Lesson 8 A Configure Workstation Security Flashcards

1
Q

Password Rules

A

The following rules are easy for users to apply and make passwords more difficult to crack:

  • Make the password sufficiently long—12+ character length is suitable for an ordinary user account. Administrative accounts should have longer passwords.
  • Choose a memorable phrase, but do not use any personal information—Anything that a threat actor could discover or guess should not be used in a password. This includes things such as significant dates, family names, username, job title, company name, pet name, quotations, and song lyrics.
    Some password policies impose complexity requirements beyond minimum length. Rules might specify that the password must contain a given mix of character types: uppercase and lowercase letters, numbers, and symbols. A password policy may have an expiration requirement, which means that the user must change the password after a set period.
    Character complexity and expiration are deprecated by some standards bodies. These rules can make it harder for users to select good passwords and encourage poor practice, such as writing the password down.
2
Q

BIOS/UEFI Passwords

A

A system user password is one that is required before any operating system can boot. The system password can be configured by the basic input/output system (BIOS) or unified extensible firmware interface (UEFI) setup program. This type of firmware-configured password is shared by all users and consequently is very rarely used. It might be used to provide extra security on a standalone computer that does not often require interactive logon, such as a computer used to manage embedded systems. A PC with UEFI firmware may support pre-boot authentication. This means that the system loads an authentication application to contact an authentication server on the network and allows the user to submit the credentials for a particular account.

3
Q

Good password practice should be supplemented with secure use of the workstation. Some key principles are as follows:

A

  • Log off when not in use—A lunchtime attack is where a threat actor is able to access a computer that has been left unlocked. Policies can configure screensavers that lock the desktop after a period of inactivity. Users should not depend on these, however. In Windows, START+L locks the desktop. Users must develop the habit of doing this each time they leave a computer unattended.
  • Secure/protect critical hardware (such as laptops)—Users must also be alert to the risk of physical theft of devices. Portable computers can be secured to a desk using a cable lock. When in public, users must keep laptop cases in sight.
  • Secure personally identifiable information (PII) and passwords—Paper copies of personal and confidential data must not be left where they could be read or stolen. A clean desk policy ensures that all such information is not left in plain sight. Also, this type of information should not be entered into unprotected plain text files, word processing documents, or spreadsheets.

4
Q

Account management policies are used

A

to determine what rights and privileges each employee should be assigned. These policies should be guided by the principle of least privilege.

5
Q

An OS’s access control system assigns two types of permissions to a user account:

A
  • File permissions control whether a user can read or modify a data file or folder, either on the local PC or across the network. Configuring file permissions is the responsibility of the data owner or file server administrator.
  • Rights or privileges control what system configuration changes a user can make to a PC. Configuring rights is the responsibility of the network owner.
    Some networks have complex requirements for assigning rights, but the basic principle is that the number of accounts with administrator/superuser privileges should be as few as possible. These highly privileged accounts should be further protected by features such as UAC and sudo. For both file permissions and rights, a system of least privilege will be most effective in reducing risk.
6
Q

Change Default Administrator Account and Password

A

The root or superuser in Linux or the Administrator user account in Windows is the default system owner. These default accounts have no practical limitations and consequently are the ultimate target for threat actors. In many cases, these default accounts are disabled during the OS installation and their privileges exercised by named administrator accounts using tools such as UAC and sudo.

If the default administrator account cannot be disabled, it must never be left configured with a default password. The new password must be treated with the highest level of security available. Ideally, the password should be known by a limited number of people. Sharing administrative passwords is a security risk.

Any use of the default administrator account must be logged and accounted for. Using this account for sign-in should be an unusual event that generates an alert.

7
Q

Disable Guest Account

A

A guest account allows unauthenticated access to the computer and may provide some sort of network access too. In current versions of Windows, the Guest account is disabled by default and cannot be used to sign in. It is only enabled to facilitate passwordless file sharing in a Windows workgroup. You should monitor other operating systems and features such as guest Wi-Fi and disable them if they do not comply with security policies.

8
Q

Restrict login times

A

This is typically used to prevent an account from logging in at an unusual time of the day or night or during the weekend. Periodically, the server checks whether the user has the right to continue using the network. If the user does not have the right, then an automatic logout procedure commences.

9
Q

Failed attempts lockout

A

This specifies a maximum number of incorrect sign-in attempts within a certain period. Once the maximum number of incorrect attempts has been reached, the account will be disabled. This mitigates the risk of threat actors gaining system access using lists of possible passwords.

10
Q

Concurrent logins

A

This sets a limit to the number of simultaneous sessions a user can open. Most users should only need to sign in to one computer at a time, so this sort of policy can help to prevent or detect misuse of an account.

11
Q

Use timeout/screen lock

A

This locks the desktop if the system detects no user-input device activity. This is a sensible, additional layer of protection. However, users should not rely on this and must lock the computer manually when leaving it unattended.

12
Q

If a user account violates a security policy, such as an incorrect password being entered repeatedly,

A

it may be locked against further use. The account will be inaccessible until it is unlocked by setting the option in the Properties dialog box on the Account tab.

13
Q

If a user forgets a password

A

you can reset it by right-clicking the account and selecting Reset Password.

14
Q

Execution control

A

Authentication and authorization policies give subjects the right to sign on to a computer and network and (potentially) to make changes to the system configuration. This places a certain amount of trust in the user to exercise those rights responsibly. Users can act maliciously, though, or could be tricked into an adverse action. Execution control refers to logical security technologies designed to prevent malicious software from running on a host regardless of what the user account privileges allow. Execution control can establish a security system that does not entirely depend on the good behavior of individual users.

15
Q

Trusted/Untrusted Software Sources

A

To prevent the spread of malware such as Trojans, it is necessary to restrict the ability of users to run unapproved program code, especially code that can modify the OS, such as an application installer. Windows uses the system of Administrator and Standard user accounts, along with User Account Control (UAC) and system policies, to enforce these restrictions.

Developers of Windows applications can use digital certificates to perform code signing and prove the authenticity and integrity of an installer package. Linux also prompts when you attempt to install untrusted software. Software is signed with a cryptographic key, and the package manager needs the repository's public key to verify and install the software. When prompted that you are installing untrusted software, you can either respond that you want to install it anyway or cancel the installation.

Mobile OS vendors use this “walled garden” model of software distribution as well. Apps are distributed from an approved store, such as Apple’s App Store or the Windows Store. The vendor’s store policies and procedures are supposed to prevent any Trojan-like apps from being published.

There are also third-party network management suites to enforce application control. This means configuring blocklists of unapproved software (allowing anything else) or allowlists of approved software (denying anything else).

16
Q

AutoRun and AutoPlay

A

One of the problems with legacy versions of Windows is that when an optical disc is inserted or a USB drive is attached, Windows would automatically run commands defined in an autorun.inf file stored in the root of the drive. A typical autorun.inf would define an icon for a disk and the path to a setup file. This could lead to malware being able to install itself automatically.

In modern versions of Windows, an AutoPlay dialog box is shown, prompting the user to take a particular action. AutoPlay settings can be configured via a drive’s property dialog box. Also, UAC will require the user to explicitly allow any executable code to run. There is a Windows Settings page to configure default AutoPlay actions.

17
Q

Even with UAC and execution control, there are still plenty of ways for malware to install onto a PC

A

A program might use particularly effective social engineering techniques to persuade the user to bypass the normal checks. The malware might exploit a vulnerability to execute without explicit consent. Malware might also not need to install itself to achieve threat-actor objectives, such as exfiltrating data, weakening the system configuration, or snooping around the network.

18
Q

Antivirus (A-V)

A

is software that can detect malware and prevent it from executing. The primary means of detection is to use a database of known virus patterns called definitions, signatures, or patterns. Another technique is to use heuristic identification. “Heuristic” means that the software uses knowledge of the sort of things that viruses do to try to spot (and block) virus-like behavior. Most antivirus software is better described as anti-malware, as it can detect software threats that are not technically virus-like, including spyware, Trojans, rootkits, ransomware, and cryptominers.

19
Q

Windows Defender Antivirus

A

The broad range of threats posed by different types of malware and vulnerability exploits means that an anti-malware software solution is a critical component of workstation security. Windows Defender Antivirus is a core component of all Windows editions. Windows Defender Antivirus is managed via the Windows Security Center.

20
Q

Windows Defender Antivirus Updated Definitions
It is particularly important that antivirus software be updated regularly. Two types of updates are generally necessary:

A

  • Definition/pattern updates are information about new viruses or malware. These updates may be made available daily or even hourly.
  • Scan engine/component updates fix problems or make improvements to the scan software itself.

For Windows Defender Antivirus, these definitions and patches are delivered via Windows Update. Third-party software might also integrate its updates with Windows Update, or it might use its own updater.

21
Q

Activating and Deactivating Windows Defender Antivirus

A

The nature of malware means that there should be no simple means of deactivating an antivirus product, or the malware could easily circumvent it. Defender Antivirus can be disabled temporarily by toggling the Real-time protection button. It will re-activate itself after a short period.

If a third-party antivirus product is installed, it will replace Windows Defender Antivirus. It can also be permanently disabled via group policy.

It might be necessary to exclude folders from scanning. For example, scanning the disk images of virtual machines can cause performance problems. Also, some legitimate software or development code can trigger false-positive alerts. Folders containing this type of data can be excluded from scanning.

It is important to check the status of the antivirus product regularly to ensure that it is activated and up to date.

22
Q

WINDOWS DEFENDER FIREWALL

A

Where the antivirus product protects against threats in the file system, Windows Defender Firewall implements a personal/host firewall to filter inbound and outbound network traffic. The basic Settings app interface allows you to activate or deactivate the firewall for a given network profile and to add exceptions that allow a process to accept inbound connections.

The Windows Defender Firewall with Advanced Security console allows configuration of custom inbound and outbound filtering rules. For each profile type, the default inbound and outbound policy can be set to block or allow. Each rule can be configured as a block or allow action to override the default policy for trigger ports, applications, and/or addresses:

23
Q

Port security triggers

A

are based on the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number used by the application protocol. For example, blocking TCP/80 prevents clients from connecting to the default port for a web server.

24
Q

Application security

A

triggers are based on the process that listens for connections.

25
Q

Address triggers

A

are based on the IP or FQDN of the server or client hosts.

26
Q

The Advanced Firewall can be configured through

A

group policy on a domain. On a standalone PC or workgroup, open the wf.msc management console. On the status page, you can click Windows Defender Firewall properties to configure each profile. The firewall can be turned on or off, and you can switch the default policy for inbound and outbound traffic between Block and Allow.

From the main Advanced Firewall console, you enable, disable, and configure rules by selecting in the Inbound Rules or Outbound Rules folder as appropriate.

27
Q

When data is hosted on a file system, it can be protected by

A

the operating system’s security model. Each file or folder can be configured with an access control list (ACL), describing the permissions that principals have on the file. These permissions are enforced only when the OS mediates access to the device. If the disk is exposed to a different OS, the permissions could be overridden. Data on persistent storage—HDDs, SSDs, and thumb drives—is referred to as data-at-rest. To protect data-at-rest against these risks, the information stored on a disk can be encrypted.

28
Q

Encrypting File System (EFS)

A

One approach to protecting file system data is to apply encryption to individual files or folders. The Encrypting File System (EFS) feature of NTFS supports file and folder encryption. EFS is not available in the Home edition of Windows.

To apply encryption, open the file’s or folder’s property sheet and select the Advanced button. Check the Encrypt contents box, then confirm the dialogs.

Folders and files that have been encrypted can be shown with green color coding in Explorer. Any user other than the one who encrypted the file will receive an “Access Denied” error when trying to browse, copy, or print the file.

Without strong authentication, encrypted data is only as secure as the user account password. If the password can be compromised, then so can the data. The user’s password grants access to the key that performs the file encryption and decryption. There is also the chance of data loss if the key is lost or damaged. This can happen if the user’s profile is damaged, if the user’s password is reset by an administrator, or if Windows is reinstalled. It is possible to back up the key or (on a Windows domain) to set up recovery agents with the ability to decrypt data.

29
Q

full disk encryption (FDE)

A

An alternative to file encryption is to use a full disk encryption (FDE) product. The Windows BitLocker disk encryption product is available with all editions of Windows except for the Home edition.

Full disk encryption carries a processing overhead, but modern computers usually have processing capacity to spare. The main advantage is that it does not depend on the user to remember to encrypt data. Disk encryption also encrypts the swap file, print queues, temporary files, and so on.

BitLocker can be used with any volumes on fixed (internal) drives. It can also be used with removable drives in its BitLocker To Go form.

When the data is encrypted, the user must have access to the encryption key to access it. BitLocker can make use of a trusted platform module (TPM) chip in the computer to tie use of a fixed disk to a particular motherboard. The TPM is used as a secure means of storing the encryption key and to ensure the integrity of the OS used to boot the machine. Alternatively, the key could be stored on a removable smart card or on a USB stick. The computer’s firmware must support booting from USB for the last option to work.

During BitLocker setup, a recovery key is also generated. This should be stored on removable media (or written down) and stored securely (and separately from the computer). This key can be used to recover the encrypted drive if the startup key is lost.