Workstation Security Best Practices – CompTIA A+ 220-902 – 3.4

Are your workstations secure? In this video, you’ll learn about password guidelines, desktop security, user permissions, account lockouts, data encryption, and more.

<< Previous: Windows Security SettingsNext: Securing Mobile Devices >>


In many cases, your password is the only thing protecting your data from the rest of the world. So for that reason, you want to be sure that your password is one that’s very strong.

You don’t want to use single words as part of your password, or nothing that’s obvious like a dog’s name or a spouse’s name. You also would like to mix upper and lowercase in your password to make it more difficult to guess. And try to use special characters with your password.

Don’t simply replace an O with a 0, or a T with the 7, because the folks who are trying to decrypt your password already know those techniques. Instead, try using an exclamation mark or an @ sign as part of your password, so that these special characters make it much more difficult to guess.

A password should also be as long as possible. The bare minimum of a password should really be 8 characters. This makes it very difficult to brute force such a long password. You might even consider making the password a phrase or multiple words put together, so that you can have a long password that you could still easily remember.

If you’re the administrator of a system, you want to be sure that the passwords are changed often. There’s usually a password expiration number that you can set. You might also want to consider the option so that your system can remember the password history. That way, when people change their password, they have to choose a unique password every time.

Ideally, passwords should probably expire every 30 days, every 60 days, or every 90 days. You certainly wouldn’t want to go longer than 90 days without changing or updating your password. If it’s a critical system, it might even be more frequently than that. On these systems, it wouldn’t be unusual to change your password twice a month.

If you happen to forget your password, then you need to recover it. And you need to be sure the recovery process isn’t something the bad guys could also go through. There should be a formal process with some authentication to really require that the person resetting your password knows that it’s really you who needs to have the password reset.

On the desktop, it’s not unusual to have a screensaver. And because we have a password set for the operating system, we can easily integrate this into the screensaver so that the only way to get back into your system is to provide that password. This might even be something that’s administratively configured to turn on after a certain number of minutes. That way, if you leave your desk, you’ll at least know that the screensaver has started, and that nobody can get into your system without your password.

Windows Vista was the last operating system to allow for a function called Auto Run. This was something configured in a file that’s on a removable drive. The file name was called autorun.inf. And if that file was there, the operating system would see it, so that if you put in a USB drive or CD-ROM or a DVD-ROM, it could automatically run a program that was on that removable drive.

Of course, this is a significant security concern. So in subsequent operating systems, like Windows 7, and Window 8, 8.1, and newer operating systems, this Auto Run feature is no longer available.

Newer operating systems have a similar feature called Auto Play. Auto Play examines the files that are on this removable drive and gives you options as to what you can do with those file types.

You can, of course, make changes to Auto Play so that it does not automatically do anything by changing the configuration in your Control Panel. You should also make sure you have all of the latest security patches so that you are assured the Auto Play is up to the latest security standards.

Your computer and other devices on your network may include a number of default usernames and passwords. And if that’s the case, you want to be sure that you’re always changing from the defaults.

It’s very common to find a website that might list out a number of different devices, their default usernames, and all of their default passwords. And if you’re coming across one of these devices from the outside, this will probably be the first set of credentials you’re going to try. So make sure that you’re changing all of your passwords and preventing anyone from gaining easy access to these devices.

The BIOS of your computer also includes the option for passwords. There’s usually a supervisor or administrator password that you can assign to the BIOS. And this will prevent anybody from making changes unless they have this administrator password.

Another password you might see is the user password. This would prevent the system from booting and starting any operating system unless you have this very specific password that would then start the system.

And of course, if you’re provided the option for a password, you should always use one. You should not set a password to be blank or empty. And you should never set an auto login process that uses your username and password to bypass the authentication process.

Setting the correct permissions for people accessing your system is an important security consideration. You want to be sure that people are logging in with their username and password, and that nobody’s accessing the system with administrative access. This might be a bit of an involved process depending on how many different shares you might have on your device and how many separate users may be connecting to your system.

One way to help with this administration is to create groups. And then, you would assign the rights to an individual group. Then, you can add users to this group. And everyone who belongs to that group will then have those rights and permissions. This becomes very useful as you grow larger, where you can setup multiple groups and easily administer who has access to what resources.

Another interesting security consideration may be to limit when people can access your system. If it’s the middle of the night, you know that no one should be accessing your computer. You can restrict any type of access or login during those hours.

There are probably some user accounts on your computer that are unnecessary. For example, there might be a guest login that you might not want anybody to ever access your system with that guest logon. If there are some of these unnecessary accounts, you can disable them or remove them completely from your system.

Some accounts are on your computer so that system services can run. If that’s the case, you can configure that account so that it can still operate on your computer, but no one can interactively logon with that particular account name.

Another useful best practice is to change the default login name for these accounts. That way, if someone is trying to brute force a particular username, they’ll never be able to gain access because you’ve changed what that username happens to be.

If somebody is trying to brute force your system from outside, they’re going to try going through a certain set of usernames and passwords. But after a certain number of tries, your system is probably configured to lock out that account. This is something that is normally used to prevent these types of brute force attacks. And you want to be sure that it’s always enabled on your user accounts.

You might also want to turn this on for service accounts. That way, if someone is trying to access or use a service ID, you would lock out that particular account as well. Sometimes, your service accounts are very important, so you want to be sure to monitor them very carefully and know if someone is ever locked out of a service account.

If a user does leave the organization, or they no longer need that login, it’s usually a best practice to disable the account rather than deleting it immediately. There are usually a number of files and permissions associated with that user, especially if they’re performing any type of encryption. So make sure you have all of your data and everything that you need before ever deleting an account.

To protect data on your system, you may decide to begin encrypting the information. You can either do a full-disk encryption, where you’re encrypting an entire drive. Or maybe, you’re choosing individual files and folders and performing individual file encryption. You also have the option to encrypt removable drives. So everything on your USB key can be encrypted. And that way, if you lose that USB key, nobody can access that data.

If you’re performing any type of encryption, having backups of this data is incredibly important. You don’t want to forget the key or lose the key and then not have access to any of this information. If you’re in a relatively large organization, this encryption key may be backed up as part of your Active Directory infrastructure. You want to be sure that regardless of whether you lose the data or the key, that you have a way to recover that information.

If you want to keep your system safe, then you always need to have the latest security patches installed. These are usually updated on a weekly or monthly basis. And it’s something that will not only keep your system secure, but also maintain the stability of your operating system.

The update process is usually built into the OS. There’s usually an update utility that will install the patches when they’re available. Or if you’re part of a larger organization, there may be a process internally that automatically deploys these from a central location.

Sometimes, an application itself will performance its own updates. When you’re starting an application, it checks to see if a newer version is available. And if it is, it will automatically install an update of the current version of the application.

The key is to always stay up to date. New vulnerabilities are discovered all the time. And by staying up to date with all of these security patches, you’ll have the best opportunity to keep your computer safe.