A plus 1002 Sub-objective 2.7 – Given a scenario, implement security best practices to secure a workstation.
Welcome to ExamNotes by CertBlaster! This edition will examine A plus 1002 Sub-objective 2.7 which addresses the best practices for securing a workstation in terms of deployment and enforcement. Recommended password policies will be discussed first followed by account management, permissions, and other important topics.
Password best practices
A notable software vendor sees over 10 million username/password attacks daily. With that hazard level, it is clear that the strongest account defense that is practical should be implemented. This includes using the safeguards discussed below as much as possible.
Setting strong passwords
Strong passwords are one of the most common protection tools. Depending on the environment, the password length and complexity requirements may differ. Let’s look at the strictest compilation of these factors.
The strongest minimum requirement we have seen for password length is 16 characters, so please use that. In terms of complexity, make sure to use a non-sequential combination of upper and lower case letters, numbers, and special characters. It is easy to imagine that a random complex password will be tough to remember. However, it is important to make the password hard to guess. Do not include your actual name, nickname, pets, children, or birthdays. In addition, combinations of words and symbols that form a logical word are not recommended.
For example P@55w0rdi5mynam3 is easily cracked by anyone with the right skills. Use a combination that you can remember. AsY!!yvv@rini681 will work and a good mnemonic can be “Asillywarning81.” Use what works for you while remembering the guidelines.
You may be asked which of the passwords from the given list is the strongest. Remember that length, complexity, and a lack of dictionary terms are all factors that contribute to a strong password. Finally, consider that in some cases a blank password is better than a weak one as an attacker, faced with limited attempts at guessing a password every 15-20 minutes, will not waste an attempt by guessing a blank password. However, realize that the blank password on an administrator account can be abused anonymously by anyone with that knowledge.
It is recommended that users be required to reset their passwords as frequently as deemed practical through password expiration. Often, passwords are set to expire every 30 days, requiring users to reset their passwords monthly. The frequency of password changes can set anywhere between 30 and 90 days. In some cases, a password history is enforced by the administrator. For example, Microsoft servers store 24 previously used passwords per user. This feature prevents a user from reusing old passwords thereby compromising security.
Changing default user names/passwords
Each operating system installation creates several accounts such as the BUILTIN\Administrator and the BUILTIN\Guest account. These two accounts in particular are targets for hackers since half of the username/password puzzle has already been provided. It is much easier for hackers to hammer on a specific account when the username is known and the password is the only obstacle.
Given how easy it is to hack these accounts, let’s see how these accounts can be renamed or disabled. Changing these accounts require administrative privileges to be assigned to another party (yourself?). Interestingly, the BUILTIN\Administrator account is used only during installation and repair operations. If the Recovery Console or Safe Mode is needed, the Administrator account is re-enabled to facilitate any repairs.
The BUILTIN\Guest account is a similar vulnerability. This account has limited privileges but can still access the local programs. This account is disabled by default, however it should still be renamed and password protected. Shown below is the Local Group Policy Editor which displays the Local Security Policies and the Rename administrator window. Notice below in the Rename window that in addition to being disabled, there are specific settings available that can be used to rename the accounts defined above. Also notice that the use of blank passwords is limited.
Change administrator account name
Screensaver required password
When a system is left powered on and unattended, there is a prime opportunity for unauthorized access. This can be prevented by enabling a screensaver password. In this case, a system is set to activate the screensaver after 5-10 minutes of inactivity, after that period the system cannot be accessed without authentication in the form of a password. This is referred to as a Screensaver password lock.
Screen lock logon
BIOS/UEFI passwords are a fundamental line of defense if you have a PC that is unsupervised or in a compromising location. There are two forms of password protection available in the system BIOS/UEFI: User password and Supervisor password. The User password allows machine access and enables the user to view but not change any settings in the BIOS/UEFI. The Supervisor password is necessary to make changes in the BIOS/UEFI.
This is important because any unsupervised/unauthorized party should not be able to change the boot options in order to boot from a CD or USB device, bypassing the system security. Booting to another operating system can permit unauthorized access to the system, jeopardizing the internal storage and possibly the network. Shown below is an attempt to enter the BIOS/UEFI. There is no practical way around this “password” apart from cracking the case.
Prompt BIOS Password
Organizations require passwords in order to access devices and data on their network. Local machines can manage password requirements in the Account settings (in the Group Policy Editor) for all accounts, as you will see.
In the Windows environment, accounts can be managed using several ways. In a business environment, Active Directory is used to manage both users and devices. On a local machine, three options are available. First, Control Panel > Users and Groups can be used to add or delete users, change passwords, and elevate a standard user to an administrator or vice versa.
Control Panel User Account window
In addition, an online Microsoft account can be used to change the username and password as well as setting up the account to be used on multiple devices.
Second, the Computer Management Console can be used to manage local Users and Groups. Third, most comprehensive management can be performed using the Group Policy Editor, either through the group policy object snap-in or by typing gpedit.msc at the Run line.
Restricting user permissions
The PoLP (Principle of Least Privilege) should always be observed when assigning or restricting user accounts. Please ensure that the user has functionality suitable for their job description without exceeding it.
Login time restrictions
Restricting login hours for a user or group is a recommended way to prohibit unauthorized access. Since these restrictions are generally assigned to a user group, it is important to review the group membership in order to determine if any group members require access outside normal business hours.
Disabling guest account
As mentioned earlier, the guest account is one of the built-in accounts created on all Windows machines. The account name of the guest account is widely known and as a result, compromises half of the security of this account. All members of the guest group have privileges equivalent to the guest account. In practice, it makes sense to disable the guest account.
Failed attempts lockout
Group policy settings allow an administrator to set the number of incorrect password attempts before the account is locked. The duration of the lockout can also be set by the administrator and is variable.
Timeout/screen lock (see also “Screensaver required password” above)
The Screensaver can be set to increase security by accessing the Screensaver Properties and selecting “On resume, display logon screen” as shown below.
Basic Active Directory Functions
Active Directory (AD) describes a collection of services and related databases in Windows Server that can be used to control access to the Domains and the activities permitted.
AD is used to manage a Windows Domain using five services:
Active Directory Domain Services (AD DS) authenticates user accounts and provides authorization for user activity in the Domain.
Active Directory Certificate Services (AD CS) securely manages the identities of computers, users and services.
Active Directory Federation Services (AD FS) is used with outside organizations to secure trust relationships.
Active Directory Rights Management Services (AD RMS) provides data security.
Active Directory Lightweight Directory Services (AD LDS) provides application security.
Together, these services work together to organize the AD hierarchal structure from the top down. Active Directory creates a forest consisting of all resources of a particular entity, such as a company or school, organized at the highest level.
A typical Active Directory Domain Server Dashboard interface is shown below. The tools menu is activated with Active Directory Users and Computers highlighted. User management is performed here.
Active Directory Dashboard
Computer and user accounts are created and deleted using the Active Directory Users and Computers snap -in found on the Server Manager Tools menu shown above. A new user account can be created by right-clicking Users in the left pane and choosing New.
In Active Directory, the guest account is disabled by default. If the guest or any account needs to be disabled, right-click the user, access the Account tab of the user Properties, and check the Account is disabled box in the Account Options section. In the image below, you can see that the CertBlaster account is disabled.
Password reset/unlock account
Password management is a very common way for users to get locked out of their accounts. Several incorrect login attempts will lock the account, requiring the admin to unlock it. If the user is sure they know the password and got locked by accident, often the issue can be traced to Num Lock or Caps Lock. Accounts can be unlocked using the User Properties Tools tab as shown below.
If the user has forgotten their password, it will need to be reset. Close the properties, right-click the user, and choose Reset Password. A small Reset Password dialog (inset) will open where a one-time password can be assigned. The user will be required to change the password after they login.
When a user needs to be deleted, simply right-click the user in AD and choose Delete.Delete User
AutoRun and AutoPlay both allow removable devices, such as USB drives and CD-ROMs, to automatically run executable files. This is a preferred malware tool since an innocent looking executable file can be placed on a CD and can be run without intervention. That’s just too easy.
An infected machine that accesses a USB drive or burns a CD will put a copy of the malware on the media. When that disc or drive is placed in a machine that is using AutoRun or AutoPlay, the malware is copied to the new machine. Disable these features in Computer Management, Enable the turn off Autoplay option, and set the AutoRun policy to Disable. Here is AutoPlay on a removable device.
NTFS files and folders can be securely encrypted using the Encrypted File System (EFS). When a folder is encrypted, all of its contents including subfolders will be encrypted. This is set in Windows Explorer or File Explorer by Right-click > Properties > General Tab> Advanced and checking the box to Encrypt contents.
Data Encryption Enabled
New problems and attacks are discovered on a daily basis. The only defense is to keep the system up-to-date with the latest AntiMalware definition and Operating System updates. The process may be automatic, but if it is not please check updates daily. That’s all for 2.7 and we hope it provided some insight. Good luck on the test!