2.6 - Security Best Practices Flashcards

1
Q

Data encryption

A
  • Full-disk encryption
    – Encrypt data-at-rest
  • File system encryption
    – Individual files and folders
  • Removable media
    – Protect those USB flash drives
  • Key backups are critical
    – You always need to have a copy
    – This may be integrated into Active Directory
    (BitLocker recovery keys can be escrowed there)
    – Keep the recovery key accessible, but never only
    on the encrypted device itself
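The four bullets above are one procedure on a Windows workstation: encrypt the OS volume, encrypt individual folders, encrypt a USB drive, and back up the keys. The following PowerShell is an added example, not code from the original flashcards. It assumes an elevated PowerShell on a domain-joined machine with a TPM, a domain BitLocker policy that permits storing recovery information in AD DS, and the drive letters, folder and backup path shown (all assumptions).

```powershell
# Added example, not part of the original flashcards. Assumptions: elevated
# PowerShell, domain-joined machine with a TPM, a BitLocker GPO that allows
# AD DS recovery-key backup, drive letters C: (OS) and E: (USB), and the
# EFS folder and key-backup path below.

# --- Full-disk encryption of the OS volume ---------------------------------
# Bind the volume key to the TPM so the disk unlocks only in this machine.
# -SkipHardwareTest starts encrypting now instead of after a test reboot.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmProtector -SkipHardwareTest

# Add a recovery password as the fallback unlock method (do this before the
# next reboot; a TPM-only volume with no recovery key is unrecoverable if the
# TPM measurements change).
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector

# --- Key backup: escrow the recovery password in Active Directory ----------
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
# Keep a second copy somewhere that is not this encrypted disk
"Recovery password for $env:COMPUTERNAME C: is $($rp.RecoveryPassword)"

# --- File system encryption (EFS) for individual folders -------------------
$efsDir = "$env:USERPROFILE\Documents\Confidential"   # assumed folder
cipher /e "/s:$efsDir"
# Back up the EFS certificate and private key to a .pfx; without this backup
# the files are lost when the profile or certificate is gone.
cipher /x "C:\KeyBackup\$env:USERNAME-efs"

# --- Removable media: BitLocker To Go with a password ----------------------
$usbPw = Read-Host -AsSecureString -Prompt 'Password for the USB drive'
Enable-BitLocker -MountPoint 'E:' -PasswordProtector -Password $usbPw -UsedSpaceOnly

# --- Verify: expect ProtectionStatus On for every encrypted volume ---------
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
```

`Backup-BitLockerKeyProtector` only writes the recovery password into the computer object in AD; the `cipher /x` backup and the printed recovery password still have to be stored somewhere an administrator can reach when the machine itself will not boot.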
2
Q

Password complexity and length

A
  • Make your password strong
    – Resist guessing or brute-force attack
  • Increase password entropy
    – No single words, no obvious passwords
    – Mix upper and lower case and use special characters
  • Stronger passwords are at least 8 characters
    – Longer is better: each added character multiplies
    the search space, which helps more than substitutions
    – Consider a phrase or set of words
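The entropy bullet above is a formula: for a randomly chosen password, bits = length × log2(pool size), and for a randomly chosen passphrase, bits = words × log2(word-list size). The following PowerShell is an added example, not from the original flashcards; it works the formula for a few constructed sample passwords and an assumed offline guessing rate of 10^10 guesses per second (the rate and the samples are assumptions).

```powershell
# Added example, not part of the original flashcards.
# Estimates entropy as length * log2(pool) for a character password and
# words * log2(listSize) for a passphrase. Both formulas assume the secret
# was chosen uniformly at random; a dictionary word with substitutions
# ("P@ssw0rd") is in every cracking rule set and is far weaker than shown.

function Get-PasswordEntropyBits {
    param([Parameter(Mandatory)][string]$Password)
    $pool = 0
    # -cmatch is case-sensitive; -match would let [a-z] match uppercase too
    if ($Password -cmatch '[a-z]')        { $pool += 26 }
    if ($Password -cmatch '[A-Z]')        { $pool += 26 }
    if ($Password -cmatch '[0-9]')        { $pool += 10 }
    if ($Password -cmatch '[^a-zA-Z0-9]') { $pool += 33 }   # printable ASCII symbols
    if ($pool -eq 0) { return 0 }
    return [math]::Round($Password.Length * [math]::Log($pool, 2), 1)
}

function Get-PassphraseEntropyBits {
    # 7776 is the size of a Diceware/EFF word list (6^5 words)
    param([Parameter(Mandatory)][int]$Words, [int]$ListSize = 7776)
    return [math]::Round($Words * [math]::Log($ListSize, 2), 1)
}

function Get-AverageCrackSeconds {
    # Assumed rate: 1e10 guesses/s (a GPU rig against a fast hash).
    # On average the attacker finds the password after half the space.
    param([Parameter(Mandatory)][double]$Bits, [double]$GuessesPerSecond = 1e10)
    return [math]::Pow(2, $Bits - 1) / $GuessesPerSecond
}

# Constructed sample inputs
foreach ($pw in 'password', 'P@ssw0rd', 'Tr0ub4dor&3', 'xQ7#mL9!vB2$') {
    $bits = Get-PasswordEntropyBits $pw
    '{0,-14} {1,5} bits  ~{2:E1} s to crack' -f $pw, $bits, (Get-AverageCrackSeconds $bits)
}
foreach ($n in 4, 6) {
    $bits = Get-PassphraseEntropyBits -Words $n
    '{0,-14} {1,5} bits  ~{2:E1} s to crack' -f "$n-word phrase", $bits, (Get-AverageCrackSeconds $bits)
}
```

The point the numbers make: an 8-character password drawn from all 95 printable characters (about 52.6 bits) and a 4-word random passphrase (about 51.7 bits) are roughly equal, and the passphrase is the one people can remember; six random words (about 77.5 bits) match a 12-character fully random password. The formula says nothing about passwords that are not random, which is why lockout and rate limiting still matter.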
3
Q

Password expiration and recovery

A
  • All passwords should expire
    – Change every 30 days, 60 days, 90 days
    – System remembers password history and
    requires unique passwords, so the old one
    cannot be reused
  • Critical systems might change more frequently
    – Every 15 days or every week
    – Caveat: current NIST guidance (SP 800-63B) drops
    scheduled rotation in favor of changing a password
    when compromise is suspected, because forced
    rotation pushes users toward predictable variants
  • The recovery process should not be trivial!
    – Some organizations have a very formal process
    – Verify identity before resetting; the reset path
    is the easiest way around a strong password
4
Q

Password best practices

A
  • Changing default usernames/passwords
    – All devices have defaults
    – There are many web sites that document these
  • BIOS/UEFI passwords
    – Supervisor/Administrator password:
    Prevent BIOS changes
    – User password: Prevent booting
  • Requiring passwords
    – Always require passwords
    – No blank passwords
    – No automated logins
5
Q

End-user best practices

A
  • Require a screensaver password
    – Integrate with login credentials
    – Can be administratively enforced
  • Does not require user intervention
    – Automatically locks after non-use or timeout
  • Secure critical hardware
    – Laptops can easily walk away
    – Lock them down (cable lock, locked office or cabinet)
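"Can be administratively enforced" means writing the policy registry values that Group Policy uses rather than the user's own preferences, so the user cannot switch the lock back off. The following PowerShell is an added example, not from the original flashcards; the 600-second timeout is an assumed value, and the machine-wide setting needs an elevated prompt.

```powershell
# Added example, not part of the original flashcards.
# Enforces a password-protected screensaver for the current user via the
# policy hive (overrides Settings), plus a machine-wide inactivity lock.
# Assumption: a 10-minute (600 s) idle timeout.

# Per-user policy keys: Group Policy "Personalization" writes these under
# HKCU\Software\Policies; Explorer honors them over the user's preferences.
$desk = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $desk -Force | Out-Null
Set-ItemProperty -Path $desk -Name ScreenSaveActive    -Value '1'    # screensaver on
Set-ItemProperty -Path $desk -Name ScreenSaverIsSecure -Value '1'    # require password
Set-ItemProperty -Path $desk -Name ScreenSaveTimeOut   -Value '600'  # idle seconds
Set-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE' -Value 'C:\Windows\System32\scrnsave.scr'

# Machine-wide: "Interactive logon: Machine inactivity limit" (Windows 8+).
# Locks the session after N idle seconds no matter what the user configures.
# Requires an elevated PowerShell.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $sys -Name InactivityTimeoutSecs -Value 600 -Type DWord

# Verify both settings
function Test-LockPolicy {
    $u = Get-ItemProperty -Path $desk -ErrorAction SilentlyContinue
    $m = Get-ItemProperty -Path $sys  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaverOn      = ($u.ScreenSaveActive -eq '1')
        PasswordRequired   = ($u.ScreenSaverIsSecure -eq '1')
        ScreenSaverTimeout = [int]$u.ScreenSaveTimeOut
        MachineTimeout     = [int]$m.InactivityTimeoutSecs
        Compliant          = ($u.ScreenSaverIsSecure -eq '1' -and [int]$m.InactivityTimeoutSecs -le 900)
    }
}
Test-LockPolicy

# "Or when you walk away": lock immediately from a script or shortcut
rundll32.exe user32.dll,LockWorkStation
```

The per-user policy values are read when the user logs on, so they take effect at the next logon; the machine inactivity limit applies to every session on the machine and is the setting to rely on where users have local administrator rights and could edit their own HKCU hive.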
6
Q

Securing PII and passwords

A
  • Personally identifiable information
    – Name, address, social security number, etc.
  • Control your input
    – Be aware of your surroundings
  • Use privacy filters
    – It’s amazing how well they work
  • Keep your monitor out of sight
    – Away from windows and hallways
7
Q

Account management

A
  • User permissions
    – Everyone isn’t an Administrator
    – Assign proper rights and permissions
    – This may be an involved audit
  • Assign rights based on groups
    – More difficult to manage per-user rights
    – Becomes more useful as you grow
  • Login time restrictions
    – Only login during working hours
    – Restrict after-hours activities
8
Q

Disabling unnecessary accounts

A
  • All operating systems include other accounts
    – Guest, root, mail, etc.
  • Not all accounts are necessary
    – Disable/remove the unnecessary
    – Disable the guest account
  • Disable interactive logins
    – Not all accounts need to login
  • Change the default usernames
    – User:admin Password:admin
    – Default credentials are published and are the
    first thing scanners try; a non-default username
    removes half of what a brute-force attack has to guess
9
Q

Locking the desktop

A
  • Failed password attempts
    – Should lock the account and/or reboot after
    a certain threshold
    – Stops online brute force attacks: an attacker
    gets only a handful of guesses per lockout window
    – Prefer a timed lockout over a permanent one so an
    attacker cannot lock legitimate users out on purpose
  • Automatically lock the system
    – After a certain amount of inactivity
    – Or when you walk away
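Card 3 (expiration and history) and the failed-attempts bullet of card 9 are both settings in the same local account policy, which `net accounts` reads and writes on a stand-alone Windows machine. The following PowerShell is an added example, not from the original flashcards; the chosen values (90-day maximum age, 24 remembered passwords, 5 attempts, 30-minute lockout) are assumptions, and domain-joined machines get these from Group Policy instead.

```powershell
# Added example, not part of the original flashcards.
# Assumptions: elevated PowerShell on a stand-alone machine; the numeric
# values are example choices, not a standard.

# The weak state on a fresh install, for comparison: maximum password age
# 42 days (or Unlimited), password history None, lockout threshold Never.
net accounts

# Card 3: expiration and history. /minpwage:1 stops a user from cycling
# through 24 changes in a minute to get back to the old password.
net accounts /maxpwage:90 /minpwage:1 /uniquepw:24 /minpwlen:12

# Card 9: lock after 5 failed attempts for 30 minutes; the failed-attempt
# counter resets after 30 minutes. A timed lockout limits the denial-of-
# service an attacker can cause by deliberately failing logins.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Read the policy back into an object so a compliance check can assert on it
function Get-LocalAccountPolicy {
    $policy = @{}
    net accounts | ForEach-Object {
        if ($_ -match '^(.+?):\s+(.+)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        MaxPasswordAgeDays = $policy['Maximum password age (days)']
        PasswordHistory    = $policy['Length of password history maintained']
        LockoutThreshold   = $policy['Lockout threshold']
        LockoutMinutes     = $policy['Lockout duration (minutes)']
    }
}

function Test-LocalAccountPolicy {
    $p = Get-LocalAccountPolicy
    $lockoutOn = ($p.LockoutThreshold -ne 'Never') -and ([int]$p.LockoutThreshold -le 10)
    $historyOn = ($p.PasswordHistory -ne 'None')   -and ([int]$p.PasswordHistory -ge 12)
    [pscustomobject]@{ Policy = $p; LockoutCompliant = $lockoutOn; HistoryCompliant = $historyOn }
}
Test-LocalAccountPolicy
```

`net accounts` prints its values with English labels, so the parser above only works on an English-language system; on a domain member, read the effective policy with `Get-ADDefaultDomainPasswordPolicy` from the ActiveDirectory module instead.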
10
Q

AutoRun and AutoPlay

A
  • Disable AutoRun on older OSes
    – Windows XP and Vista run autorun.inf from
    removable drives automatically
    – Windows 7, 8/8.1, 10, and 11 no longer run
    autorun.inf from USB drives (only from optical media)
    – Can be disabled for every drive type through the
    registry (NoDriveTypeAutoRun) or Group Policy
  • Disable AutoPlay
    – Windows 11: Settings > Bluetooth & devices > AutoPlay
    – Windows 10: Settings > Devices > AutoPlay
  • Get the latest security patches
    – Updates to autorun.inf handling and AutoPlay
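The registry route mentioned above, as an added example that is not part of the original flashcards: it writes the values the "Turn off Autoplay" Group Policy and the Settings AutoPlay toggle use, then reads them back. It assumes an elevated PowerShell for the machine-wide policy key.

```powershell
# Added example, not part of the original flashcards. Assumption: elevated
# PowerShell (the HKLM policy key needs it); the HKCU value applies to the
# current user only.

# AutoRun: NoDriveTypeAutoRun is a bitmask of drive types to exclude.
# 0xFF excludes every type, which is what the "Turn off Autoplay: All drives"
# policy writes, so autorun.inf is never processed.
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPol -Force | Out-Null
Set-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# AutoPlay: the "Use AutoPlay for all media and devices" toggle in Settings
# stores its state here (1 = off)
$autoplay = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
New-Item -Path $autoplay -Force | Out-Null
Set-ItemProperty -Path $autoplay -Name DisableAutoplay -Value 1 -Type DWord

# Verify: expect NoDriveTypeAutoRun = 255 and DisableAutoplay = 1
function Test-AutoRunDisabled {
    $v = (Get-ItemProperty -Path $explorerPol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $a = (Get-ItemProperty -Path $autoplay    -ErrorAction SilentlyContinue).DisableAutoplay
    [pscustomobject]@{
        NoDriveTypeAutoRun = $v
        DisableAutoplay    = $a
        Compliant          = ($v -eq 0xFF -and $a -eq 1)
    }
}
Test-AutoRunDisabled
```

Explorer reads the policy value at logon, so sign out and back in (or run `gpupdate /force` where Group Policy manages the setting) before trusting the check; a USB drive inserted before that may still trigger the old behaviour.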