CompTIA A+ Exam 220-902 sub-objective 3.4: Given a scenario, deploy and enforce security best practices to secure a workstation


Detailed (and official) description of CompTIA A+ sub-objective 3.4

3.4 Given a scenario, deploy and enforce security best practices to secure a workstation.
Password best practices
Setting strong passwords
Password expiration
Changing default user names/passwords
Screensaver required password
BIOS/UEFI passwords
Requiring passwords
Account management
Restricting user permissions
Login time restrictions
Disabling guest account
Failed attempts lockout
Timeout/screen lock
Disable autorun
Data encryption
Patch/update management

Welcome to Exam Notes by CertBlaster! This edition will examine the best practices used to secure a workstation in terms of deployment and enforcement. We will start out with the recommended password policies. Then we will look at account management and permissions, and more.

Password best practices

One software vendor indicates that they see over 10 million username/password attacks daily. With that hazard level it is clear that you need the strongest account defense that is practical. This includes using the safeguards below to the extent possible.

Setting strong passwords

Strong passwords are one of your most common protection tools. Password length and complexity requirements differ from one environment to another, so we will look at the strictest combination of these factors. The strongest minimum password length we see is 16 characters, so we will use that. In terms of complexity you will need a non-sequential combination of upper and lower case letters, numbers and special characters. A random complex password will be tough to remember, but it is important that the password be hard to guess. Do not include your actual name, nickname, pets, children or birthdays. Combinations of words and symbols that form a recognizable term are not recommended either: for example, P@55w0rdi5mynam3 is easily cracked by anyone with the skills. Use a combination that you can remember. AsY!!yvv@rini681 will work and is somewhat more memorable as “Asillywarning81”. Use what works for you while remembering the guidelines. You may be tested on which of a given set of passwords is strongest; remember that length, complexity and the absence of dictionary terms are all factors. Finally, consider that in some cases a blank password is better than a weak one: an attacker who is allowed only a limited number of attempts every 15-20 minutes will not waste an attempt on an empty password. Realize, however, that a blank password on an administrator account can be abused anonymously by anyone who knows about it.
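The following PowerShell function is an added example (it is not part of the CertBlaster notes) that applies the criteria above as a checklist: 16+ characters, all four character classes, no sequential runs, and no dictionary word even after common symbol-for-letter substitutions. The word list is a small constructed sample, not a real dictionary, and the two passwords it scores are the ones compared in the text.

```powershell
# Added example (not from CertBlaster): score candidate passwords against the
# criteria described above. $DictionaryWords is a constructed sample list.
$DictionaryWords = @('password', 'pass', 'word', 'admin', 'welcome', 'name', 'silly', 'warning')

function Test-PasswordStrength {
    param([Parameter(Mandatory)][string]$Password)

    $findings = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt 16) { $findings.Add("shorter than 16 characters ($($Password.Length))") }

    # Character classes: upper, lower, digit, special (-cmatch is case-sensitive)
    $classes = 0
    if ($Password -cmatch '[A-Z]')       { $classes++ }
    if ($Password -cmatch '[a-z]')       { $classes++ }
    if ($Password -match '[0-9]')        { $classes++ }
    if ($Password -match '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 4) { $findings.Add("only $classes of 4 character classes") }

    # Sequential runs such as "abc" or "321" (three or more consecutive codes)
    for ($i = 0; $i -le $Password.Length - 3; $i++) {
        $a = [int][char]$Password[$i]; $b = [int][char]$Password[$i + 1]; $c = [int][char]$Password[$i + 2]
        if (($b -eq $a + 1 -and $c -eq $b + 1) -or ($b -eq $a - 1 -and $c -eq $b - 1)) {
            $findings.Add("sequential run '$($Password.Substring($i, 3))'")
            break
        }
    }

    # Undo common substitutions before the dictionary check, so that
    # P@55w0rd is still recognised as "password"
    $normalized = $Password.ToLowerInvariant()
    $leet = @{ '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'; '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't' }
    foreach ($k in $leet.Keys) { $normalized = $normalized.Replace($k, $leet[$k]) }
    foreach ($w in $DictionaryWords) {
        if ($normalized.Contains($w)) { $findings.Add("contains dictionary word '$w'"); break }
    }

    [pscustomobject]@{
        Password = $Password
        Strong   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# The two passwords the text compares: the first fails the dictionary check
# (it normalizes to "passwordismyname"), the second passes every check.
'P@55w0rdi5mynam3', 'AsY!!yvv@rini681' | ForEach-Object { Test-PasswordStrength $_ } | Format-List
```

The substitution table is what makes the difference between the two examples: a checker that only counts character classes rates both passwords the same, while one that normalizes before the dictionary lookup catches the disguised phrase.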

Password expiration

It is recommended that users be required to reset their passwords as frequently as is practical, by using password expiration. Often this is set to expire every 30 days, requiring users to reset their passwords monthly; the interval is typically between 30 and 90 days. In some cases a password history is also enforced administratively. Microsoft servers store 24 previous passwords per user; this feature prevents a user from reusing old passwords and compromising security.

Changing default user names/passwords

Each operating system installation creates several accounts. There will usually be a BUILTIN\Administrator and a BUILTIN\Guest account, and these two in particular are targets of hackers. They are easier targets because you have already provided half of the username/password puzzle: it is much easier to hammer on a specific account when the username is known, leaving the password as the only obstacle. Given that, it is easy to see why you would want to rename and disable these accounts. This requires you to assign administrative privileges to another account (yours?). Interestingly, the BUILTIN\Administrator account is used only during installation and repair operations; if you find yourself needing the Recovery Console or Safe Mode, you will find that the Administrator account is re-enabled to facilitate repairs. The BUILTIN\Guest account is a similar vulnerability. It has limited privileges but can still access the local programs. This account is disabled by default; however, it should still be renamed and password protected. The screenshot below shows the Local Group Policy Editor displaying the Local Security Policies and the Rename administrator window. Notice that, in addition to being disabled, there are specific settings available to rename the accounts defined above. Also notice that the use of blank passwords is limited.
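The same rename-and-disable step done from PowerShell, as an added example that is not part of the CertBlaster notes. It finds the built-in accounts by their well-known relative IDs (500 for Administrator, 501 for Guest) rather than by name, since the names may already have been changed; the new names are arbitrary choices made here, the LocalAccounts cmdlets are assumed to be available (Windows 10 / Server 2016 and later), and the session must be elevated.

```powershell
# Added example (not from CertBlaster): rename, password-protect and disable the
# built-in Administrator (RID 500) and Guest (RID 501) accounts. Run elevated.
$NewAdminName = 'LocalSvcOwner'      # constructed example name
$NewGuestName = 'Visitor-Disabled'   # constructed example name

function Get-BuiltinAccount {
    param([ValidateSet(500, 501)][int]$Rid)
    # Match on the SID suffix, which does not change when the account is renamed
    Get-LocalUser | Where-Object { $_.SID.Value -like "*-$Rid" }
}

function Protect-BuiltinAccount {
    param([int]$Rid, [string]$NewName)
    $account = Get-BuiltinAccount -Rid $Rid
    if ($account.Name -ne $NewName) {
        Rename-LocalUser -Name $account.Name -NewName $NewName
    }
    # Set a random 24-character password so the account never has a blank one
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-LocalUser -Name $NewName -Password $secret
    Disable-LocalUser -Name $NewName
    Get-LocalUser -Name $NewName | Select-Object Name, Enabled, SID
}

# Before touching the built-in Administrator, make sure some other account holds
# admin rights, otherwise disabling it can lock you out of the machine.
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -notlike '*-500' }
if (-not $otherAdmins) { throw 'Create another administrator account first.' }

Protect-BuiltinAccount -Rid 500 -NewName $NewAdminName
Protect-BuiltinAccount -Rid 501 -NewName $NewGuestName
```

The guard at the bottom is the practical point of the passage: renaming and disabling the built-in Administrator is only safe once administrative rights have been handed to another account.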

[Screenshot: Change administrator account name]

Screensaver required password

When a system is left powered on and unattended there is a prime opportunity for unauthorized access. This can be prevented by enabling a screensaver password. If a system is set to activate the screensaver after 5-10 minutes of inactivity, then after that period the system cannot be accessed without authentication in the form of a password. This is the screensaver password lock.

[Screenshot: Screen lock logon]

BIOS/UEFI passwords

BIOS/UEFI passwords are a fundamental line of defense if you have a PC that is unsupervised or in a compromisable location. There are two forms of password protection available in the system BIOS/UEFI: a User password and a Supervisor password. The User password allows machine access and enables the user to view, but not change, settings in BIOS/UEFI. The Supervisor password is necessary to make changes in BIOS/UEFI. This is important because you do not want any unsupervised or unauthorized party to be able to change your boot options so that the system boots from a CD or USB device, bypassing the system security. Booting to another operating system can permit unauthorized access to your system, jeopardizing your internal storage and possibly the network. Here is what an attempt to enter BIOS/UEFI looks like. There is no practical way around this password that does not involve cracking the case.

[Screenshot: BIOS password prompt]

Requiring passwords

Organizations require passwords to access devices and data on their network. Local machines can manage password requirements for all accounts in the Account settings of the Group Policy Editor, as you will see below.

Account management

Accounts can be managed in several ways in the Windows environment. In a business environment Active Directory is used to manage both users and devices. On a local machine three further options are available. First, the Control Panel Users and Groups applet can be used to add or delete users, change passwords and elevate a standard user to administrator or vice versa.

[Screenshot: Control Panel User Account window]

Second, online, a Microsoft account allows you to change your name and password and set up the account for use on multiple devices. Third, the Computer Management console can be used to manage local Users and Groups. Finally, the most comprehensive management can be accomplished using the Group Policy Editor, either through the Group Policy Object snap-in or by typing gpedit.msc at the Run line.

Restricting user permissions

The PoLP (Principle of Least Privilege) should always be observed when assigning or restricting user account permissions. Do your best to ensure that the user can function at the level their job description requires without exceeding it.

Login time restrictions

Restricting the login hours allowed for a user or group is a recommended way to prohibit unauthorized access. Since these restrictions are generally assigned to a user group, it is important to review the group membership to determine whether any group members require access outside normal business hours.
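An added example (not from the CertBlaster notes) that covers both the least-privilege and the login-hours points above on a stand-alone machine: it lists members of the local Administrators group that are not on an approved list, demotes them to standard users, and then restricts one user's logon hours with the built-in net user /times option. The account names and the approved list are constructed examples; the LocalAccounts cmdlets are assumed to be available and the session must be elevated.

```powershell
# Added example (not from CertBlaster): least-privilege audit of the local
# Administrators group plus a logon-hours restriction. Run elevated.
$ApprovedAdmins = @('LocalSvcOwner')   # constructed: accounts allowed to keep admin rights
$StandardUser   = 'jsmith'             # constructed example user
$LogonHours     = 'M-F,8am-6pm'        # net user /times syntax: days,start-end

function Get-UnexpectedAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $_.ObjectClass -eq 'User' -and
            $_.SID.Value -notlike '*-500' -and                    # built-in Administrator is handled separately
            (($_.Name -split '\\')[-1]) -notin $ApprovedAdmins    # Name is reported as COMPUTER\user
        }
}

function Set-StandardUser {
    param([string]$Name)
    Remove-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
    # Most accounts are already in Users; the error for an existing member is suppressed
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
}

function Set-LogonHours {
    param([string]$Name, [string]$Times)
    net user $Name /times:$Times | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed for $Name" }
    # Read back the "Logon hours allowed" line to confirm the change
    net user $Name | Where-Object { $_ -match 'Logon hours allowed' }
}

foreach ($m in Get-UnexpectedAdmins) {
    Write-Host "Demoting $($m.Name) from Administrators"
    Set-StandardUser -Name (($m.Name -split '\\')[-1])
}
Set-LogonHours -Name $StandardUser -Times $LogonHours
```

Review the audit output before the demotion loop runs in an environment where service or support accounts legitimately need local admin rights; those belong on the approved list, not in the loop.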

Disabling guest account

The guest account is one of the built-in accounts created on all Windows machines, as noted above. As such, the account name is widely known and compromises half of the security of the account. All members of the Guests group have privileges equivalent to the guest account, so in practice it makes sense to disable the guest account.

Failed attempts lockout

Group policy settings allow an administratively determined number of incorrect password attempts before locking the account. The duration of the lockout is also set by the administrator and is variable.
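The password-expiration and history settings described earlier, together with the failed-attempt lockout described here, all live in the same local policy and can be set with the built-in net accounts command. The block below is an added example, not part of the CertBlaster notes: the 30-day expiry and 24-password history are the values the notes mention, the 16-character minimum matches the earlier section, and the lockout numbers are example choices. It must run elevated.

```powershell
# Added example (not from CertBlaster): set the local password-age, history and
# lockout policy with net accounts, then parse the result back. Run elevated.
$Policy = @{
    MinPwLen         = 16   # minimum password length
    MaxPwAge         = 30   # days before a password expires
    MinPwAge         = 1    # days before it may be changed again (stops cycling through the history)
    UniquePw         = 24   # previous passwords remembered
    LockoutThreshold = 5    # failed attempts before the account locks
    LockoutDuration  = 30   # minutes the account stays locked
    LockoutWindow    = 30   # minutes within which the failed attempts are counted
}

function Set-LocalPasswordPolicy {
    param([hashtable]$P)
    net accounts /minpwlen:$($P.MinPwLen) /maxpwage:$($P.MaxPwAge) /minpwage:$($P.MinPwAge) /uniquepw:$($P.UniquePw) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts (password settings) failed with exit code $LASTEXITCODE" }
    net accounts /lockoutthreshold:$($P.LockoutThreshold) /lockoutduration:$($P.LockoutDuration) /lockoutwindow:$($P.LockoutWindow) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts (lockout settings) failed with exit code $LASTEXITCODE" }
}

function Get-LocalPasswordPolicy {
    # net accounts prints "Label:   value" lines; turn them into a hashtable
    $result = @{}
    net accounts | ForEach-Object {
        if ($_ -match '^(.+?):\s+(.+)$') { $result[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $result
}

Set-LocalPasswordPolicy -P $Policy
$current = Get-LocalPasswordPolicy
[pscustomobject]@{
    MaxPasswordAgeDays = $current['Maximum password age (days)']
    PasswordHistory    = $current['Length of password history maintained']
    LockoutThreshold   = $current['Lockout threshold']
    LockoutMinutes     = $current['Lockout duration (minutes)']
}
```

The read-back matters because net accounts silently clamps some values; comparing what you asked for with what the machine reports is the check that the policy actually took effect.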

Timeout/screen lock (see also “Screensaver required password” above)

The Screensaver can be set to increase security by accessing the screensaver properties and selecting “On resume, display logon screen” as shown below.
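The screensaver password described earlier and the “On resume, display logon screen” setting shown here correspond to three per-user policy values that Group Policy writes to the registry. The block below is an added example, not part of the CertBlaster notes; it writes those values for the current user and verifies them. The 600-second timeout is an example value (10 minutes, the upper end of the range mentioned earlier), and the blank screen saver shipped with Windows (scrnsave.scr) is assumed to be present.

```powershell
# Added example (not from CertBlaster): enforce a password-protected screen
# saver through the per-user policy key and verify the result.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Settings  = @{
    ScreenSaveActive    = '1'             # turn the screen saver on
    ScreenSaveTimeOut   = '600'           # seconds of inactivity before it starts
    ScreenSaverIsSecure = '1'             # "On resume, display logon screen"
    'SCRNSAVE.EXE'      = 'scrnsave.scr'  # a screen saver must be selected for the policy to apply
}

function Set-ScreenLockPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        # The Group Policy client writes these as REG_SZ strings, so match that
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Settings[$name] -Type String
    }
}

function Test-ScreenLockPolicy {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $ok = $props -and
          $props.ScreenSaveActive -eq '1' -and
          $props.ScreenSaverIsSecure -eq '1' -and
          [int]$props.ScreenSaveTimeOut -le 600
    [pscustomobject]@{
        Compliant      = [bool]$ok
        TimeoutSeconds = $props.ScreenSaveTimeOut
    }
}

Set-ScreenLockPolicy
Test-ScreenLockPolicy
```

Because this writes under HKCU it only affects the user running it; for every user on the machine the same settings belong in the domain or local Group Policy under User Configuration > Administrative Templates > Control Panel > Personalization.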

[Screenshot: Set screen lock]

Disable autorun

AutoRun and AutoPlay both allow removable devices such as USB drives and CD-ROMs to automatically run executable files. This is a preferred malware tool: an innocent-looking executable file is placed on a CD and runs without intervention. That's just too easy. An infected machine that accesses a USB drive or burns a CD will put a copy of the malware on the media; when that disc or drive is then placed in a machine that uses AutoRun or AutoPlay, the malware is copied to the new machine. Disable these features in Computer Management: enable “Turn off AutoPlay” and set the AutoRun policy to Disable. Here is AutoPlay on a removable device.
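The two policy settings named above are stored as registry values that can also be set and checked directly. The block below is an added example, not part of the CertBlaster notes; it writes the machine-wide values that “Turn off AutoPlay” (all drives) and the AutoRun policy (do not execute any autorun commands) produce, then reads them back. It must run elevated.

```powershell
# Added example (not from CertBlaster): disable AutoPlay on all drive types and
# block autorun.inf execution machine-wide, then verify. Run elevated.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRun {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # NoDriveTypeAutoRun is a bit mask of drive types; 0xFF covers every type
    Set-ItemProperty -Path $Key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # NoAutorun = 1 stops autorun.inf commands from being executed at all
    Set-ItemProperty -Path $Key -Name 'NoAutorun' -Value 1 -Type DWord
}

function Test-AutoRunDisabled {
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $p.NoDriveTypeAutoRun
        NoAutorun          = $p.NoAutorun
        Disabled           = ($p.NoDriveTypeAutoRun -eq 0xFF -and $p.NoAutorun -eq 1)
    }
}

Disable-AutoRun
Test-AutoRunDisabled
```

Both values are needed: NoDriveTypeAutoRun suppresses the AutoPlay prompt, while NoAutorun is what prevents an autorun.inf on the media from being acted on.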

[Screenshot: AutoPlay on a removable device]

Data encryption

On NTFS volumes, files and folders can be securely encrypted using the Encrypting File System (EFS). Importantly, when you encrypt a folder all of its contents, including subfolders, are encrypted. This is set in Windows Explorer or File Explorer: right-click > Properties > General tab > Advanced, then check the box to encrypt contents.
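The same folder encryption from the command line, as an added example that is not part of the CertBlaster notes. It uses the built-in cipher tool to encrypt a folder and everything below it, checks the Encrypted attribute on each item, and exports the user's EFS certificate, since without that certificate the data cannot be recovered if the profile is lost. The paths are constructed examples and the folder is assumed to be on an NTFS volume.

```powershell
# Added example (not from CertBlaster): encrypt a folder tree with EFS, verify
# the Encrypted attribute, and back up the EFS certificate.
$Folder     = 'C:\Users\jsmith\Documents\Confidential'   # constructed path
$CertBackup = 'C:\Users\jsmith\efs-backup'               # constructed path; cipher writes <name>.pfx

function Enable-FolderEncryption {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # /e encrypts, /s:<dir> applies it to the directory and all subdirectories;
    # files created in the folder later inherit the Encrypted attribute
    cipher /e /s:$Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed for $Path" }
}

function Test-Encrypted {
    param([string]$Path)
    $item = Get-Item -Path $Path -Force
    [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

Enable-FolderEncryption -Path $Folder

# Report the encryption state of the folder itself and everything under it
Get-Item -Path $Folder, (Get-ChildItem -Path $Folder -Recurse -Force).FullName | ForEach-Object {
    [pscustomobject]@{ Path = $_.FullName; Encrypted = (Test-Encrypted $_.FullName) }
}

# Export the certificate and private key; cipher prompts for a password for the .pfx
cipher /x $CertBackup
```

Keep the exported .pfx somewhere other than the encrypted volume: EFS ties the data to the user's certificate, so a reinstalled profile without that key turns the encrypted files into unreadable ones.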

[Screenshot: Data encryption enabled]

Patch/update management

New problems and attacks are discovered on a daily basis. Your only defense is to keep your system up to date with the latest antimalware definition updates and operating system updates. The process may be automatic, but if it is not, make checking for updates something you do daily.
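A daily check that reports how stale the installed updates and the malware definitions are, as an added example that is not part of the CertBlaster notes. It relies on the built-in Get-HotFix cmdlet and on the Defender module (Get-MpComputerStatus and Update-MpSignature, present on Windows 10 and later); the age thresholds are example values.

```powershell
# Added example (not from CertBlaster): report the age of the newest installed
# update and of the Microsoft Defender definitions, and refresh stale definitions.
$MaxUpdateAgeDays    = 30   # flag if no update was installed in the last 30 days (example value)
$MaxSignatureAgeDays = 2    # flag if definitions are more than 2 days old (example value)

function Get-PatchStatus {
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $updateAge = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { $null }

    # Get-MpComputerStatus is absent when Defender is not the active antimalware engine
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $sigAge = if ($defender) { (New-TimeSpan -Start $defender.AntivirusSignatureLastUpdated -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        LastUpdateInstalled = if ($lastFix) { $lastFix.InstalledOn } else { 'unknown' }
        UpdateAgeDays       = $updateAge
        UpdatesStale        = ($null -eq $updateAge -or $updateAge -gt $MaxUpdateAgeDays)
        SignatureVersion    = if ($defender) { $defender.AntivirusSignatureVersion } else { 'unknown' }
        SignatureAgeDays    = $sigAge
        SignaturesStale     = ($null -eq $sigAge -or $sigAge -gt $MaxSignatureAgeDays)
    }
}

$status = Get-PatchStatus
$status
if ($status.SignaturesStale) {
    # Pull the latest definitions now rather than waiting for the next scheduled check
    Update-MpSignature
}
```

Treat "unknown" as a failure rather than a pass: a machine that cannot report its update or definition age is one you cannot vouch for.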

That’s all for 3.4 we hope it provided some insight. Good luck on the test!
