Security: configure a workstation to meet best practices for security. Flashcards

CompTIA A+ 220-1102 Exam Criteria

1
Q

What is Data-at-rest encryption?

A

Encrypting data at rest secures files and documents, ensuring that only those with the key can access them. The files are useless to anyone else. This prevents data leakage, unauthorized access, and physical theft—unless attackers manage to compromise the key management scheme and gain access to the key.

2
Q

What are the criteria you need to consider when you are applying Password Best Practices?

A

Requiring strong passwords

Setting password expiry

Changing any default passwords

Password managers

Centralized management and enforcement

3
Q

Where can we modify the password complexity and expiration requirements?

A

Local Security Policy > Account Policies > Password Policy

In the right details pane, notice that the Password must meet complexity requirements policy is Enabled. Double-click the policy to edit it.

4
Q

What are the minimum requirements for password complexity?

A

Must not contain parts of the user’s name or user ID

Must be at least 6 characters long

Must contain characters from at least three of the following categories: uppercase characters, lowercase characters, numbers, and special characters.

5
Q

What are the minimum requirements for password history?

A

You can set it to remember 24 unique passwords before a previous password can be reused.

6
Q

What is the minimum requirement for Maximum password age?

A

This setting specifies the period (in days) a password can be used before it expires. It can be set to any value from 1 to 999 days. If it is set to 0, the password never expires. You should set it to 40+ days, depending on your company policy.

7
Q

What is the minimum requirement for Minimum password age?

A

It should be set to at least 1 day. This setting specifies the number of days a password must be used before it can be changed.

8
Q

What is the minimum requirement for Minimum password length?

A

This setting specifies the minimum number of characters a password must contain. As a standard, passwords should be at least 8 characters long.

9
Q

How can you configure a supervisor password?

A

It must be configured in the UEFI/BIOS setup (there are many ways to get into BIOS/UEFI).

The easiest way is via System > Recovery > Advanced startup > Restart now.

Once in the BIOS, go to the Security tab or Administrator section and enter the password.

Alternatively, open a Command Prompt (run as administrator) and run: shutdown /r /fw

10
Q

How do you use failed attempt lockout?

A

Passwords can be cracked with attacks such as brute-force attacks. To stop someone from repeatedly attempting to guess passwords, whether manually or with a script, failed attempt lockouts can be used.

Local Security Policy > Account Policies > Account Lockout Policy > Double-click the Account lockout threshold policy.

The Account lockout duration and Reset account lockout counter after settings will be enabled automatically. The timer is set to 30 minutes by default.

11
Q

What are the best practices for securing end-user devices and data?

A

Enable screensavers and screen locks

Encrypt drives with BitLocker

BIOS/UEFI password management

12
Q

Why would we enable screensavers and screen locks?

A

A major security concern is leaving computers unlocked while a user is away from the system. This is the perfect time for what is known as a lunchtime attack. This attack involves accessing a user’s computer while they are away to access resources they would otherwise not have access to.

Whenever users are away from the system and not using it, the computer should be password protected. Automatic locking of the PC should be set to occur after a few minutes of inactivity. To manually lock the screen, press the Windows key + L. Screensavers can also be enabled with password protection.

13
Q

How can you configure a screensaver and screen lock?

A

Right-click the desktop and select Personalize from the context menu that appears.

In the Settings - Personalization pane, scroll down and select Lock screen.

Scroll down and select Screen timeout > click the Allow my screen to turn off link > click Screen and sleep.

Look through the options.

14
Q

What is the purpose of encrypting a drive with BitLocker?

A

Data security should be a top priority for any organization. Customers’ data is valuable to businesses, and it must be safeguarded. Data types that must be securely stored include Personally Identifiable Information (PII), Personal Health Information (PHI), and Payment Card Industry (PCI) data. Government standards are enforced to ensure that this type of data is secured to a certain level.

15
Q

What does PII entail?

A
PII - This information can be broken down into two categories:

Sensitive PII

Full name
Social Security number
Driver’s license number
Address
Credit card information
Passport information

Non-sensitive PII

Race
Gender
ZIP code
Date of birth
Birthplace
Religion

16
Q

What does PHI entail?

A

PHI - Below are the types of data that fall into this category:

Names of patients
Addresses, cities, counties, precincts, and ZIP codes
Dates that directly relate to an individual (other than the year alone), such as their date of birth
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
License numbers
Vehicle identification numbers
Device identification numbers
URLs
IP addresses
Biometric identifiers such as fingerprints
Full-face photographs
Any other unique identification numbers, codes, or characteristics that could be used to identify a person, such as passport numbers

17
Q

What does PCI entail?

A
PCI - This data pertains to the payment card industry. All payment card account data needs to be protected, and the following elements in particular must be protected:

Primary account numbers
The 3-digit security code on the card
The “Full Track Data” stored in the chip or magnetic stripe of the card
The PIN of the cardholder
The name of the cardholder
The expiration date of the card

Below are recommended ways to help ensure that data stays protected:

Installing and maintaining firewalls
Putting secure password protection in place
Protecting stored PII, PCI, and PHI data
Encrypting cardholder data transmitted between parties
Keeping antivirus software up to date
Keeping systems and applications secure
Limiting access to PII, PCI, and PHI data to only secure, compliant businesses that require it
Giving those who have access to the data unique IDs
Restricting physical access to PII, PCI, and PHI data
Keeping track of who has access to network resources
Routinely testing security systems
Developing a written information security policy that applies to all personnel

18
Q

What is the purpose of the Administrator account?

A

Administrator Account

The Administrator is a user account that exists on every Windows computer. During the Windows installation process, the Administrator account is the first to be created. The Administrator has full access to the files, directories, services, and other resources on the local computer.

An Administrator can create new local users, assign user rights, and assign permissions. They can also take control of local resources at any time by changing the user rights and permissions. The default Administrator account cannot be deleted or locked out; however, it can be renamed or disabled.

19
Q

How can I view the properties of the Administrator account?

A

Right-click Start > Computer Management > Local Users and Groups > double-click Users in the center pane (all available accounts are listed) > right-click Administrator > select Properties > General tab.

Select the Member Of tab. On the Administrator Properties - Member Of tab, users can be added to or removed from the Administrators group by clicking the Add or Remove buttons.

The Administrator Properties - Profile tab allows you to set the path to the user profile, a logon script to execute, and the mapping of the home folder.

20
Q

Why do we need to disable the Guest account?

A

The Guest account is disabled by default during installation. The Guest account enables infrequent or one-time users who do not have an account on the computer to sign in with restricted user rights to the local server or client computer.

By default, the Guest account has a blank password. Because it allows for anonymous access, the Guest account poses a security risk. As a result, it is best practice to leave the Guest account disabled unless absolutely necessary. Public kiosks in a lobby would be a typical use for the Guest account.

21
Q

How can I access and change settings in Group Policy to restrict permissions?

A

Server Manager > Tools > Group Policy Management

In the Group Policy Management window, right-click Practicelabs.com in the left pane and select Active Directory Users and Computers.

Select Users in the left pane.

In the right details pane, right-click anywhere and select New > User. Enter the new user’s details and click Next.

Back in the Active Directory Users and Computers window, right-click the new user and select Properties.

In the Test User Properties dialog box, select the Account tab.

On the Test User Properties - Account tab, you can change the domain the user logs on to. You can also set password options, as well as unlock the account.

Click Logon Hours to choose the hours during which the user is permitted or denied logon; you can also restrict which computers the user can log on to.

Back in the Test User Properties dialog box, select the Remote control tab.

On the Remote control tab, remote desktop settings and remote assistance settings can be adjusted.

Select the Member Of tab. On the Member Of tab, users can be added to or removed from groups.

22
Q

Why is it preferred to disable AutoRun/AutoPlay on your workstation?

A

The Windows AutoRun feature allows programs on external devices to be launched as soon as the device is connected to your computer. A broader setting governs what happens when you insert a USB drive or a CD/DVD into a computer drive.

AutoPlay is a Windows feature that works in conjunction with AutoRun. AutoPlay suggests that you listen to music, watch videos, or view images. These conveniences come at a cost to security, though. AutoRun can expose your computer to malware. Many users disable it because malware can use AutoRun to spread a virus from an external device to your PC.

You can turn this on or off via Bluetooth & devices (Windows 11).

23
Q

How can I disable AutoRun/AutoPlay via Group Policy Management?

A

Group Policy Management > right-click Group Policy Objects in the left pane and select New.

In the New GPO dialog box, type the following in the Name field and click OK:

“Disable Autorun”

Back in the Group Policy Management window, expand Group Policy Objects in the left pane.

Right-click Disable Autorun and select Edit.

In the Group Policy Management Editor window, expand Computer Configuration > Policies > Administrative Templates > Windows Components.

Select AutoPlay Policies.

In the right details pane, double-click Turn off AutoPlay.

Back in the Group Policy Management Editor window, double-click Prevent AutoPlay from remembering user choices.

Back in the Group Policy Management Editor window, double-click Disallow Autoplay for non-volume devices.

Next, double-click Set the default behavior for AutoRun.

24
Q

What considerations do you need to take into account for end-user best practices?

A

Physically Securing and Protecting Hardware - There will be several different types of hardware in our networks. They all have one thing in common: they must be physically secured to prevent tampering. Some pieces of equipment, such as our servers, require heightened security, whereas our desktop security can be less stringent.

Desktop PCs & Laptops - These are end-user devices. Encryption should be used whenever possible to ensure that data on the computer is not accessed unless it is legitimately needed. Backups, as well as their proper storage, are critical. Automatic screen locks should be enabled in case a user forgets to lock the computer.

Desktop PCs and laptops are becoming increasingly small, and many can now be picked up and carried, so you can use a Kensington lock to keep them in place. Kensington locks look similar to bike chains but have a mechanism that attaches to the frame of the PC and locks in place. To remove it, the key must be used to unlock it, or it would have to be cut with a bolt cutter. Laptops may be stored in a safe or a locked office when not in use.

If the computer is stolen, tracking software installed on it can assist in locating and retrieving it. In a high-traffic area, privacy screens can be installed on the monitors to ensure that sensitive data cannot be viewed.

To secure access to the PC, passwords or biometrics should be used whenever possible. End-users must be trained and understand the dangers of writing passwords down.

Servers - Servers are becoming increasingly important to many businesses these days. As with desktop PCs and laptops, drives should be encrypted to ensure that they cannot be accessed if removed and taken. Entire drives can be encrypted using programs such as BitLocker.

It is equally important to have backups and ensure that they are properly stored for servers. Servers should be kept in their own server room, which should be secured with an electronic lock so that entries can be tracked. Video surveillance should be considered for this area.

It is critical that servers are always operational. Consider a hot aisle/cold aisle setup if there are multiple servers.

25
Q

What are the best practices for securing routers, switches, hubs, and other networking equipment?

A

These devices are frequently overlooked in the context of security. Unwanted access to these devices can provide threat actors with immediate access to resources, as well as the ability to escalate privileges. Any default passwords on these devices must be changed. They should be kept in a locked closet, and key distribution should be closely monitored and maintained.

On switches, port security should be enabled, and unused ports should be disabled. If an unauthorized user plugs a device into the switch, port security will deny them access.

Remote management and UPnP should be disabled on routers. The strongest encryption levels should be used, and the WPS button should be disabled. The Wi-Fi Protected Setup button is extremely dangerous because it allows users to access the network and its resources without first authenticating.

26
Q

What are the logon best practices?

A

When users have finished their work for the day, they must properly exit all open programs and log off from the computer. This is a critical practice to implement. Logging out protects sensitive files and data. A threat actor can use methods to break into a computer if a user remains logged in, even when that user’s data is encrypted. Because the user is “still on,” the information is not encrypted at that point and is, therefore, vulnerable. Also, all information in RAM, as well as all session resources, will remain active.

Closing out of open applications ensures that any data changes are recorded and that the information is not lost. Logging out and shutting down will also allow updates to be installed. When you restart the computer, all system files are closed, and only the necessary ones are reopened. If a computer is not restarted on a regular basis, all of those system files are used and sometimes not properly closed out. As a result, the machine’s performance may suffer.

If the computer is a thin client running off a server, it will continue to use server resources like CPU and RAM, slowing down service for others. Finally, it may have an impact on the backup process. Open applications and data are frequently configured to be skipped by the backup system.