Workstation Security Best Practices (CompTIA Objective 2.7) Flashcards
1
Q
What are some principles of Password Complexity and Length?
A
- Make your password strong: no single dictionary words and nothing obvious such as the name of your dog.
- Mix upper and lower case.
- Use special characters, but don't just swap the letter o for a 0 or the letter t for a 7; attackers know people do that, and cracking tools try those substitutions first.
- A strong password is at least 8 characters long, and longer is stronger. Consider a phrase or a set of words.
- Set password expiration and require a change once the password expires. The system keeps a password history so each new password must be unique.
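A worked check for these rules, added here as an example (it is not part of the original flashcards). The `Test-PasswordStrength` function and its tiny blocklist are assumptions for illustration; the `net accounts` lines at the end set the length, expiration and history rules for local accounts with the built-in tool.

```powershell
# Added example, not from the flashcards. Test-PasswordStrength and its blocklist are
# illustrative assumptions; the net accounts lines at the end use the built-in tool.
function Test-PasswordStrength {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 8,
        # Constructed mini-dictionary of obvious choices; a real check would use a full wordlist.
        [string[]]$Blocklist = @('password', 'welcome', 'letmein', 'qwerty', 'fido')
    )
    $problems = @()
    if ($Password.Length -lt $MinLength)    { $problems += "shorter than $MinLength characters" }
    if ($Password -cnotmatch '[a-z]')       { $problems += 'no lower-case letter' }
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'no upper-case letter' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'no special character' }

    # Undo the substitutions attackers try first (0->o, 7->t, @->a ...), drop everything
    # that is not a letter, then look for obvious words in what is left.
    $normalised = $Password.ToLowerInvariant()
    $leet = @{ '0'='o'; '1'='l'; '3'='e'; '4'='a'; '5'='s'; '7'='t'; '@'='a'; '$'='s'; '!'='i' }
    foreach ($k in $leet.Keys) { $normalised = $normalised.Replace($k, $leet[$k]) }
    $normalised = $normalised -replace '[^a-z]', ''
    foreach ($word in $Blocklist) {
        if ($normalised -like "*$word*") { $problems += "contains the obvious word '$word'" }
    }

    [pscustomobject]@{
        Password = $Password
        Strong   = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Passw0rd! passes the naive length/case/special checks but fails once the leet
# substitutions are undone; the passphrase passes everything.
'Passw0rd!', 'fido2019', 'Correct horse battery Staple!' | ForEach-Object { Test-PasswordStrength $_ }

# Enforce length, expiration and history for local accounts: 12 characters minimum,
# change every 90 days, remember the last 24 passwords. The "must meet complexity
# requirements" switch lives in Local Security Policy (secpol.msc), not in net accounts.
net accounts /minpwlen:12 /maxpwage:90 /uniquepw:24
net accounts    # read the effective policy back
```

The normalisation step is the point: a checker that only counts character classes rates `Passw0rd!` as strong, which is exactly the false confidence the card warns about.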
2
Q
What are some important principles of Password expiration and recovery?
A
- All passwords should expire and be changed every 30, 60 or 90 days. (Current NIST SP 800-63B guidance is to force a change only on evidence of compromise, but the exam objective still expects scheduled expiration.)
- Critical systems might change more frequently, such as every 15 days or every week.
- The recovery process should not be trivial. If anyone can get a password reset without proving who they are, an attacker can get it reset too; many organizations have a formal process you have to follow to get your password reset.
3
Q
What are some important principles of Desktop Security?
A
- Require a screensaver password that integrates with login credentials. This can be administratively enforced (Group Policy) so the system locks automatically after a timeout, which stops somebody walking up to your unattended workstation and using your session.
- Disable AutoRun. AutoRun reads autorun.inf from inserted media and launches whatever it names, which was a serious security concern in Windows XP and Vista. Windows 7, 8/8.1 and 10 no longer honor autorun.inf on USB and other non-optical media by default, and it can be turned off for every drive type through the registry or Group Policy.
- Consider changing the AutoPlay setting in Windows 7 and later. As an administrator you can turn AutoPlay off, or change what happens when media is inserted into a system.
- Get the latest security patches.
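The screen-lock and AutoRun/AutoPlay settings above written as registry policy, added here as an example (not part of the original flashcards). The 600-second timeout is an assumption; the value names are the ones the corresponding Group Policy settings write, and the HKLM keys need an elevated prompt.

```powershell
# Added example, not from the flashcards. Run elevated; 600 s is an assumed timeout.
$lockTimeoutSeconds = 600

# 1. Screen-saver lock as a per-user policy (the keys Group Policy writes for
#    User Configuration > Administrative Templates > Control Panel > Personalization).
$ssPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $ssPolicy -Force | Out-Null
Set-ItemProperty -Path $ssPolicy -Name 'ScreenSaveActive'    -Value '1' -Type String
Set-ItemProperty -Path $ssPolicy -Name 'ScreenSaverIsSecure' -Value '1' -Type String   # ask for the logon password on resume
Set-ItemProperty -Path $ssPolicy -Name 'ScreenSaveTimeOut'   -Value "$lockTimeoutSeconds" -Type String
Set-ItemProperty -Path $ssPolicy -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr' -Type String   # blank screen saver, so the timeout fires

# 2. AutoRun: 0xFF (255) disables autorun.inf processing for every drive type.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 3. AutoPlay: no "choose what to do" prompt, including for non-volume devices (cameras, phones).
$autoplayPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
New-Item -Path $autoplayPolicy -Force | Out-Null
Set-ItemProperty -Path $autoplayPolicy -Name 'NoAutoplayfornonVolume' -Value 1 -Type DWord
$autoplayUser = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
New-Item -Path $autoplayUser -Force | Out-Null
Set-ItemProperty -Path $autoplayUser -Name 'DisableAutoplay' -Value 1 -Type DWord   # the Settings > AutoPlay toggle

# 4. Audit: read every value back and flag anything that is not at the hardened setting.
$expected = @(
    @{ Path = $ssPolicy;       Name = 'ScreenSaverIsSecure';    Value = '1' }
    @{ Path = $ssPolicy;       Name = 'ScreenSaveTimeOut';      Value = "$lockTimeoutSeconds" }
    @{ Path = $explorerPolicy; Name = 'NoDriveTypeAutoRun';     Value = 255 }
    @{ Path = $autoplayPolicy; Name = 'NoAutoplayfornonVolume'; Value = 1 }
    @{ Path = $autoplayUser;   Name = 'DisableAutoplay';        Value = 1 }
)
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $status = if ("$actual" -eq "$($e.Value)") { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1,-24} expected={2} actual={3}' -f $status, $e.Name, $e.Value, $actual
}
```

The audit loop at the end is the part worth keeping: a setting that was hardened once and silently reverted by a later tool or user is the normal way these controls fail.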
4
Q
What are some Password best practices?
A
- Change default usernames and passwords. All devices ship with defaults, and many websites document them.
- Enable a BIOS/UEFI password. A supervisor/administrator password prevents changes to the firmware settings (for example the boot order), and a boot (user) password stops the system from booting at all until it is entered.
- Always require a password: no blank passwords, no automated logins, and never store passwords in a document or similar file.
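An audit for the last point (no automated logins, no blank passwords), added here as an example that is not part of the original flashcards. It reads the Winlogon values that automatic logon uses and lists local accounts that are allowed an empty password; it needs an elevated prompt.

```powershell
# Added example, not from the flashcards. Run elevated.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogon {
    # AutoAdminLogon = '1' makes the machine log straight into DefaultUserName at boot, and
    # DefaultPassword is a plain REG_SZ that any local administrator can read.
    # (The Sysinternals Autologon tool stores the password as an LSA secret instead,
    # which this registry read will not show.)
    $p = Get-ItemProperty -Path $winlogon
    $findings = @(
        if ($p.AutoAdminLogon -eq '1') { "automatic logon is enabled for '$($p.DefaultUserName)'" }
        if ($p.DefaultPassword)        { 'a password is stored in cleartext in DefaultPassword' }
    )
    [pscustomobject]@{
        AutoAdminLogon  = $p.AutoAdminLogon
        DefaultUserName = $p.DefaultUserName
        HasStoredSecret = [bool]$p.DefaultPassword
        Findings        = $findings
    }
}

function Disable-AutoLogon {
    Set-ItemProperty -Path $winlogon -Name 'AutoAdminLogon' -Value '0' -Type String
    Remove-ItemProperty -Path $winlogon -Name 'DefaultPassword' -ErrorAction SilentlyContinue
}

function Get-BlankPasswordAccounts {
    # Enabled local accounts with "password required" off can log on with an empty password.
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | Select-Object Name, LastLogon
}

Test-AutoLogon
Get-BlankPasswordAccounts
# Remediate: Disable-AutoLogon, then give each listed account a password or disable it, e.g.
#   Set-LocalUser -Name <account> -Password (Read-Host -AsSecureString)
#   Disable-LocalUser -Name <account>
```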
5
Q
What are some important principles of Restricting User Permissions?
A
- User permissions: not everyone should be assigned Administrator privileges. Malware runs with the rights of the user who launched it, so an administrator user gives it full access to the system or network. Assign rights and permissions on a user-by-user basis: just the access needed to perform the job properly (least privilege). This may be an involved audit.
- Assign rights based on groups. Much easier than managing rights per user, and it becomes more useful as the organization grows.
- Login time restrictions: only allow login during working hours. This prevents access to systems at times when nobody would normally be working.
6
Q
What are some important principles of Disabling unnecessary accounts?
A
- All operating systems include built-in accounts such as guest, root, mail etc.
- Not all of these accounts are necessary, so disable or remove the unnecessary ones, such as the Guest account. Some accounts are required by services inside the OS, so for those you may want to:
- Disable interactive logins. The services can still run under the account, but nobody can log in with it.
- Change default usernames and passwords such as user admin / password admin. Defaults are the first thing a brute-force or dictionary attack tries.
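The local-account side of the last two cards (least-privilege admin membership, logon hours, disabling and renaming built-in accounts), added here as an example that is not part of the original flashcards. The approved-admin list, the `wsadmin` name and the `jdoe` account are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the flashcards. $approvedAdmins, 'wsadmin' and 'jdoe' are assumptions.
$approvedAdmins = @('Administrator', 'LocalAdminSvc')
$hostPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'

# 1. Who is a local administrator? Flag any local user not on the approved list.
#    Domain groups are expected here: that is how rights should be assigned.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $short = $_.Name -replace $hostPrefix, ''
    $ok = ($_.ObjectClass -eq 'Group') -or ($approvedAdmins -contains $short)
    '{0,-7} {1,-40} {2}' -f $(if ($ok) { 'OK' } else { 'REVIEW' }), $_.Name, $_.ObjectClass
}

# 2. Built-in accounts: keep Guest disabled (it already is on current Windows, so this
#    enforces it) and rename the default Administrator so 'Administrator' is no longer
#    a valid username for a brute-force attempt. The account's SID does not change.
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Rename-LocalUser -Name 'Administrator' -NewName 'wsadmin' -ErrorAction SilentlyContinue

# 3. Enabled accounts with no logon in 90 days are candidates for disabling.
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-90) } |
    Select-Object Name, LastLogon

# 4. Logon hours: only Mon-Fri 08:00-18:00 for this account. There is no LocalAccounts
#    cmdlet for this, so it uses the classic net user syntax.
net user jdoe /times:M-F,08:00-18:00
net user jdoe | Select-String 'Logon hours'

# 5. Service accounts that must exist but should never get a desktop session are handled
#    with the "Deny log on locally" user right (secpol.msc > Local Policies > User Rights
#    Assignment): the service keeps running, interactive logon is refused.
```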
7
Q
What are some best practices of Account lockout and disablement?
A
- Too many bad passwords cause a lockout. That is the right behavior for normal users, but it can cause big problems for service accounts (background processes) that must keep running, and an attacker can deliberately lock them out as a denial of service. Admins sometimes exempt service accounts from lockout or change how their passwords are reset.
- Disable user accounts as part of the normal change process. Don't delete accounts (at least not right away): deleting removes the account's SID, so file ownership, permissions and audit records that reference it become orphaned. This matters when someone leaves the organization.
8
Q
What is commonly used to centrally manage all usernames and passwords?
A
- Windows networks can be centrally managed by Active Directory Domain Services (AD DS).
- Allows you to create and delete accounts: add users to the domain and remove user accounts.
- Also provides functionality to reset passwords and unlock accounts ("I forgot it... again").
- Also allows you to disable user accounts for offboarding or security processes.
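The lockout, reset, unlock and disable tasks from the last two cards done with the ActiveDirectory module, added here as an example that is not part of the original flashcards. The domain `corp.example`, the OUs, the `Helpdesk-Users` group and the `jdoe` account are assumptions; it needs RSAT and an account with rights to manage users.

```powershell
# Added example, not from the flashcards. The domain, OUs, group and 'jdoe' are assumptions;
# needs the ActiveDirectory module (RSAT) and an account with rights to manage users.
Import-Module ActiveDirectory
$domain = 'corp.example'
$user   = 'jdoe'

# Lockout policy: 5 bad passwords within 30 minutes locks the account for 30 minutes.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30)

# Create: the user gets rights through group membership, not individual grants.
New-ADUser -Name 'Jane Doe' -SamAccountName $user -UserPrincipalName "$user@$domain" `
    -Path 'OU=Staff,DC=corp,DC=example' -Enabled $true -ChangePasswordAtLogon $true `
    -AccountPassword (Read-Host -Prompt 'Initial password' -AsSecureString)
Add-ADGroupMember -Identity 'Helpdesk-Users' -Members $user

# "I forgot it... again": reset, force a change at next logon, and unlock.
Set-ADAccountPassword -Identity $user -Reset -NewPassword (Read-Host -Prompt 'Temporary password' -AsSecureString)
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity $user

# Lockout triage: a service account in this list means a stale password somewhere,
# or someone deliberately locking it as a denial of service.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

# Offboarding: disable and park the object; never delete straight away, so the SID still
# resolves in ACLs and audit logs. Deletion comes later via the normal change process.
Disable-ADAccount -Identity $user
Set-ADUser -Identity $user -Description ('Disabled {0:yyyy-MM-dd}, offboarding' -f (Get-Date))
Move-ADObject -Identity (Get-ADUser -Identity $user).DistinguishedName -TargetPath 'OU=Disabled,DC=corp,DC=example'

# Audit: anything still enabled but unused for 90 days.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object Enabled | Select-Object SamAccountName, LastLogonDate
```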
9
Q
What are some important things to remember when it comes to Data encryption?
A
- Key backups are critical. You always need a copy of the recovery key. It may be escrowed in Active Directory and retrievable there, but not always.
- Keep the key where you can reach it, but not on the encrypted device itself.
- If you want to encrypt sensitive data and take it on the road, use a form of mobile encryption for flash drives, such as BitLocker To Go.
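The key-backup and BitLocker To Go points above carried out with the BitLocker cmdlets, added here as an example that is not part of the original flashcards. The drive letters are assumptions; it needs an elevated prompt, Windows Pro/Enterprise, and a domain-joined machine for the AD DS escrow step.

```powershell
# Added example, not from the flashcards. Drive letters are assumptions; run elevated on a
# domain-joined machine for the AD DS backup (BitLocker module, Windows Pro/Enterprise).
$os  = 'C:'
$usb = 'E:'

# 1. Make sure the OS volume has a recovery-password protector, then escrow that protector
#    to the computer object in AD DS so the helpdesk can retrieve it.
$recovery = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}
Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $recovery.KeyProtectorId
# Second copy, kept off the machine (printed, or in the password manager), for the
# "AD is not reachable" case.
"OS recovery password (ID $($recovery.KeyProtectorId)): $($recovery.RecoveryPassword)"

# 2. BitLocker To Go: encrypt the flash drive with a password, and add a recovery password
#    stored separately so a forgotten password does not mean lost data.
$pw = Read-Host -Prompt "BitLocker password for $usb" -AsSecureString
Enable-BitLocker -MountPoint $usb -PasswordProtector -Password $pw -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint $usb -RecoveryPasswordProtector | Out-Null
$usbRecovery = (Get-BitLockerVolume -MountPoint $usb).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
"USB recovery password: $($usbRecovery.RecoveryPassword)"

# 3. Audit: every volume, its protector types, and whether protection is actually on.
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        ProtectionStatus = $_.ProtectionStatus
        Encrypted        = "$($_.EncryptionPercentage)%"
        Protectors       = ($_.KeyProtector.KeyProtectorType -join ', ')
        HasRecoveryKey   = ($_.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')
    }
}
```

A volume that shows `Encrypted` but `ProtectionStatus` of Off (for example after a suspended BitLocker during an upgrade) is the state the audit is there to catch.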
10
Q
When it comes to Patch and update management what are some important things to be aware of?
A
- The OS and applications need regular updates for security and stability improvements. New vulnerabilities are exploited quickly, so always stay up to date.
- Updates and patches are usually built into the OS and install automatically when available. In a corporate environment they may be centrally managed and controlled (for example through WSUS), with IT testing patches for safety and stability before rolling them out.
- Most applications have their own updater that checks for updates when the application starts.
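A quick "is this workstation current, and who controls its updates?" check, added here as an example that is not part of the original flashcards. The 30-day threshold is an assumption; the registry values are the ones the Windows Update Group Policy settings write.

```powershell
# Added example, not from the flashcards. The 30-day threshold is an assumption.
function Get-PatchStatus {
    param([int]$MaxDaysSinceLastPatch = 30)

    # Get-HotFix lists installed Windows updates (QFEs); the newest InstalledOn date is a
    # rough "when was this box last patched". Feature upgrades do not appear here.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days   = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }

    # Group Policy for Windows Update: present when the machine is centrally managed.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OSVersion          = (Get-CimInstance Win32_OperatingSystem).Version
        LatestHotfix       = $latest.HotFixID
        InstalledOn        = $latest.InstalledOn
        DaysSinceLastPatch = $days
        Overdue            = ($null -eq $days) -or ($days -gt $MaxDaysSinceLastPatch)
        AutoUpdateDisabled = ($au.NoAutoUpdate -eq 1)   # 1 = automatic updates turned off by policy
        AUOptions          = $au.AUOptions              # 2 notify, 3 auto-download, 4 auto-download and schedule install
        WSUSServer         = $wu.WUServer               # set when updates come from an internal WSUS
        UsesWSUS           = ($au.UseWUServer -eq 1)
    }
}

Get-PatchStatus
# Applications keep their own updaters, but winget can list what has an upgrade waiting:
winget upgrade
```

`AutoUpdateDisabled` true on a machine with no `WSUSServer` is the combination to chase: nobody is patching it.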