Security Best Practices Flashcards

1
Q

Password Complexity & Length

A
  • Make your password long
  • Mix upper and lower case
  • Use special characters
  • Should be at least 8 characters
  • Set password expiration, require change
    • System remembers password history, requires unique passwords
2
Q

Password Expiration & Recovery

A
  • All passwords should expire
    • Change every 30, 60, or 90 days
  • Critical systems might change more frequently
    • Every 15 days or every week
  • The recovery process should not be trivial
    • Some organizations have a very formal process
3
Q

Desktop Security

A
  • Requires a screensaver password
    • Integrate with login credentials
    • Can be administratively enforced
    • Automatically lock after a timeout
  • Disable autorun
    • autorun.inf in Vista (not in Windows 7 or 8 / 8.1)
    • Disabled through registry
  • Consider changing Autoplay
    • Get the latest security patches
4
Q

Password Best Practices

A
  • Change default usernames / passwords
    • All devices have defaults
    • Many websites document these specifically
  • BIOS / UEFI Password
    • Supervisor / Administrator password: prevents BIOS changes
    • User password: prevents booting
  • Requiring passwords
    • Always require password
    • No blank passwords / no automated logins
5
Q

Restricting User Permissions

A
  • User permissions
    • Assign proper rights & permissions
    • This may be an involved audit
  • Assign rights based on groups
    • Rights are more difficult to manage per user
    • More useful as company grows
  • Login time restrictions
    • Only during working hours
    • Restrict after-hours activities
6
Q

Disabling Unnecessary Accounts

A
  • All operating systems include other accounts
    • guest, root, mail, etc.
  • Not all accounts are necessary
    • Disable / remove the unnecessary ones
    • Disable the guest account
  • Disable interactive logins
    • Not all accounts need to login
7
Q

Account Lockout & Disablement

A
  • Too many bad passwords will cause a lockout
    • Should be normal for most users
    • Can cause big issues for service accounts
  • Disable user accounts
    • Part of the normal change process
    • You don’t want to delete accounts
      - Not initially
8
Q

Data Encryption

A
  • Full-disk encryption
    • Encrypt the entire drive
  • File system encryption
    • Individual files and folders

-Removable media

  • Key backups are critical
    • Always need a copy / may be integrated into Active Directory
9
Q

Patch & Update Management

A
  • Keep OS & application updated
    • Security & stability improvements
  • Built into the Operating System
    • Updates are deployed as available
    • Deployment may be managed internally
  • Many applications include their own update mechanism
  • Always stay up to date