Lesson 8 A Configure Workstation Security Flashcards
Password Rules
The following rules are easy for users to apply and make passwords more difficult to crack:
- Make the password sufficiently long—12+ character length is suitable for an ordinary user account. Administrative accounts should have longer passwords.
- Choose a memorable phrase, but do not use any personal information—Anything that a threat actor could discover or guess should not be used in a password. This includes things such as significant dates, family names, username, job title, company name, pet name, quotations, and song lyrics.
Some password policies impose complexity requirements beyond minimum length. Rules might specify that the password must contain a given mix of character types: uppercase and lowercase letters, numbers, and symbols. A password policy may have an expiration requirement , which means that the user must change the password after a set period.
Character complexity and expiration are deprecated by some standards bodies. These rules can make it harder for users to select good passwords and encourage poor practice, such as writing the password down.
BIOS/UEFI Passwords
A system user password is one that is required before any operating system can boot. The system password can be configured by the basic input/output system (BIOS ) or unified extensible firmware interface (UEFI) setup program. This type of firmware-configured password is shared by all users and consequently is very rarely used. It might be used to provide extra security on a standalone computer that does not often require interactive logon, such as a computer used to manage embedded systems. A PC with UEFI firmware may support pre-boot authentication. This means that the system loads an authentication application to contact an authentication server on the network and allows the user to submit the credentials for a particular account.
Good password practice should be supplemented with secure use of the workstation. Some key principles are as follows:
Log off when not in use—A lunchtime attack is where a threat actor is able to access a computer that has been left unlocked. Policies can configure screensavers that lock the desktop after a period of inactivity. Users should not depend on these, however. In Windows, START+L locks the desktop. Users must develop the habit of doing this each time they leave a computer unattended.
Secure/protect critical hardware (such as laptops)—Users must also be alert to the risk of physical theft of devices. Portable computers can be secured to a desk using a cable lock. When in public, users must keep laptop cases in sight.
Secure personally identifiable information (PII) and passwords—Paper copies of personal and confidential data must not be left where they could be read or stolen. A clean desk policy ensures that all such information is not left in plain sight. Also, this type of information should not be entered into unprotected plain text files, word processing documents, or spreadsheets.
Account management policies are used
to determine what rights and privileges each employee should be assigned. These policies should be guided by the principle of least privilege.
An OS’s access control system assigns two types of permissions to a user account:
- File permissions control whether a user can read or modify a data file or folder, either on the local PC or across the network. Configuring file permissions is the responsibility of the data owner or file server administrator.
- Rights or privileges control what system configuration changes a user can make to a PC. Configuring rights is the responsibility of the network owner.
Some networks have complex requirements for assigning rights, but the basic principle is that the number of accounts with administrator/superuser privileges should be as few as possible. These highly privileged accounts should be further protected by features such as UAC and sudo. For both file permissions and rights, a system of least privilege will be most effective in reducing risk.
Change Default Administrator Account and Password
The root or superuser in Linux or the Administrator user account in Windows is the default system owner. These default accounts have no practical limitations and consequently are the ultimate target for threat actors. In many cases, these default accounts are disabled during the OS installation and their privileges exercised by named administrator accounts using tools such as UAC and sudo.
If the default administrator account cannot be disabled, it must never be left configured with a default password. The new password must be treated with highest level of security available. Ideally, the password should be known by a limited number of people. Sharing administrative passwords is a security risk.
Any use of the default administrator account must be logged and accounted for. Using this account for sign-in should be an unusual event that generates an alert.
Disable Guest Account
A guest account allows unauthenticated access to the computer and may provide some sort of network access too. In current versions of Windows, the Guest account is disabled by default and cannot be used to sign-in. It is only enabled to facilitate passwordless file sharing in a Windows workgroup. You should monitor other operating systems and features such as guest Wi-Fi and disable them if they do not comply with security policies.
Restrict login times
This is typically used to prevent an account from logging in at an unusual time of the day or night or during the weekend. Periodically, the server checks whether the user has the right to continue using the network. If the user does not have the right, then an automatic logout procedure commences.
Failed attempts lockout
This specifies a maximum number of incorrect sign-in attempts within a certain period. Once the maximum number of incorrect attempts has been reached, the account will be disabled. This mitigates the risk of threat actors gaining system access using lists of possible passwords.
Concurrent logins
This sets a limit to the number of simultaneous sessions a user can open. Most users should only need to sign-in to one computer at a time, so this sort of policy can help to prevent or detect misuse of an account.
Use timeout/screen lock
This locks the desktop if the system detects no user-input device activity. This is a sensible, additional layer of protection. However, users should not rely on this and must lock the computer manually when leaving it unattended
If a user account violates a security policy, such as an incorrect password being entered repeatedly,
it may be locked against further use. The account will be inaccessible until it is unlocked by setting the option in the Properties dialog box on the Account tab.
If a user forgets a password
you can reset it by right-clicking the account and selecting Reset Password.
Execution control
Authentication and authorization policies give subjects the right to sign-on to a computer and network and (potentially) to make changes to the system configuration. This places a certain amount of trust in the user to exercise those rights responsibly. Users can act maliciously, though, or could be tricked into an adverse action. Execution control refers to logical security technologies designed to prevent malicious software from running on a host regardless of what the user account privileges allow. Execution control can establish a security system that does not entirely depend on the good behavior of individual users.
Trusted/Untrusted Software Sources
To prevent the spread of malware such as Trojans, it is necessary to restrict the ability of users to run unapproved program code, especially code that can modify the OS, such as an application installer. Windows uses the system of Administrator and Standard user accounts, along with User Account Control (UAC) and system policies, to enforce these restrictions.
Developers of Windows applications can use digital certificates to perform code signing and prove the authenticity and integrity of an installer package. Linux also prompts when you attempt to install untrusted software. Software is signed with a cryptographic key. Packages need the public key for the repository to install the software. When prompted that you are installing untrusted software, you can either respond that you want to install it anyway or cancel the installation.
Mobile OS vendors use this “walled garden” model of software distribution as well. Apps are distributed from an approved store, such as Apple’s App Store or the Windows Store. The vendor’s store policies and procedures are supposed to prevent any Trojan-like apps from being published.
There are also third-party network management suites to enforce application control. This means configuring blocklists of unapproved software (allowing anything else) or allowlists of approved software (denying anything else).
AutoRun and AutoPlay
One of the problems with legacy versions of Windows is that when an optical disc is inserted or a USB drive is attached, Windows would automatically run commands defined in an autorun.inf file stored in the root of the drive. A typical autorun.inf would define an icon for a disk and the path to a setup file. This could lead to malware being able to install itself automatically.
In modern versions of Windows, an AutoPlay dialog box is shown, prompting the user to take a particular action. AutoPlay settings can be configured via a drive’s property dialog box. Also, UAC will require the user to explicitly allow any executable code to run. There is a Windows Settings page to configure default AutoPlay actions.
Even with UAC and execution control, there are still plenty of ways for malware to install onto a PC
A program might use particularly effective social engineering techniques to persuade the user to bypass the normal checks. The malware might exploit a vulnerability to execute without explicit consent. Malware might also not need to install itself to achieve threat-actor objectives, such as exfiltrating data, weakening the system configuration, or snooping around the network.
Antivirus (A-V)
is software that can detect malware and prevent it from executing. The primary means of detection is to use a database of known virus patterns called definitions, signatures, or patterns. Another technique is to use heuristic identification. “Heuristic” means that the software uses knowledge of the sort of things that viruses do to try to spot (and block) virus-like behavior. Most antivirus software is better described as anti-malware, as it can detect software threats that are not technically virus-like, including spyware, Trojans, rootkits, ransomware, and cryptominers.
Windows Defender Antivirus
The broad range of threats posed by different types of malware and vulnerability exploits means that an anti-malware software solution is a critical component of workstation security. Windows Defender Antivirus is a core component of all Windows editions. Windows Defender Antivirus is managed via the Windows Security Center.
Windows Defender Antivirus Updated Definitions
It is particularly important that antivirus software be updated regularly. Two types of updates are generally necessary:
Definition/pattern updates are information about new viruses or malware. These updates may be made available daily or even hourly.
Scan engine/component updates fix problems or make improvements to the scan software itself.
For Windows Defender Antivirus, these definitions and patches are delivered via Windows Update. Third-party software might also integrate its updates with Windows Update, or it might use its own updater.
Activating and Deactivating Windows Defender Antivirus
The nature of malware means that there should be no simple means of deactivating an antivirus product, or the malware could easily circumvent it. Defender Antivirus can be disabled temporarily by toggling the Real-time protection button. It will re-activate itself after a short period.
If a third-party antivirus product is installed, it will replace Windows Defender Antivirus. It can also be permanently disabled via group policy.
It might be necessary to exclude folders from scanning. For example, scanning the disk images of virtual machines can cause performance problems. Also, some legitimate software or development code can trigger false-positive alerts. Folders containing this type of data can be excluded from scanning.
It is important to check the status of the antivirus product regularly to ensure that it is activated and up to date.
WINDOWS DEFENDER FIREWALL
Where the antivirus product protects against threats in the file system, Windows Defender Firewall implements a personal/host firewall to filter inbound and outbound network traffic. The basic Settings app interface allows you to activate or deactivate the firewall for a given network profile and to add exceptions that allow a process to accept inbound connections.
The Windows Defender Firewall with Advanced Security console allows configuration of custom inbound and outbound filtering rules. For each profile type, the default inbound and outbound policy can be set to block or allow. Each rule can be configured as a block or allow action to override the default policy for trigger ports, applications, and/or addresses:
Port security triggers
are based on the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number used by the application protocol. For example, blocking TCP/80 prevents clients from connecting to the default port for a web server.
Application security
triggers are based on the process that listens for connections.
