7.05 Configure a workstation to meet best practices for security

Introduction 

Imagine securing your computer like you would lock your house—each layer of security, like doors, locks, and alarms, plays a part in keeping unwanted visitors out. In this lesson, you’ll learn how to configure a workstation for security, much like building strong defenses for your home.

You'll explore best practices for password management, user access control, and encryption, which are vital in protecting your data and network from cyber threats. By mastering these techniques, you'll not only solve security problems for yourself but also help others stay safe in today’s digital world. 

Best Practices for Strong Passwords 

Ensuring workstation security starts with making sure only authorized users can access the network. Even with the rise of multifactor authentication, strong password management is still essential for organizations that rely on password-based systems. 

Common Password Weaknesses 

Password systems are often vulnerable due to outdated technologies and poor user habits. Weak passwords are the primary risk, allowing attackers to use dictionary attacks or data from password breaches to access accounts. Once a password is compromised, attackers can impersonate legitimate users and gain unauthorized access. 

Guidelines for Strong Passwords 

Here are simple yet effective rules for creating strong passwords: 

  • Use a long password: At least 12 characters for regular accounts and longer for administrative accounts.

  • Avoid personal information: Do not include names, dates, or easily guessable details like job titles, pet names, or song lyrics.

Additional Password Policy Options 

Some organizations enforce extra rules, such as: 

  • Character complexity: Requiring a mix of uppercase, lowercase, numbers, and symbols.

  • Password expiration: Forcing users to change their passwords after a set time. 

However, these rules can backfire by encouraging poor habits, like writing passwords down. As a result, some security standards no longer recommend complexity and expiration requirements. 

BIOS and UEFI Passwords 

BIOS/UEFI passwords provide security before the operating system boots. Though rarely used, they add an extra layer of protection. 

Types of BIOS/UEFI Passwords: 

  • System user password: Required to boot the operating system but does not secure the firmware itself. 

  • System/supervisor password: Protects access to the BIOS/UEFI setup and requires configuration by an administrator. 

Some systems support pre-boot authentication, where the system verifies user credentials before the operating system starts. 

By following these best practices, organizations can significantly reduce the risk of unauthorized access and improve overall system security. 

End User Best Practices for Workstation Security 

Good password practices are essential, but they should be accompanied by secure workstation usage. Here are some key principles that all users should follow to ensure workstation security. 

Lock Your Computer When Unattended 

Log off or lock the screen when stepping away, even for short periods. 

Avoid leaving the workstation open for lunchtime attacks, where an attacker gains access to an unattended and unlocked computer. 

In Windows, press START+L (the Windows logo key plus L) to quickly lock the desktop. 

While automatic screensaver locks can help, users should make manual locking a habit. 

Secure Portable Devices 

Prevent physical theft by securing portable devices like laptops with cable locks when working at a desk. 

When in public places, always keep laptop cases or bags within sight.

Figure: Kensington laptop lock. The Kensington Security Slot is the rightmost opening on the side of this laptop computer.

Protect Personal and Sensitive Information 

Follow a clean desk policy to prevent leaving personal data, passwords, or sensitive documents in plain sight. 

Do not store personal information (such as personally identifiable information (PII)) in unsecured text files or unprotected documents. 

Ensure that sensitive information is only stored and processed in secure systems monitored by a data owner.

These simple actions help reinforce overall security and prevent unauthorized access to personal data and workstations.

Account Management Best Practices 

Account management is crucial for maintaining security within a system or network. These practices ensure that each user only has the necessary permissions and privileges to do their job, reducing security risks. 

Enforce Least Privilege 

Imagine a library where only certain staff members have access to specific areas and tools, depending on their roles: 

  • Librarians have access to the book shelves and check-out system, allowing them to organize books and assist patrons. 

  • Security staff can access the building's surveillance system and control entry to restricted areas. 

  • Janitors are responsible for cleaning and can access storage rooms for supplies, but not the security system or check-out desk. 

Now, instead of giving everyone a master key to the entire building, each staff member is given only the keys they need for their specific job. This prevents unnecessary access and keeps things secure. 

Similarly, in a computer system, least privilege ensures that users only have access to the files and tools they need to perform their jobs, keeping the system more secure by reducing the chance of accidental or malicious changes. 

  • File permissions: Control whether users can read or modify files and folders, either on their local PC or over the network. Responsibility: data owners or file server administrators. 

  • Rights/privileges: Control what system configuration changes a user can make. Responsibility: network administrators. 

Least Privilege Principle: Limit the number of administrator/superuser accounts to reduce risk. Use tools like User Account Control (UAC) in Windows or sudo in Linux to manage elevated privileges. 

Change Default Administrator Account and Password 

Default Admin Accounts: Root (Linux) or Administrator (Windows) accounts have the highest privileges. 

If not disabled, these accounts must not be left with their default password.

Secure Password: The new password should only be known by one person and treated with high-level security. Sharing this password is a security risk. 

Accountability: Use of the default admin account should be logged and monitored. Any usage should trigger an alert, and the user must not have the ability to turn off the logging system.

Disable Guest Account 

Guest Accounts: Allow unauthenticated access to a computer and sometimes to a network. These accounts are risky because they don’t require login credentials. 

In modern Windows systems, the Guest account is disabled by default and cannot be used for sign-in, except for passwordless file sharing in a Windows workgroup. Always monitor guest access in other operating systems and features, like guest Wi-Fi, and disable them if they don't align with security policies. 
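As an added example (not part of the lesson), the following PowerShell script audits the built-in Administrator and Guest accounts and the membership of the local Administrators group on a standalone workstation. It assumes an elevated session on Windows 10/11 with the built-in LocalAccounts cmdlets; the rename target ws-breakglass is a placeholder.

```powershell
# Added example (not from the lesson): audit the built-in Administrator and
# Guest accounts on a standalone Windows workstation. Requires an elevated
# PowerShell session; uses the Microsoft.PowerShell.LocalAccounts cmdlets
# that ship with Windows 10/11 and Windows Server 2016+.

# The built-in accounts are identified by the well-known RID at the end of
# their SID (-500 = Administrator, -501 = Guest), not by name, because the
# Administrator account may already have been renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest        = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

$findings = @()

# Guest must be disabled: it allows sign-in without credentials.
if ($guest.Enabled) {
    $findings += "Guest account '$($guest.Name)' is ENABLED"
}

# The built-in Administrator should normally be disabled on a workstation.
# If it stays enabled, it must not keep a default or never-set password.
if ($builtinAdmin.Enabled) {
    $findings += "Built-in Administrator '$($builtinAdmin.Name)' is ENABLED"
    if ($null -eq $builtinAdmin.PasswordLastSet) {
        $findings += "Built-in Administrator password has never been set"
    }
}

# Least privilege: the local Administrators group should be short and contain
# no day-to-day user accounts. Two members (Administrator plus one admin) is
# used here as a sample ceiling, not a Microsoft recommendation.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) {
    $findings += "Administrators group has $($admins.Count) members: $($admins.Name -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output 'Local account audit: no findings'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Remediation (uncomment to apply):
# Disable-LocalUser -Name $guest.Name
# Disable-LocalUser -Name $builtinAdmin.Name
# Rename-LocalUser -Name $builtinAdmin.Name -NewName 'ws-breakglass'   # placeholder name
```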

Account Policies Overview 

Account policies are rules that enforce secure user behavior by setting restrictions and controls within the operating system. These policies help secure access and ensure the proper use of accounts. On most standalone workstations, password and account policies can be configured using tools like Local Security Policy (secpol.msc) or Group Policy Editor (gpedit.msc). In Windows domain networks, administrators use Group Policy Objects (GPO) to apply these settings across users and computers. 

These tools are unavailable in the Home edition of Windows.

Common Account Policies 

  • Restrict Login Times 

    • Controls when users can log in, typically preventing access during off-hours like late at night or on weekends. 

    • Helps to secure systems during times when suspicious activity is more likely. 

    • The system may log users out automatically if they continue to be logged in beyond allowed times. 

  • Failed Attempts Lockout 

    • Specifies the maximum number of incorrect sign-in attempts allowed within a time period. 

    • After reaching this limit, the account will be locked, reducing the risk of unauthorized access via brute-force attacks. 

  • Concurrent Logins Limit 

    • Restricts how many sessions a user can open at once. 

    • Prevents misuse of accounts by ensuring that most users sign in to only one device at a time. 

  • Use Timeout/Screen Lock 

    • Automatically locks the computer if no activity is detected after a set period. 

    • Adds extra protection by securing systems left unattended, though users should manually lock their screens when stepping away. 

Unlocking and Resetting Accounts 

When a user violates security policies (e.g., repeated incorrect password attempts), the account may be locked. Administrators can unlock or reset these accounts through the Properties dialog box for the user in question. 

  • Unlocking Accounts: Administrators can check the "Unlock Account" option under the Account tab. 

  • Resetting Passwords: If a user forgets their password, it can be reset by right-clicking the account and selecting Reset Password.

These measures help ensure that account access remains secure and that only authorized users can regain access when necessary.
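As an added example (not part of the lesson), this PowerShell script applies the password-length rule from the strong-password guidelines and the account policies listed above (failed-attempt lockout, restricted login times, screen-lock timeout) on a standalone workstation. It assumes an elevated session; the user name jdoe and the numeric values are sample choices, not Windows defaults.

```powershell
# Added example (not from the lesson): apply account policies on a standalone
# workstation from an elevated PowerShell session. The net.exe switches and
# registry values are documented Windows settings; the numbers (12, 5, 15,
# 600) are sample policy choices, not Microsoft defaults.

# Password length and lockout policy (Local Security Policy equivalents:
# Account Policies > Password Policy / Account Lockout Policy).
net accounts /minpwlen:12          # minimum password length
net accounts /lockoutthreshold:5   # failed attempts before lockout
net accounts /lockoutwindow:15     # minutes in which failed attempts are counted
net accounts /lockoutduration:15   # minutes the account stays locked

# Restrict login times for a standard user (placeholder name jdoe) to weekday
# office hours; sign-in outside these hours is refused. The argument is quoted
# so PowerShell does not split it on the comma.
net user jdoe '/times:M-F,08:00-18:00'

# Screen lock after 10 minutes of inactivity for the current user profile.
# A screen saver executable must be selected for the timeout to take effect;
# the built-in blank screen saver is used. ScreenSaverIsSecure=1 requires the
# password to resume.
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'        -Value "$env:SystemRoot\System32\scrnsave.scr"
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value '600'   # seconds

# Verify: show the effective policy values.
net accounts
net user jdoe | Select-String 'Logon hours'
Get-ItemProperty -Path $desktop |
    Select-Object ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut, 'SCRNSAVE.EXE'
```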

Execution Control Overview 

Execution control refers to security technologies that prevent unapproved or malicious software from running on a computer, regardless of a user's account privileges. It reduces the risk of users accidentally or intentionally running harmful code by implementing strict rules on what software can execute. 

Trusted vs. Untrusted Software Sources 

To prevent malware like Trojans, it’s essential to control the programs users can run, especially those capable of modifying the operating system (OS). Windows and Linux use various measures to ensure only trusted software can be installed:

  • Windows: Uses Administrator and Standard User accounts along with User Account Control (UAC) to restrict program installation.

    • Code signing: Windows developers use digital certificates to prove the authenticity and integrity of software.

  • Linux: Prompts users when attempting to install untrusted software.

    • Cryptographic keys: Software packages are signed with a key, and users need the repository's public key to verify packages before installation. 

  • Mobile OS vendors: Apple's App Store and the Windows Store follow a walled garden model where apps are distributed only from trusted stores, ensuring malicious apps aren't published.

Application Control 

To further enforce execution control, many organizations use third-party network management tools. These tools allow administrators to create: 

  • Blocklists: Blocking unapproved software while allowing everything else. 

  • Allowlists: Approving specific software and denying everything else. 

AutoRun and AutoPlay 

Older versions of Windows posed a security risk by automatically running commands from an autorun.inf file whenever a disc or USB drive was inserted. This feature allowed malware to install without user consent. 

  • AutoRun: Previously allowed files from external drives to run automatically. 

  • AutoPlay: Modern versions of Windows prompt users with an AutoPlay dialog asking what action to take when a new drive is inserted, giving them more control. 

These features now work in conjunction with UAC to ensure that users must explicitly allow executable code to run, reducing the risk of unauthorized software installation. 
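As an added example (not part of the lesson), the following PowerShell script performs two execution-control checks described above: it reports executables whose Authenticode (code-signing) signature is missing or invalid, and it confirms that AutoRun is disabled for every drive type via the documented NoDriveTypeAutoRun policy value. It assumes an elevated session; the Downloads folder is used as a sample scan location.

```powershell
# Added example (not from the lesson): execution-control checks for a
# workstation. Run from an elevated PowerShell session.
# 1) Verify the Authenticode (code-signing) status of executables in a folder.
# 2) Confirm AutoRun is disabled for all drive types (NoDriveTypeAutoRun = 0xFF)
#    and that the AutoPlay prompt is turned off for the current user.

function Get-UnsignedExecutable {
    param([string]$Folder)
    Get-ChildItem -Path $Folder -Include *.exe, *.dll, *.msi -Recurse -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Sample scan location: binaries that were never signed or whose hash no longer
# matches the signature (HashMismatch) are the ones to investigate.
Get-UnsignedExecutable -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize

# AutoRun policy (machine-wide Explorer policy key). The bit mask 0xFF covers
# every drive type, so autorun.inf commands are never executed automatically.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
$current = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -ne 0xFF) {
    Write-Output "NoDriveTypeAutoRun is '$current'; setting to 0xFF (AutoRun disabled on all drives)"
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
} else {
    Write-Output 'AutoRun already disabled on all drive types'
}

# AutoPlay prompt for the current user (the Settings > AutoPlay toggle).
$autoplayKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
Set-ItemProperty -Path $autoplayKey -Name DisableAutoplay -Value 1 -Type DWord
```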

Windows Defender Antivirus Overview 

Even with User Account Control (UAC) and execution control measures, malware can still find ways to bypass security and install itself on a PC. This can happen through social engineering or by exploiting vulnerabilities. Sometimes malware doesn’t need to install at all to perform harmful actions, like exfiltrating data or snooping around the network. 

Purpose of Antivirus (A-V) Software 

Antivirus (A-V) software detects malware and prevents it from executing. It uses two primary methods for identifying threats: 

  • Definitions/Signatures: A database of known virus patterns used to detect malware. 

  • Heuristic Detection: Uses behavior-based techniques to identify virus-like activities that aren’t tied to specific virus definitions. 

Modern antivirus software, like Windows Defender Antivirus, detects various types of threats, including spyware, Trojans, rootkits, ransomware, and cryptominers.

Importance of Anti-Malware Solutions 

Given the wide range of possible threats from malware and vulnerability exploits, using a solid anti-malware software solution is essential for securing workstations. Windows Defender Antivirus is built into all versions of Windows and can be managed through the Windows Security Center.

Keeping Windows Defender Antivirus Updated 

Regular updates are crucial for effective antivirus protection. Two types of updates are typically needed: 

  • Definition/Pattern Updates: These provide new information about recently discovered viruses or malware. They can be updated daily or even hourly. 

  • Scan Engine/Component Updates: These updates fix issues or improve the scanning capabilities of the software. 

For Windows Defender Antivirus, these updates are delivered through Windows Update. Third-party antivirus software may use similar update methods.

Activating and Deactivating Windows Defender Antivirus 

Because of the nature of malware, antivirus software shouldn’t be easy to disable. In Windows Defender Antivirus, the Real-time Protection feature can be toggled off temporarily, but it reactivates automatically after a short period. 

When installing third-party antivirus software, Windows Defender Antivirus is automatically replaced. It can also be permanently disabled via group policy.

Excluding Folders from Scans 

In certain cases, it may be necessary to exclude specific folders from being scanned. For example: 

  • Virtual machine disk images might cause performance issues during scanning. 

  • False positives can occur with legitimate software or development code. 

Regular Antivirus Status Checks 

It’s important to regularly check that your antivirus is: 

  • Activated 

  • Up to date 

This ensures that your system is protected against the latest threats. 
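As an added example (not part of the lesson), this PowerShell script performs the status check just described, answering "activated?" and "up to date?" with the built-in Defender cmdlets, and lists the folder exclusions so that stale ones can be reviewed. It assumes an elevated session on a machine where Defender is the active antivirus; the three-day signature-age threshold and the D:\VMs path are sample values.

```powershell
# Added example (not from the lesson): Windows Defender Antivirus status check.
# Uses the built-in Defender cmdlets; run as administrator. The 3-day
# signature-age limit is a sample threshold, not a Microsoft default.

$maxSignatureAgeDays = 3
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

$problems = @()
if (-not $status.AntivirusEnabled)          { $problems += 'Antivirus engine is not enabled' }
if (-not $status.RealTimeProtectionEnabled) { $problems += 'Real-time protection is OFF' }
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $problems += "Signatures are $($status.AntivirusSignatureAge) days old (last updated $($status.AntivirusSignatureLastUpdated))"
}
if ($prefs.DisableRealtimeMonitoring)       { $problems += 'DisableRealtimeMonitoring preference is set' }

# Exclusions are a blind spot: an excluded path is never scanned, so each one
# needs a current justification (e.g. VM disk images, a build tree).
if ($prefs.ExclusionPath) {
    Write-Output 'Scan exclusions currently configured:'
    $prefs.ExclusionPath | ForEach-Object { Write-Output "  $_" }
}

if ($problems.Count -eq 0) {
    Write-Output "Defender OK: engine $($status.AMEngineVersion), signatures $($status.AntivirusSignatureVersion)"
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
    # Pull the latest definitions (same channel as Windows Update).
    Update-MpSignature
}

# Adding a justified exclusion for a VM image folder (placeholder path):
# Add-MpPreference -ExclusionPath 'D:\VMs'
# Removing it again once no longer needed:
# Remove-MpPreference -ExclusionPath 'D:\VMs'
```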

Windows Defender Firewall Overview 

Windows Defender Firewall is a key part of system security, working alongside antivirus software to protect the system from network-based threats. While antivirus software monitors the file system for malware, Windows Defender Firewall filters both inbound and outbound network traffic to prevent unauthorized access. 

Basic Firewall Settings 

In the Windows Settings app, users can: 

  • Activate or deactivate the firewall for specific network profiles (e.g., private or public networks). 

  • Add exceptions to allow certain applications or processes to accept inbound connections. 

Advanced Firewall Configuration 

The Windows Defender Firewall with Advanced Security console provides more granular control over firewall settings. Key features include: 

  • Inbound and Outbound Rules: The firewall allows the creation of custom rules to control which traffic is allowed or blocked. 

  • Default Policy Settings: The default action for both inbound and outbound traffic can be set to Block or Allow.

Each rule can be configured based on specific triggers: 

  • Port Security: Rules can block or allow traffic based on the TCP or UDP port number. For example, blocking TCP/80 prevents access to a web server’s default port. 

  • Application Security: Rules can control traffic for specific applications. 

  • Address Triggers: Rules can be based on the IP address or Fully Qualified Domain Name (FQDN) of the server or client host. 

Profile Configuration 

The firewall operates with different network profiles (Domain, Private, and Public). For each profile: 

  • The firewall can be turned on or off.

  • Default policies for inbound and outbound traffic can be configured to either Block or Allow.

You can also enable Block All Connections, which stops all inbound traffic regardless of the configured rules. 

Rule Management 

In the Advanced Firewall console (wf.msc), users can: 

  • Enable or disable firewall rules. 

  • Create and configure inbound or outbound rules. 

This gives you control over which traffic is allowed in and out of the network. 

Summary of Firewall Options 

  • Inbound and Outbound Rules: Control traffic direction. 

  • Port, Application, and Address Triggers: Customize filtering based on port numbers, processes, or IP addresses. 

  • Block vs. Allow: Set default actions for traffic or configure specific rules. 

  • Block All Connections: An extra layer of security to stop all inbound traffic. 
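As an added example (not part of the lesson), the following PowerShell script configures the firewall options summarized above using the NetSecurity cmdlets, which expose the same settings as wf.msc: per-profile defaults, a port trigger (the TCP/80 case from the text), an application trigger, an address trigger, and rule management. It assumes an elevated session; the rule names, program path and IP ranges are sample values.

```powershell
# Added example (not from the lesson): Windows Defender Firewall configuration
# with the NetSecurity cmdlets. Run as administrator. Rule names, the program
# path and the addresses are sample values.

# Profile configuration: firewall on for all three profiles, default inbound
# Block and default outbound Allow (the usual workstation baseline).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# Port trigger: block inbound TCP/80 on the Public profile, the example from
# the text (a workstation should not serve web traffic on untrusted networks).
New-NetFirewallRule -DisplayName 'Block inbound HTTP on public networks' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block -Profile Public

# Application trigger: allow one program (placeholder path) to accept inbound
# connections, and only from the corporate subnet (placeholder range).
New-NetFirewallRule -DisplayName 'Allow internal helpdesk agent' `
    -Direction Inbound -Program 'C:\Program Files\Example\agent.exe' `
    -RemoteAddress 10.10.0.0/16 -Action Allow -Profile Domain

# Address trigger: block all outbound traffic to one host (documentation
# address used as a placeholder).
New-NetFirewallRule -DisplayName 'Block outbound to quarantined host' `
    -Direction Outbound -RemoteAddress 203.0.113.25 -Action Block

# Rule management: disable a rule without deleting it, then list what is active.
Disable-NetFirewallRule -DisplayName 'Allow internal helpdesk agent'
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Select-Object DisplayName, Profile, Action |
    Format-Table -AutoSize

# Block All Connections for a profile: every inbound connection is dropped
# regardless of allow rules (the per-profile toggle shown in wf.msc).
# Set-NetFirewallProfile -Profile Public -AllowInboundRules False
```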

Protecting Data-at-Rest with Encryption 

Data stored on a computer, such as files on a hard disk (HDD), solid-state drive (SSD), or thumb drive, is referred to as data-at-rest. While the operating system (OS) can secure this data with access control lists (ACLs), these permissions can be bypassed if the disk is accessed by another OS. To add an extra layer of security, encryption can be applied to protect data-at-rest. 

Understanding Encryption for Data-at-Rest 

Encryption ensures that sensitive data remains protected, even if it falls into the wrong hands. Data-at-rest refers to information stored on persistent storage devices, as opposed to data-in-transit (moving over a network) or data-in-use (temporarily stored in system memory). 

One method of securing data-at-rest is through file system encryption, which locks individual files and folders so they can only be accessed by authorized users.

Encrypting File System (EFS) 

The Encrypting File System (EFS) is a feature in NTFS (New Technology File System) that allows users to encrypt files and folders. EFS is not available in the Home edition of Windows but is supported in professional and enterprise versions. 

How to Encrypt Files and Folders with EFS: 

  1. Right-click on the file or folder. 

  2. Select Properties.

  3. Click the Advanced button. 

  4. Check the box for Encrypt contents.

  5. Confirm through the dialogs. 

Encrypted files and folders will appear with green color coding in Windows Explorer, and only the user who encrypted the file can access it. Other users, even administrators, will receive an "Access Denied" message. 

Risks and Limitations of EFS 

While EFS adds strong protection to files and folders, it relies on the user account password for security. If the user’s password is compromised, so is the encryption key that secures the files. Additionally, if the key is lost or damaged due to profile corruption, password reset, or system reinstallation, data loss could occur. 

Backup and Recovery 

To mitigate the risk of data loss, it is important to: 

  • Back up the encryption key.

  • In a Windows domain, configure recovery agents who can decrypt data in case the original key is lost. 

By implementing EFS, users can significantly enhance the security of sensitive data-at-rest, ensuring that unauthorized individuals cannot access the files. However, safeguarding the encryption key and user password is essential to maintaining this security. 
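As an added example (not part of the lesson), this PowerShell script encrypts a folder with EFS from the command line, verifies the Encrypted attribute on its contents, and backs up the user's EFS certificate and private key, which is the mitigation for the key-loss risk described above. It assumes a Pro or Enterprise edition with an NTFS volume; the folder and backup paths are placeholders.

```powershell
# Added example (not from the lesson): encrypt a folder with EFS, confirm the
# Encrypted attribute, and back up the EFS certificate and private key.
# Requires NTFS on a Pro/Enterprise edition; paths are placeholders.

$folder = "$env:USERPROFILE\Documents\Confidential"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Encrypt the folder and everything in it with the built-in cipher.exe tool.
# Files created inside it later inherit encryption automatically.
cipher /e "/s:$folder" | Out-Null

# Verify: the Encrypted flag must be set on the folder and each file in it.
function Test-EfsEncrypted {
    param([string]$Path)
    $attrs = (Get-Item -Path $Path -Force).Attributes
    return (([int]$attrs -band [int][System.IO.FileAttributes]::Encrypted) -ne 0)
}
Get-Item -Path $folder, (Get-ChildItem -Path $folder -Recurse -Force).FullName | ForEach-Object {
    $state = if (Test-EfsEncrypted $_.FullName) { 'encrypted' } else { 'PLAIN' }
    "$state`t$($_.FullName)"
}

# Back up the EFS key: without it, a password reset, profile corruption or a
# reinstall makes the files unrecoverable. cipher /x prompts for a password and
# writes a .pfx that should be moved off the machine (removable media, secure store).
cipher "/x:$env:USERPROFILE\Desktop\efs-key-backup"

# Show the thumbprint of the EFS certificate currently in use.
cipher /y
```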

Full Disk Encryption with Windows BitLocker 

BitLocker is a full disk encryption (FDE) feature available in all Windows editions except the Home edition. Unlike individual file encryption methods such as EFS, BitLocker secures an entire disk, including all system files, swap files, and temporary files. This ensures that all data on the disk is encrypted without requiring user intervention for individual files or folders. 

Key Features of BitLocker 

  • Full Disk Encryption (FDE): Encrypts the entire drive, protecting all files, temporary data, and system files. 

  • Automatic Protection: Encrypts data without depending on the user to remember to do it, offering a more comprehensive layer of security. 

  • Minimal Performance Impact: Although FDE can slightly affect performance, modern systems can handle this overhead efficiently. 

  • Encrypted Removable Drives with BitLocker To Go: In addition to internal disks, BitLocker can encrypt removable drives (USB drives, external hard drives) through BitLocker To Go.

Using BitLocker and BitLocker To Go 

You can configure BitLocker through the Windows Control Panel: 

  1. Open the BitLocker Drive Encryption window. 

  2. Choose which drive(s) you want to encrypt, including internal and removable drives. 

  3. For removable drives, use BitLocker To Go, which protects external storage and requires a password or encryption key to unlock. 

Once a drive is encrypted, a password or recovery key is required to access its contents. 

Trusted Platform Module (TPM) and Startup Keys 

BitLocker can leverage a Trusted Platform Module (TPM) chip, which is integrated into the computer's motherboard. The TPM securely stores the encryption key and ties the encrypted disk to the specific machine, adding another layer of protection. 

If the computer does not have a TPM chip, you can still use BitLocker, but you'll need a USB stick or smart card to store the startup key. This key must be inserted during boot to unlock the encrypted drive. 

TPM Configuration: The TPM must be configured with an owner password, which is usually set through the system firmware. You can manage TPM settings using the TPM Management snap-in available in Windows. 

BitLocker Recovery Key 

During BitLocker setup, you'll be prompted to create a recovery key. This is a critical step, as the recovery key allows you to regain access to your encrypted data if the startup key or password is lost. 

Store Securely: The recovery key should be stored on a removable drive (or written down) and kept in a safe place, separate from the computer itself. 

Benefits of BitLocker 

  • Enhanced Security: Protects the entire disk and ensures all data is encrypted, not just select files. 

  • Ease of Use: Users don’t need to remember to encrypt individual files or folders, making it user-friendly. 

  • Protection for Removable Drives: BitLocker To Go extends encryption to portable drives, ensuring secure transport of data. 

BitLocker is a powerful solution for securing data-at-rest, offering both ease of use and strong encryption across internal and removable drives.
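As an added example (not part of the lesson), the following PowerShell script walks through the BitLocker setup described above: it checks the TPM, enables BitLocker on the OS drive with a TPM protector plus a recovery password, prints the recovery password so it can be stored away from the computer, and protects a removable drive with BitLocker To Go. It assumes an elevated session on a Pro or Enterprise edition; the drive letters C: and E: are placeholders.

```powershell
# Added example (not from the lesson): enable BitLocker on the OS drive with a
# TPM protector plus a recovery password, then protect a removable drive with
# BitLocker To Go. Run as administrator on a Pro/Enterprise edition; the drive
# letters are placeholders.

# 1. Check the TPM before choosing a protector. Without a usable TPM, a
#    startup key on USB is the alternative (see the warning text).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning 'No usable TPM: use -StartupKeyProtector -StartupKeyPath <usb drive> instead of -TpmProtector'
}

# 2. Add a recovery password first, then enable encryption with the TPM
#    protector (the two protector types cannot be passed in one call).
#    XTS-AES 256 is the strongest method BitLocker offers for fixed drives.
$os = 'C:'
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# 3. Retrieve the recovery password so it can be written down or escrowed and
#    kept separate from the computer (the "Store Securely" step above).
$vol = Get-BitLockerVolume -MountPoint $os
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Output "Recovery key ID : $($recovery.KeyProtectorId)"
Write-Output "Recovery pass   : $($recovery.RecoveryPassword)"
Write-Output "Status          : $($vol.VolumeStatus), $($vol.EncryptionPercentage)% done"

# 4. BitLocker To Go: password-protect a removable drive (placeholder E:).
#    The password is read interactively so it never sits in the script.
$removable = 'E:'
$pw = Read-Host -AsSecureString -Prompt 'Password for removable drive'
Enable-BitLocker -MountPoint $removable -EncryptionMethod XtsAes128 -PasswordProtector -Password $pw
Add-BitLockerKeyProtector -MountPoint $removable -RecoveryPasswordProtector | Out-Null

# 5. Report protection status for all volumes.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod |
    Format-Table -AutoSize
```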

Summary 

When configuring a workstation for best security practices, focusing on strong passwords, user behavior, and system management policies is essential. Implementing clear password guidelines, like avoiding personal information and ensuring adequate length, helps prevent unauthorized access. By combining these with robust account management techniques like restricting login times, setting failed attempt limits, and enabling execution control, you reduce vulnerabilities. Adding layers of protection through encryption tools like EFS and BitLocker further strengthens workstation security, making it comprehensive and user-friendly while ensuring data safety.