways. In a business environment, Active Directory is used to manage both users and devices.
On a local machine, three options are available. First, Control Panel > Users and Groups can be used to add or delete users, change passwords, and elevate a standard user to an administrator or vice versa.
The PoLP (Principle of Least Privilege) should always be observed when assigning or restricting user accounts. Please ensure that the user has functionality suitable for their job description without exceeding it.
Restricting login hours for a user or group is a recommended way to prohibit unauthorized access. Since these restrictions are generally assigned to a user group, it is important to review the group membership in order to determine if any group members require access outside normal business hours.
Windows default “guest account”: since the name of the guest account is widely known, it is targeted for attacks.
All members of the guest group have privileges equivalent to the guest account. In practice, it makes sense to disable the guest account.
Group policy settings allow an administrator to set the number of incorrect password attempts before the account is locked. The duration of the lockout can also be set by the administrator and is variable.
The Screensaver can be set to increase security by accessing the Screensaver Properties and selecting “On resume, display logon screen” as shown below.
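The password expiration, lockout threshold/duration and screensaver-lock settings from the password best practices list and the two paragraphs above can be applied from an elevated PowerShell prompt. This is an added example, not part of the original notes; the 90-day expiry and 10-minute timeout come from the notes, while the 12-character minimum, 5-attempt threshold and 30-minute lockout are assumed values.

```powershell
# Added example (not from the original notes). Run as Administrator on a
# standalone Windows machine; on a domain member these settings come from
# the domain's Group Policy and the local values are overridden.

# --- Password expiration and strength (local Account Policies) ---
# net.exe is built in; each switch maps to an Account Policies setting.
net accounts /maxpwage:90      # expire passwords every 90 days (from the notes)
net accounts /minpwlen:12      # assumed minimum length for a "strong" password
net accounts /uniquepw:5       # remember the last 5 passwords to block reuse

# --- Account lockout after repeated incorrect attempts ---
net accounts /lockoutthreshold:5    # lock after 5 bad attempts (assumed)
net accounts /lockoutduration:30    # keep the account locked for 30 minutes
net accounts /lockoutwindow:30      # reset the bad-attempt counter after 30 minutes

# --- Screensaver password lock for the current user ---
# These registry values are what the Screensaver Properties dialog writes when
# "On resume, display logon screen" is selected and a wait time is set.
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value '600'  # seconds = 10 minutes

# To enforce the same lock administratively (the "Can be administratively
# enforced" point), write the values under the Policies key instead; values
# there cannot be changed by the user through the dialog.
$policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $policy -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $policy -Name 'ScreenSaveTimeOut'   -Value '600'

# --- Verify what is now in effect ---
net accounts
Get-ItemProperty -Path $desktop -Name ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut
```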
• User account/password
Password problems are a very common reason users get locked out of their accounts. Several incorrect login attempts will lock the account, requiring the admin to unlock it. If the user is sure they know the password and got locked out by accident, the issue can often be traced to Num Lock or Caps Lock. Accounts can be unlocked using the User Properties Tools tab as shown below.
Active Directory (AD) describes a collection of services and related databases in Windows Server that can be used to control access to domains and the activities permitted within them.
AD has 5 services; these services work together to organize the AD hierarchical structure from the top down.
Active Directory creates a forest consisting of all resources of a particular entity, such as a company or school, organized at the highest level.
Computer and user accounts are created and deleted using the Active Directory Users and Computers snap-in found on the Server Manager Tools menu shown above. A new user account can be created by right-clicking Users in the left pane and choosing New.
Disabling an account is better practice than deleting it.
If the user has forgotten their password, it will need to be reset. Close the properties, right-click the user, and choose Reset Password. A small Reset Password dialog (inset) will open where a one-time password can be assigned.
The user will be required to change the password after they log in.
In Active Directory, the guest account is disabled by default. If the guest or any other account needs to be disabled, right-click the user, access the Account tab of the user Properties, and check the “Account is disabled” box in the Account Options section.
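The lockout handling described under user account/password and the create, reset-password, disable and guest-account steps above can all be done with the ActiveDirectory PowerShell module. This is an added example, not part of the original notes; the user name, UPN suffix and OU path are placeholders.

```powershell
# Added example (not from the original notes). Requires the ActiveDirectory
# module (RSAT) and rights to manage the target OU. The user name, UPN suffix
# and OU path are placeholders for this example.
Import-Module ActiveDirectory

$sam = 'jdoe'
$ou  = 'OU=Staff,DC=corp,DC=example'   # placeholder OU

# Create the account (the GUI "New > User" step). The initial password is a
# one-time value: ChangePasswordAtLogon forces a change at first login.
$initial = Read-Host -AsSecureString -Prompt 'One-time initial password'
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName $sam -UserPrincipalName "$sam@corp.example" `
    -Path $ou -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true

# Forgotten password: reset with a new one-time password, again forcing a
# change at next logon (the "Reset Password" dialog).
$temp = Read-Host -AsSecureString -Prompt 'Temporary password'
Set-ADAccountPassword -Identity $sam -Reset -NewPassword $temp
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true

# Locked out after too many bad attempts (often Caps Lock / Num Lock): list
# locked accounts, then unlock the one the user reports.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
Unlock-ADAccount -Identity $sam

# Leaver: disable rather than delete, so the SID, group memberships and
# owned files are retained and the action can be reversed.
Disable-ADAccount -Identity $sam
Get-ADUser -Identity $sam -Properties Enabled | Select-Object SamAccountName, Enabled

# Confirm the built-in Guest account is still disabled (its default).
Get-ADUser -Identity Guest -Properties Enabled | Select-Object SamAccountName, Enabled
```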
• Disable autorun
Older Windows machines used to automatically run programs when a CD or USB drive was attached. Windows would run the autorun.inf file stored in the root of the drive.
There is also an AutoPlay feature under Control Panel items; searching for AutoPlay from the Start menu (Start > Search > AutoPlay) takes you to it. Make sure both AutoRun and AutoPlay are turned off.
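The AutoRun and AutoPlay settings above live in the registry, so they can be audited and enforced without the Control Panel. This is an added example, not part of the original notes; it checks the three values that the "Turn off AutoPlay" policy and the Settings-app AutoPlay toggle write, and optionally sets them.

```powershell
# Added example (not from the original notes): check, and optionally set, the
# registry values behind "Turn off AutoPlay" and the Settings-app AutoPlay
# toggle. Run as Administrator for the HKLM (machine-wide) values.

function Get-AutoPlayState {
    # Machine-wide policy: NoDriveTypeAutoRun is a bitmask of drive types for
    # which AutoPlay is off; 0xFF (255) covers every drive type.
    # NoAutorun = 1 tells Windows not to execute autorun.inf commands at all.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    # Per-user Settings toggle "Use AutoPlay for all media and devices".
    $user   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $u = Get-ItemProperty -Path $user   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $p.NoDriveTypeAutoRun   # want 255
        NoAutorun          = $p.NoAutorun            # want 1
        DisableAutoplay    = $u.DisableAutoplay      # want 1
        AllDisabled        = ($p.NoDriveTypeAutoRun -eq 255 -and
                              $p.NoAutorun -eq 1 -and
                              $u.DisableAutoplay -eq 1)
    }
}

function Disable-AutoPlay {
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $user   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    New-Item -Path $policy -Force | Out-Null
    New-Item -Path $user   -Force | Out-Null
    New-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -PropertyType DWord -Value 255 -Force | Out-Null
    New-ItemProperty -Path $policy -Name NoAutorun          -PropertyType DWord -Value 1   -Force | Out-Null
    New-ItemProperty -Path $user   -Name DisableAutoplay    -PropertyType DWord -Value 1   -Force | Out-Null
}

Get-AutoPlayState            # before
Disable-AutoPlay
Get-AutoPlayState            # after: AllDisabled should be True
```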
• Data encryption
Good practice is to use full-disk encryption. Encrypting the entire drive is the safest regular method. You can also use file system encryption to secure individual files and folders. With regard to portable USB storage, encrypting this media is strongly recommended. Lastly, keeping backups of the encryption keys is very important.
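Full-disk encryption of the system drive, encryption of a USB drive and a backed-up recovery key, as recommended above, can be set up with the BitLocker cmdlets; file-level encryption uses EFS through cipher.exe. This is an added example, not part of the original notes; it assumes Windows 10/11 Pro or Enterprise with a TPM, and the drive letters and backup path are placeholders.

```powershell
# Added example (not from the original notes): full-disk encryption of the
# system drive with BitLocker, a recovery key backed up before encryption
# starts, and password-protected encryption of a removable USB drive.
# Run as Administrator; drive letters and the backup path are placeholders.

# Current state: VolumeStatus 'FullyDecrypted' and ProtectionStatus 'Off' mean unprotected.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# 1. Add a recovery password protector first, so the 48-digit recovery key
#    exists (and can be backed up) before the drive is ever locked.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 2. Back the key up: to Active Directory on a domain member (this call fails
#    on a standalone machine), and/or to a file kept off the machine, never on
#    the drive being encrypted.
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
$rp | Select-Object KeyProtectorId, RecoveryPassword |
      Out-File -FilePath 'E:\bitlocker-recovery-C.txt'   # placeholder: external drive

# 3. Encrypt the system drive; the TPM unlocks it automatically at boot.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmProtector -SkipHardwareTest

# 4. Portable USB media: BitLocker To Go with a password protector.
$usbPw = Read-Host -AsSecureString -Prompt 'USB drive password'
Enable-BitLocker -MountPoint 'F:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -PasswordProtector -Password $usbPw

# Individual files and folders instead of whole drives: EFS via cipher.exe
# (/e encrypts, /s: applies to the folder and everything under it).
cipher /e /s:"$env:USERPROFILE\Documents\Confidential"   # placeholder folder
```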
• Patch/update management
Always keep your systems patched and up to date. If deployment is managed automatically, configure your system to update accordingly and if it’s manual, do so regularly.
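Whether updates are deployed automatically or by hand, the machine should be checked regularly for how current it is. This is an added example, not part of the original notes; it reads the Windows Update Agent's last search and install dates and the automatic-update mode, lists the newest installed hotfixes, and flags the machine when the last install is older than an assumed 30-day threshold.

```powershell
# Added example (not from the original notes): a quick patch-currency check
# for a Windows machine. The 30-day threshold is an assumed value.

function Get-PatchStatus {
    param([int]$MaxDaysSinceInstall = 30)

    # Windows Update Agent COM object: the same data Settings > Windows Update shows.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $lastSearch  = $au.Results.LastSearchSuccessDate
    $lastInstall = $au.Results.LastInstallationSuccessDate
    # NotificationLevel: 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled installation (automatic).
    $mode = $au.Settings.NotificationLevel

    # Installed hotfixes, newest first (complements the WUA dates).
    $recent = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 5 HotFixID, Description, InstalledOn

    $days = if ($lastInstall) { (New-TimeSpan -Start $lastInstall -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        LastSearchSuccess  = $lastSearch
        LastInstallSuccess = $lastInstall
        DaysSinceInstall   = $days
        AutomaticUpdates   = ($mode -eq 4)
        NeedsAttention     = ($mode -ne 4) -or ($null -eq $days) -or ($days -gt $MaxDaysSinceInstall)
        RecentHotfixes     = $recent
    }
}

$status = Get-PatchStatus
$status | Format-List
if ($status.NeedsAttention) {
    Write-Warning 'Automatic updates are off or the last successful install is stale.'
}
```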