Workstation Security Best Practices | CompTIA A+ 220-1002 | 2.7

In this video you will learn about password best practices, account management, disabling AutoRun, data encryption, & patch/update management.

Password Best Practices

Passwords are the key to almost everything we do online, and we all probably have multiple passwords that we use throughout the day. Unfortunately, not all passwords are equally secure and some are very easy to break. Choosing hard-to-hack passwords and managing them securely can sometimes seem inconvenient. As an administrator, it is important to enforce a strong password policy that requires users to adhere to strict guidelines to gain access to the network.

Setting Strong Passwords

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. The strength of a password is a function of length, complexity, and unpredictability. Guidelines for creating a strong password should include requirements that outline a minimum length & a mixture of alphanumeric symbols and characters. The use of a password generator can aid in the creation of a strong password.

Password Expiration

There is currently debate over whether implementing a password expiration policy is a dying concept. For the time being, as far as the CompTIA A+ 220-1002 exam is concerned, implementing password expiration is a password best practice. A password expiration policy, which forces a user to change their password after a specified amount of time, reduces the chance of an unauthorized user gaining access to the password by way of social engineering, brute force, or some other attack.

Screensaver Required Password

To reduce the chance of unauthorized users gaining access to a computer that is currently in use, the authorized user should be required to set up a screensaver that requires the correct password to be entered to unlock it and regain access to the computer.

To set up the screensaver password in Windows 10:

  • Settings > Personalization

In macOS:

  • Desktop & Screen Saver menu > Security & Privacy

BIOS/UEFI Passwords

BIOS/UEFI passwords prevent unauthorized users from booting a computer, booting from removable devices, and changing BIOS/UEFI settings without permission. Note that the BIOS/UEFI password can be bypassed by resetting the CMOS on the motherboard, using either a jumper block or a reset button. If neither a jumper block nor a push button is present, removing the CMOS battery for a few minutes will also reset the CMOS.

Requiring Passwords

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords & use them properly. A password policy is often part of an organization’s official regulations and may be taught as part of security awareness training. Either the password policy is merely advisory, or the computer systems force users to comply with it. Administrators can enforce a password policy through the Local Security Policy and Group Policy in Windows.

Password policies can require users to do the following:

  • Periodically change passwords.
  • Be informed before a password expires.
  • Enforce minimum password lengths.
  • Enforce the use of alphanumeric and special characters.
  • Prevent the reuse of old passwords by keeping track of past passwords.
  • Enforce a password lockout after a specified number of unsuccessful logins.

To create or adjust password settings in Windows 10:

  • Settings > Accounts > Sign-in Options

To change or enforce password policy settings in the Group Policy Management Console:

  • Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy

[Figure: Password Policy Settings]
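
One way to check the effective settings against a baseline, as an added example that is not part of the original page: `secedit /export /cfg policy.inf /areas SECURITYPOLICY` writes the local password and lockout policy to an INF file, and the script below audits its [System Access] section. The sample INF text is constructed, and the thresholds and function names are assumptions for illustration.

```powershell
# Constructed sample of a secedit export; on a real host: $infText = Get-Content policy.inf -Raw
$infText = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
'@

# Assumed baseline for illustration only; replace with your organization's values.
$checks = @(
    @{ Key = 'MinimumPasswordLength'; Want = 'at least 12';      Test = { param($v) $v -ge 12 } }
    @{ Key = 'PasswordComplexity';    Want = 'enabled (1)';      Test = { param($v) $v -eq 1 } }
    @{ Key = 'PasswordHistorySize';   Want = 'at least 5';       Test = { param($v) $v -ge 5 } }
    @{ Key = 'MaximumPasswordAge';    Want = '1 to 90 days';     Test = { param($v) $v -ge 1 -and $v -le 90 } }
    @{ Key = 'LockoutBadCount';       Want = '1 to 10 attempts'; Test = { param($v) $v -ge 1 -and $v -le 10 } }
)

# Parse the numeric "Name = Value" pairs found inside [System Access].
function Get-SystemAccessSettings {
    param([string]$InfText)
    $settings = @{}
    $inSection = $false
    foreach ($raw in $InfText -split '\r?\n') {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')   # track the current INF section
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(-?\d+)$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    $settings
}

# Emit one result row per baseline check; a missing setting counts as a failure.
function Test-PasswordPolicy {
    param([hashtable]$Settings)
    foreach ($c in $checks) {
        $present = $Settings.ContainsKey($c.Key)
        [pscustomobject]@{
            Setting  = $c.Key
            Value    = if ($present) { $Settings[$c.Key] } else { 'missing' }
            Expected = $c.Want
            Pass     = $present -and (& $c.Test $Settings[$c.Key])
        }
    }
}

Test-PasswordPolicy (Get-SystemAccessSettings $infText) | Format-Table -AutoSize
```

A `LockoutBadCount` of 0 means accounts are never locked out, which is why the check requires at least 1.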

Account Management

Account management helps minimize unauthorized access to workstation settings and the network. The following management settings detail how to enhance account management security.

Restricting User Permissions

Restricting user permissions can help minimize damage or prevent system-wide changes to a workstation and to the network. Additional restrictions on user permissions can be implemented through Group Policy or the Local Security Policy.

Logon Time Restrictions

Logon time restrictions can be set by a system administrator to prevent user accounts from being used during certain times of the day, such as after business hours or before the start of the business day.

Disabling Guest Account

Disabling guest accounts in Windows helps to avoid potential security risks. If a visitor needs access to the Internet, setting up a guest wireless network that does not connect to the business network should be implemented if possible.

Failed Attempts Lockout

The account lockout threshold policy setting determines the number of failed sign-in attempts that will cause a user account to be blocked. A locked account cannot be used until you reset it or until the number of minutes specified by the account lockout duration policy setting expires.

Timeout/Screen Lock

Use automatic screen locking to help safeguard a system if a user forgets to lock the system manually. To enable automatic screen locking in Windows 10:

  • Settings > Personalization > Lock Screen

Manually lock a Windows computer by pressing Windows+L or by pressing Ctrl+Alt+Del & selecting Lock Computer. In macOS, it’s Ctrl+Shift+Eject or Ctrl+Shift+Power (if an Eject key is not on the keyboard).

Changing Default Usernames & Passwords

It is important to change default admin account usernames & passwords for SOHO routers & other devices as soon as possible. Default usernames & passwords for these devices are readily available in the devices’ documentation and can be easily found online.

Basic Active Directory Functions

The Windows Server environment is where basic Active Directory functions take place. Keep in mind, Active Directory is beyond the scope of the CompTIA A+ 220-1002 exam. If a support technician has access to Active Directory, basic user account functions can be accessed in the Microsoft Management Console (MMC) or in the Active Directory Users & Computers folder.

Creating, Deleting, Resetting/Unlocking, & Disabling an Account

To create an account in Active Directory:

  • Select Action > New > User

[Figure: Creating a new user account in Active Directory]

Some tasks that can be performed after a new account is created by right-clicking the user’s name:

  • Account deletion:  Removing a user from Active Directory.
  • Password reset/unlock:  Resetting a password or unlocking a locked out account.
  • Disable account:  Deactivating a user but keeping the user’s account & records in Active Directory.

Disabling AutoRun

AutoRun is a component of the Microsoft Windows operating system that dictates what actions the system takes when a CD, USB drive, or flash card is connected to a computer. Disabling AutoRun prevents CDs/DVDs or USB drives from starting automatically, which keeps any malware on the media from infecting the system before you can scan it.

To disable AutoRun in Windows through the Local Group Policy:

  1. Click Start and in the search field type gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies.
  3. Click the Turn Off AutoPlay setting.
  4. Click Enabled > OK.
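
To confirm the policy took effect, the added example below (not part of the original page) decodes the `NoDriveTypeAutoRun` registry value that the Turn Off AutoPlay policy writes, showing which drive types are covered. The function names are assumptions for illustration, and the two sample masks are constructed inputs: 0xFF corresponds to the policy's "All drives" option and 0xB5 to "CD-ROM and removable media drives".

```powershell
# Bit flags of NoDriveTypeAutoRun: a set bit disables AutoRun for that drive type.
$driveTypeBits = [ordered]@{
    'Unknown type'      = 0x01
    'No root directory' = 0x02
    'Removable (USB)'   = 0x04
    'Fixed disk'        = 0x08
    'Network drive'     = 0x10
    'CD/DVD'            = 0x20
    'RAM disk'          = 0x40
    'Reserved/future'   = 0x80
}

# Expand a mask into one row per drive type.
function Get-AutoRunCoverage {
    param([int]$Mask)
    foreach ($e in $driveTypeBits.GetEnumerator()) {
        [pscustomobject]@{
            DriveType       = $e.Key
            AutoRunDisabled = [bool]($Mask -band $e.Value)
        }
    }
}

# True only when both removable media and optical discs are covered.
function Test-AutoRunHardened {
    param([int]$Mask)
    $required = 0x04 -bor 0x20
    ($Mask -band $required) -eq $required
}

# Constructed sample masks, decoded without touching the registry.
foreach ($sample in 0xFF, 0xB5) {
    'Mask 0x{0:X2}: removable + CD/DVD covered = {1}' -f $sample, (Test-AutoRunHardened $sample)
}

# Live check of the machine-wide policy value (returns nothing if it is not set).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($prop) {
    Get-AutoRunCoverage -Mask $prop.NoDriveTypeAutoRun | Format-Table -AutoSize
} else {
    'NoDriveTypeAutoRun is not set under the HKLM policy key; the Windows default applies.'
}
```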

macOS does not support AutoRun but you can select apps to run at startup by:

  • Apple menu > System Preferences > Users and Groups > Login Items

Data Encryption

To encrypt folders or drives, use the following steps:

  • Right-click the folder/drive & select Properties > Advanced > Encrypt Contents to Secure Data > OK.

Patch/Update Management

Patch & update management is the process of managing a network of computers by regularly performing patch & update deployments to keep computers up to date. In Windows, the Microsoft Windows Server Update Services (WSUS) is used for OS application patches & updates of Microsoft products. In macOS, the Server’s Software Update service provides the same functionality for computers controlled in a macOS server environment. Linux distributions use various programs to manage updates.