2.7 Given a scenario, implement security best practices to secure a workstation. Flashcards
• Password best practices
- Changing default usernames/passwords
  • All devices ship with default credentials
  • Many web sites document these defaults, so an unchanged default is effectively a public password
- BIOS/UEFI passwords
  • Supervisor/Administrator password: prevents changes to BIOS/UEFI settings
  • User password: prevents the machine from booting until it is entered
- Requiring passwords
  • Always require passwords
  • No blank passwords or automated logins
- Setting strong passwords
  • Password complexity and length: make the password strong
  • No single dictionary words
  • No obvious passwords (the name of your dog, a birthday, the company name)
  • Mix upper and lower case and use special characters
  • Don't just replace an o with a 0 or a t with a 7; password crackers try these substitutions automatically
  • A strong password is at least 8 characters, and longer is better; consider a phrase or set of words
  • Set password expiration and require changes; the system keeps a password history and requires each new password to be unique
- Password expiration
  • Password expiration and recovery: all passwords should expire
  • Change every 30, 60 or 90 days
  • Critical systems might change more frequently: every 15 days or every week
  • The recovery (reset) process should not be trivial! Some organizations have a very formal process that verifies identity before a reset is issued
  • Note that NIST SP 800-63B no longer recommends forced periodic rotation unless compromise is suspected; the exam objective still expects the intervals above
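The length, expiration and history rules above, applied to a standalone Windows workstation. This is an added example, not part of the original study notes; the numeric values (12 characters, 90 days, 24 remembered passwords) are assumptions chosen for illustration.

```powershell
# Added example, not from the original study notes: set and verify the local
# password policy on a standalone Windows workstation. Run from an elevated
# PowerShell prompt. The numeric values are assumptions chosen for illustration.

# Minimum length 12, expire after 90 days, earliest change after 1 day, and
# remember the last 24 passwords so none of them can be reused.
net accounts /minpwlen:12 /maxpwage:90 /minpwage:1 /uniquepw:24

# Complexity (mixed case, digits, symbols, no part of the user name) is the
# PasswordComplexity flag, which net accounts cannot set. Export the current
# security template, set the flag, and import it back with secedit.
$inf = Join-Path $env:TEMP 'pwpolicy.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
(Get-Content $inf) -replace '^PasswordComplexity\s*=.*$', 'PasswordComplexity = 1' |
    Set-Content $inf -Encoding Unicode      # secedit templates are UTF-16
secedit /configure /db (Join-Path $env:TEMP 'pwpolicy.sdb') /cfg $inf /areas SECURITYPOLICY | Out-Null

# Verify the effective policy. net accounts shows length, age and history;
# a fresh export shows whether the complexity flag actually took.
net accounts
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
Get-Content $inf |
    Select-String -Pattern '^(MinimumPasswordLength|MaximumPasswordAge|MinimumPasswordAge|PasswordHistorySize|PasswordComplexity)'
```

On a domain-joined machine the domain's Default Domain Policy overrides these local values, so check the output of `net accounts` rather than assuming the command took effect.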
- Screensaver required password / screensaver password lock
  • Require a screensaver password, integrated with the user's login credentials
  • Can be administratively enforced (Group Policy)
  • Automatically lock after a timeout to prevent unauthorized access
An unattended, unlocked session lets anyone at the keyboard act as the logged-in user. Enabling a screensaver password prevents this: the system activates the screensaver after 5-10 minutes of inactivity, and after that the session cannot be resumed without authenticating with the user's password.
- BIOS/UEFI passwords
BIOS/UEFI passwords are a fundamental line of defense for a PC that is unsupervised or in a physically accessible location. The firmware offers two forms of password protection: a User password and a Supervisor password.
The User password is required to boot the machine; it lets the user view but not change the BIOS/UEFI settings.
The Supervisor password is required to make changes in the BIOS/UEFI (boot order, Secure Boot, virtualization and so on).
On many desktops both passwords can be cleared by resetting the CMOS, so they deter casual tampering rather than an attacker with unrestricted access to the case.
- Requiring passwords
Organizations require passwords to access devices and data on their network. On a standalone machine the password requirements for all local accounts are set in Local Security Policy (secpol.msc) or the Local Group Policy Editor (gpedit.msc) under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy; on a domain member the domain policy overrides these local settings.
• Account management
In the Windows environment, accounts can be managed in several ways. In a business environment, Active Directory is used to manage both users and devices.
On a local machine, three options are available. Control Panel > User Accounts (or Settings > Accounts) can be used to add or delete users, change passwords, and elevate a standard user to an administrator or vice versa. Local Users and Groups (lusrmgr.msc, also under Computer Management) exposes the same operations plus group membership. Finally, the command line (net user, net localgroup, or the LocalAccounts PowerShell cmdlets) does the same and can be scripted.
- Restricting user permissions
The Principle of Least Privilege (PoLP) should always be observed when assigning or restricting user accounts: give the user the functionality their job description requires and nothing more. In practice this means a standard user account for daily work, with administrative rights held in a separate account that is used only when needed.
- Logon time restrictions
Restricting logon hours is a recommended way to block access outside normal business hours, when a stolen credential is most likely to be used unnoticed. Logon hours are set per user account, but the same schedule is usually applied to everyone in a role group, so review the group's membership to determine whether any member legitimately needs access outside normal business hours before applying the restriction.
- Disabling guest account
Windows ships with a default "Guest" account. Because its name is widely known, it is a standing target for attacks.
All members of the Guests group have privileges equivalent to the Guest account. In practice, it makes sense to disable the Guest account and to keep the Guests group empty.
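The local account tasks from this section (create a standard user, keep it out of Administrators, restrict logon hours, disable Guest, audit who is an administrator) as one PowerShell session. This is an added example, not from the original study notes; the account name jdoe and the 07:00-19:00 schedule are assumptions.

```powershell
# Added example, not from the original study notes: local account hygiene on a
# standalone workstation. Account name and schedule are assumptions. Run elevated.

# 1. Create a standard (non-administrator) user. Prompt for the password so it
#    never lands in shell history or a script file.
$pw = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString
New-LocalUser -Name 'jdoe' -Password $pw -FullName 'Jane Doe' -Description 'Help desk technician'
# New-LocalUser does not add the account to any group; without Users it cannot
# log on interactively. Users, not Administrators, is the least-privilege choice.
Add-LocalGroupMember -Group 'Users' -Member 'jdoe'

# 2. Restrict logon hours to weekdays 07:00-19:00. net user is the only built-in
#    local tool for this; the LocalAccounts module has no equivalent.
net user jdoe /times:M-F,07:00-19:00

# 3. Disable the built-in Guest account and confirm nothing else sits in Guests.
Disable-LocalUser -Name 'Guest'
Get-LocalGroupMember -Group 'Guests'

# 4. Audit: who is actually an administrator on this box? Anything beyond the
#    built-in Administrator and a known break-glass account should be removed.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass

# 5. Confirm Guest is disabled and the time restriction took effect.
Get-LocalUser -Name 'Guest' | Select-Object Name, Enabled
net user jdoe | Select-String -Pattern 'Logon hours allowed|Account active|Local Group Memberships'
```

Step 4 is the one worth running on every machine you inherit: `PrincipalSource` distinguishes local accounts from domain or Microsoft accounts that were added to the local Administrators group and forgotten.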
- Failed attempts lockout
Group Policy (Account Policies > Account Lockout Policy) lets an administrator set the number of incorrect password attempts before the account is locked. The administrator also sets the lockout duration and the window in which failed attempts are counted; a lockout duration of 0 means the account stays locked until an administrator unlocks it.
- Timeout/screen lock
The screensaver can be used to enforce a screen lock: open the Screen Saver Settings, set a wait time, and select "On resume, display logon screen". The same settings can be pushed by Group Policy so users cannot turn them off.
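The screensaver lock described here and under "Screensaver required password" above, set both as a per-user preference and as an enforced policy value. This is an added example, not from the original study notes; the registry paths and value names are the real ones Windows uses, while the 600-second timeout is an assumption.

```powershell
# Added example, not from the original study notes: enforce a password-
# protected screen saver lock with a 10-minute timeout. The two registry
# locations are real; the 600-second value is an assumption.

# Per-user preference, i.e. what the Screen Saver Settings dialog writes.
# A user can change these back, so they only suit an unmanaged machine.
$userKey = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $userKey -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $userKey -Name 'ScreenSaverIsSecure' -Value '1'    # "On resume, display logon screen"
Set-ItemProperty -Path $userKey -Name 'ScreenSaveTimeOut'   -Value '600'  # seconds of inactivity
Set-ItemProperty -Path $userKey -Name 'SCRNSAVE.EXE'        -Value "$env:SystemRoot\System32\scrnsave.scr"

# Administratively enforced version: the same values under the Policies hive,
# which Group Policy writes and the user cannot override from the Control Panel.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $policyKey -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $policyKey -Name 'ScreenSaveTimeOut'   -Value '600'

# Check the effective settings: policy values win over preferences when present.
foreach ($key in $userKey, $policyKey) {
    Get-ItemProperty -Path $key -Name ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Key'; e = { $key } }, ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut
}
```

The preference values are read at logon, so test with a fresh session rather than expecting the lock to change immediately. In a managed environment the policy half corresponds to User Configuration > Administrative Templates > Control Panel > Personalization ("Enable screen saver", "Password protect the screen saver", "Screen saver timeout"), which is the supported way to deploy it.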
- User account/password lockouts
Failed-attempt lockout is a very common reason users are locked out of their accounts. Several incorrect login attempts lock the account, and unless the lockout duration is set to expire, an administrator has to unlock it. If the user is sure they know the password and were locked out by accident, the cause is often Num Lock or Caps Lock, or a stale saved credential on another device retrying in the background. In Active Directory Users and Computers the account is unlocked from the Account tab of the user's Properties (the "Unlock account" check box).
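The lockout policy from "Failed attempts lockout" and the unlock procedure above, worked as a ticket: set the policy, confirm the account is really locked, find where the failures came from, then unlock. This is an added example, not from the original study notes; the threshold, window and duration are assumptions and the account name jdoe is hypothetical.

```powershell
# Added example, not from the original study notes: configure the failed-
# attempt lockout policy, then work a "locked out" ticket. The threshold,
# window and duration are assumptions; the account name jdoe is hypothetical.

# Lock after 5 bad passwords inside a 15-minute window; stay locked 30 minutes.
# (Standalone workstation; on a domain member the domain policy wins.)
net accounts /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:30

# 1. Is the account really locked, or disabled/expired? 'Account active'
#    reads Locked, Yes or No.
net user jdoe | Select-String -Pattern 'Account active|Account expires|Password expires'

# 2. Where did the failures come from? With account-management and logon
#    auditing enabled, event 4740 records the lockout and names the caller
#    computer, and each 4625 records a failed logon. A burst of 4625 from the
#    user's own workstation right before the 4740 is usually Caps Lock / Num
#    Lock or a stale saved credential; failures from somewhere else are not.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4625; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'jdoe' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } }

# 3. Unlock only once the source of the failures is explained.
#    Local account: clearing the lock is done by re-activating the account.
net user jdoe /active:yes

#    Domain account (ActiveDirectory module). Search-ADAccount lists every
#    locked account in the domain, which is the quick check for a password
#    spray hitting many users at once rather than one user's typo.
# Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
# Unlock-ADAccount -Identity jdoe
```

Skipping step 2 and unlocking straight away is how a brute-force attempt gets a second chance; the 4740 event's caller computer name is the one field to read before clearing the lock.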
- Basic Active Directory functions
Active Directory (AD) describes a collection of services and related databases in Windows Server that control access to domains and the activities permitted within them.
Windows Server ships five Active Directory services (Domain Services, Lightweight Directory Services, Certificate Services, Federation Services and Rights Management Services). AD Domain Services holds the directory itself and organizes it hierarchically from the top down.
At the top is the forest, which contains every resource of a particular entity, such as a company or school. A forest holds one or more domains, and each domain is subdivided into organizational units (OUs) that contain the user, group and computer objects and to which Group Policy is linked.
- Account creation
Computer and user accounts are created and deleted with the Active Directory Users and Computers snap-in, found on the Server Manager Tools menu. A new user account is created by right-clicking the Users container (or the appropriate OU) in the left pane and choosing New > User; the wizard asks for the name, logon name and initial password, and lets you require a password change at first logon.
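The same New > User procedure done from PowerShell, which is how it is scripted once there is more than a handful of accounts. This is an added example, not from the original study notes; it needs the ActiveDirectory module (RSAT), and the OU, domain, role group, computer name and user details are assumptions.

```powershell
# Added example, not from the original study notes: the ADUC "New > User"
# procedure done with the ActiveDirectory module (RSAT). The OU, domain,
# group, computer name and user details are assumptions.
Import-Module ActiveDirectory

$ou   = 'OU=Staff,DC=corp,DC=example'      # hypothetical container
$role = 'HelpDesk-Technicians'             # hypothetical role group
$pw   = Read-Host -Prompt 'Initial password for jdoe' -AsSecureString

New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName 'jdoe@corp.example' -GivenName 'Jane' -Surname 'Doe' `
    -Path $ou -AccountPassword $pw -Enabled $true `
    -ChangePasswordAtLogon $true           # the initial password is only for first logon

# Least privilege: the role group that grants what the job needs, and nothing else.
Add-ADGroupMember -Identity $role -Members 'jdoe'

# Computer accounts are created the same way, into the OU whose Group Policy
# (screen lock, password rules) the workstation should receive.
New-ADComputer -Name 'WS-0042' -Path 'OU=Workstations,DC=corp,DC=example' -Enabled $true

# Verify: right OU, enabled, must change password, and exactly the expected groups.
Get-ADUser -Identity 'jdoe' -Properties MemberOf, PasswordExpired, PasswordLastSet |
    Select-Object DistinguishedName, Enabled, PasswordExpired, PasswordLastSet,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } }

# Offboarding is the mirror image: disable first, delete later, so the SID and
# its audit trail survive while the account is reviewed.
# Disable-ADAccount -Identity 'jdoe'
# Remove-ADUser -Identity 'jdoe' -Confirm:$false
```

The `-Path` argument is the step people skip in the GUI by right-clicking the default Users container; objects left there receive no OU-linked Group Policy, so the workstation settings from earlier in this section never reach them.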