By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective 2.6: Given a scenario, configure a workstation to meet best practices for security.
Secure workstations are the foundation of secure networks. If an outside hacker or thief can access a workstation, the whole network can be compromised. The following sections cover the use of passwords, account management, and other methods to make workstations secure. Data-at-Rest Encryption Because a company’s most valuable asset is usually its data—whether in the form of customer information, trade secrets, or production information—it only makes sense to do whatever is possible to protect it. When data sits on a workstation, it can be compromised by gaining network access or can be physically stolen. One way to protect against these attacks is to have the data fully encrypted while it sits “at rest” on the workstation hard drive, on a server, or in the cloud. Having data robustly encrypted with RSA or AES methods ensures that, if the drives are compromised, the data will still be inaccessible. Cloud providers such as Amazon Web Services (AWS), IBM, and Microsoft provide encryption options and services for data being stored on the cloud servers. Considering the potential losses stolen data can bring, stringent encryption practices make good sense. Data-at-rest encryption should be used on laptops and other systems that might be used outside the more secure corporate network environment. Laptops that contain unencrypted sensitive data have led to many data breaches. Password Best Practices Not all passwords are equally secure; some are very easy to hack. Administrators must use stringent security policy settings and require users to follow strict guidelines for passwords they use to access the network. The guidelines in the following sections reflect password best practices. Setting Strong Passwords Guidelines for setting strong passwords should include requirements for minimum length and a mixture of alphanumeric and symbol characters. Every extra character in a password makes it much harder to hack. Using a password generator can make the creation of strong passwords easier. For example, the Norton Identity Safe Password Generator (https://identitysafe.norton.com/password-generator) offers highly customizable random passwords and can generate multiple passwords at the same time. Password Expiration No matter how strong a password is, it becomes less secure over time. The longer a password is in use, the more susceptible it is to social engineering, brute-forcing, or other attacks. The risk of password discovery by unauthorized users is minimized through a password expiration policy under which passwords expire after a particular length of time and must be reset. Screensaver Required Password To help protect computers from unauthorized use, users can be required to enter their password to return to the desktop after the screensaver appears. Users should also be required to lock their workstations so that a logon is required to return to the desktop. In Windows, the screensaver required password setting (On Resume, Display Logon Screen check box) is located in the Screen Saver Settings window, which can be accessed from Settings Personalization in Windows 10. In macOS, use the Desktop & Screen Saver menu to choose a screen saver; use Security & Privacy to require a password to unlock the system. BIOS/UEFI Passwords BIOS/UEFI passwords prevent unauthorized users from changing settings. Note that they can be removed by resetting the CMOS. Some motherboards feature a jumper block or a push button to reset the CMOS. If this feature is not present, the CMOS can be reset by removing the CMOS battery for several minutes. “Hardware” covers the configuration of BIOS/UEFI security settings in more detail. Requiring Passwords PC users should be trained to use passwords to secure their user accounts. Administrators can require this through the Local Security Policy and Group Policy in Windows. Users should be informed in advance that passwords are about to expire so that users can change passwords early and avoid being locked out at an inconvenient time. Passwords can be set up to require users to do the following: - Change passwords periodically, to keep them fresh and secure. - Enforce a minimum password length, to keep passwords strong. - Require complex passwords that include a mixture of letters, numbers, and special characters. - Prevent old passwords from being reused continually by tracking past passwords and not allowing them. - Wait a certain number of minutes after a specified number of unsuccessful logins has taken place before being able to log in again. To create a password or adjust password settings in Windows 10, go to Settings Accounts Sign-in Options. To change or enforce password policy settings, go to the following location by using the Group Policy Management Console: Computer Configuration Windows Settings Security Settings Account Policies Password Policy.
Figure below shows the path to these settings. Password Policy Settings End-User Best Practices The practices in this section might seem so common sense that they do not warrant mentioning, but lazy practices develop in a workplace and become fertile ground for attacks. End users should have these practices embedded into their work practices. Use Screensaver Locks Automatic screen locking can be configured to take effect after a specified amount of idle time, to help safeguard a system if a user forgets to lock the system manually. Before screen locking can be used, accounts must have the screen lock feature enabled. In Windows 10, go to Settings
Personalization Lock Screen. In Windows, users can lock their screens manually by pressing Windows+L on the keyboard or by pressing Ctrl+Alt+Del and selecting Lock Computer. In Linux, the keys to use vary by desktop environment. In macOS, use Ctrl+Shift+Eject or Ctrl+Shift+Power (for keyboards without the Eject key). Log Off When Not in Use Leaving a computer logged in and unattended is an open invitation to trouble. End users are accountable for activity on their computer when they are away, and logging off is a simple way to protect both the user and the company.
Secure/Protect Critical Hardware Everyone knows someone who has lost a computer or other mobile device—or, worse, had it stolen. The headaches this can cause are also well known, including financial disaster and job termination. End users should never leave their devices unattended, even for a minute; that time is all it takes for disaster to strike. If end users must part with devices, they must be sure that the devices are securely locked in a trusted area before they leave. Secure Personally Identifiable Information (PII) Loss of an access code, a social security number, or any other personally identifiable information (PII) can be as disastrous as losing a device. Identity theft can ruin a person financially and be nearly impossible to completely recover from. Storing PII in encrypted folders is a wise move. Account Management When combined with workstation security settings, user account settings help prevent unauthorized access to the network. The account management settings described in the following sections can enhance security. Restricting User Permissions User permissions for standard users prevent systemwide changes, but additional restrictions can be set with Group Policy or Local Security Policy. Login Time Restrictions To prevent a user account from being used after hours or before the start of business, use login time restrictions to specify when an account can be used. Disabling Guest Account The guest account in Windows is a potential security risk, so it should be disabled. If visitors need Internet access, a guest wireless network that does not connect to the business network is a good replacement. Failed Attempts Lockout Password policy should specify that a user will be locked out after a specified number of failed attempts to log into an account. A lockout policy can also incorporate a timeout policy that specifies how long the user must wait after an unsuccessful login before attempting to log in again. Changing Default Usernames and Passwords Default administrator usernames and passwords for SOHO routers or other devices or services that have default passwords should be changed. Default usernames and passwords are available in documentation for these devices, so it is easy for an attacker to find the defaults and use them to take over routers or other devices that are still set to the default passwords. Disabling Autorun/AutoPlay Autorun is a feature that enables programs to start automatically when a CD or USB drive or flashcard is connected to a computer. AutoPlay is a similar feature that offers enhanced options in a Windows environment. Both Autorun and AutoPlay allow the user to select what kinds of programs, updates, and syncs can take place. When you disable Autorun, an optical disc or USB drive will not automatically start its autorun application (if it has one), and any embedded malware thus will not have a chance to infect the system before you scan the media. AutoPlay is a similar feature that pops up a menu of apps to use for the media on an optical drive or USB flash drive. The easiest way to turn off AutoPlay in Windows is to open the AutoPlay applet in Settings Devices AutoPlay and toggle the button off.
Figure below shows the AutoPlay Settings window in Windows 10. Figure 7-12 shows how to turn off AutoPlay from the Group Policy settings. AutoPlay Settings in Windows Disabling AutoPlay in the Group Policy Settings To disable Autorun in Windows by using Local Group Policy, complete the following steps: Step 1. Click Start and, in the search field, type gpedit.msc to open the Local Group Policy Editor. Step 2. Navigate to Computer Configuration Administrative Templates Windows Components AutoPlay Policies. Step 3. Double-click the Turn Off AutoPlay setting to display the Turn Off AutoPlay configuration window. Step 4. Click the Enabled radio button and then click OK to enable the policy named Turn Off AutoPlay. Note: Laptops that do presentations might require AutoPlay. For security reasons, macOS does not support any type of Autorun feature, but it is possible to select apps that you want to run on startup. To edit this list, select Apple menu System Preferences Users and Groups Login Items. In Linux, you can disable Autorun on systems that use the Nautilus file manager by changing the properties on the Media tab to enable Never Prompt or Start Programs on Media Insertion and disable Browse Media When Inserted.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.