Workstation Security Best Practices – CompTIA A+ 220-1002 – 2.7


Keeping your workstation secure is important at both work and home. In this video, you’ll learn some best practices for securing your computer and data.

<< Previous Video: Windows Security Settings Next: Securing Mobile Devices >>


The first line of attack, when we’re referring to security on a workstation, is your password. You want to be sure your password is not a single word or that it’s not an obvious password that may be associated with you. You also want to consider making the password something very difficult to guess. You may want to include uppercase and lowercase characters in the password. And you might also want to use numbers and special characters.

Many people will use normal words. But they’ll use special characters to replace some of the letters. For example, instead of a letter O they’ll use a zero. Or instead of the letter T, they’ll use a 7. The attackers already know that people do this. So as they go through their dictionary attack, they will already perform this substitution to see if you’ve done the same thing with your password.

We generally consider an eight-character password as being relatively strong. And in some organizations you can have even longer passwords, or even phrases to use, so that you have a very long password that someone would have to guess.

And as you’ve probably seen in your place of business, you have to change your password periodically. This is to prevent someone who has gained your password from using that password over an extended period of time. If you change your password every 15 days, it limits access to the person who knows your password for that particular time frame.

You’ll also notice that the system that you’re using will remember your password history. So you can’t simply switch back and forth between two well-known passwords. You have to use something unique every time.

The time between these password changes varies widely, depending on the organization. In some places it may be 60 or 90 days before you have to change your password. In other organizations, it may be a very short frame. These requirements may be different depending on the type of information that you’re trying to protect and the type of role that you have in the organization.

If you forget your password, there needs to be some type of password reset process. The important thing is that you don’t make this process very trivial. This is a very popular attack vector for the bad guys. They know that they can circumvent your password by making the administrators change the password for them. So you want to have some way to verify that the person who needs the password changes is really the person who owns the account.

Many organizations will also require that your system have an automatic lock after a period of non-use. This prevents somebody from walking up to your desk when you’re not there and using your workstation and having access to all of your files. This would usually integrate with your login credentials. So to unlock your screen saver, you simply use the same username and password that you use to log into your system at the beginning of the day.

In Windows Vista and earlier versions, there was a feature inside of Windows called autorun. Autorun was a capability that automatically launched an application when you inserted some media, such as a DVD-ROM or a CD-ROM. This became a significant security concern. So in all editions of Windows after Windows Vista, including Windows 7, Windows 8.1, and Windows 10, you won’t find the autorun feature available in those operating systems.

There is a similar feature to autorun called autoplay. When you insert media into Windows, it will examine that drive. And if it finds audio files, for example, you can have autoplay automatically launch a particular application to be able to play those files. Although this has a much narrower focus than autorun did, some people still feel that it does have some security concerns. So you have the ability as an administrator to enable and disable this capability.

Not only should you make sure that the passwords on your workstation are very strong, you want to be sure that you have your own passwords configured on your infrastructure equipment. There are switches, routers, firewalls, and other infrastructure devices that have default usernames and passwords. So if you’re installing any of these systems into your network, make sure you change the passwords on all of those components.

There are also passwords that you can configure on the individual computers. This is done through the BIOS, or UEFI BIOS. These passwords can either be supervisor or administrator passwords that would prevent someone from changing the configurations of the BIOS. But you can also configure user passwords where, when the system boots up, the user must input the password to continue the boot process.

And another best practice for using passwords is to never store a password or make the password blank. This will allow someone to circumvent the login process, and effectively allow complete access to your system.

It’s important that the user permissions on a system are configured to give someone just the rights they need to perform the tasks for their particular job. You never want to provide administrator access for everyone on the network. This will allow malware to run itself as administrator on a system, giving it full access to the computer. Determining exactly what type of permissions someone needs may include a lot of research. So there will be audits required to determine exactly what type of access someone might need for their job.

Instead of assigning rights and permissions on an individual basis, many organizations will create groups and assign permissions to the groups. This makes it very easy to add users to the group. And those users would then have the permissions associated with that particular group.

And you may find that your ability to log in after hours may be limited. This would certainly limit an attacker’s ability to log in after hours, which would also limit the scope of what they may be able to accomplish if they gain access to the network.

If you’re running Windows, Linux, or Mac OS, you’ll find there are some user accounts that are in the operating system by default. For example, there may be a guest account created automatically when you install the operating system. From a best practice, then, you may want to disable any accounts that you know you’ll never need. You can disable the guest account, for example. And then no one would be able to use the guest account to then perform any type of attack on your system.

However, there may be some user names that services use. So you have to keep those accounts active. But one of the things you can change is to disable any interactive logins. This would allow the service to continue to use the user name. But no one would be able to log in to that user from the login prompt. And if your operating system has any default credentials, such as username admin and password admin, then you’ll want to change those credentials before installing this system on the network.

There will always be changes to the network. And you’ll always be adding users and removing access for particular users. If a user is trying to log into the network and is using the wrong password over and over again, after a certain number of bad passwords the account will be locked. That usually requires that the user call into the help desk and go through the normal reset process for that account.

Some accounts, though, also can run into this problem. Service accounts, for example, need a username and password to log in to the service account. And if that password ever changes, you may find that certain services are not able to run on the network. Some organizations will disable this lockout process for service accounts. Or they’ll have a different process for changing the password so they don’t run into any problems with the service account not being able to log in.

If someone wants to leave the organization, it’s very common to disable the user account and not delete the account. Sometimes deleting an account can also delete important information associated with that account. For example, the encryption password used for all of the user files may be tied to the login account. And if you delete the login account, you’ll never be able to recover those files.

In most Windows environments, this process for managing user accounts and passwords can all be managed from one central location. This is called Active Directory Domain Services. And it’s a centralized way of managing all of the devices and accounts on your Windows network.

The management features of Active Directory allow us to add and remove users. And of course, we can change all of the details associated with that user account. If somebody forgets their password, we can reset the password and unlock the account to give them access to their files. Or you can disable the account when someone leaves the organization. And all of that can be managed from this one central console in Active Directory.

There are many different ways to protect the data that we store on our laptops or desktops and our other mobile devices. It’s very common to use full-disk encryption when you want to encrypt every file of every part of the system. For example, in Windows you can use BitLocker to encrypt entire Windows volumes.

If you don’t need the entire disk encrypted but you need individual files or folders, you may want to use a file system level encryption, such as EFS in Windows, which is the Encrypting File System. And if you’re using removable media, such as a USB drive, you may want to also consider some type of encryption for that as well. Those USB drives are very easy to lose. And if you’re encrypting all of the data on the USB drive, you can feel safe knowing that no one would be able to access that data.

In Windows, all of these features are integrated into the operating system. And if you’re using Active Directory, your decryption keys can also be saved in that Active Directory database. That way, if the administrator of the system needs access to those encrypted files, they’ll have the decryption key available in the Active Directory database.

And one of the best things that you can do to keep your system safe is to always update and patch your operating system and your applications. There are security updates and stability improvements released in Windows every month. So you want to be sure that you at least have the latest version of Microsoft’s updates.

If you’re using Windows at home as a standalone computer, then the update process is built into the operating system. In larger environments you may want to have a staggered upgrade process, where the IT department can test the patches, make sure those security updates are working as expected, and then deploy those updates to everyone else in the organization.

Many third-party applications will also have their own built-in updater within the app. So when you launch the application, it checks to see if an update is available. And then it puts a message on your screen to ask if you’d like to update now or if you’d like to update at some other time. The hackers are very good at creating exploits as soon as these vulnerabilities are announced. So you want to be sure to update your system as soon as these security patches are available.