Security Best Practices – CompTIA A+ 220-1102 – 2.6

There are some fundamental security processes that can help keep your Windows OS safe. In this video, you’ll learn about data encryption, password management, managing accounts, and more.

One way to keep someone from viewing your data is to encrypt it. And one way to encrypt everything on your drive is through the use of full disk encryption or FDE. You’ll sometimes hear this referenced as encrypting data at rest, which refers to information on a storage drive. If you’re not encrypting the entire drive with full disk encryption, you could choose to encrypt individual files or folders.

This is sometimes built into the file system you’re using. For example, NTFS on Microsoft Windows supports the ability to pick and choose exactly what you’d like to have encrypted. And since it’s so easy to lose one of those very small USB drives, it’s also useful to encrypt all of the data that’s stored on those drives. Just as encrypting data is important, having a way to manage the decryption key is also important.

You want to be sure you don’t lose that decryption key, because if you do, you won’t have any access to that encrypted data. If you’re in an environment running Active Directory, some of the keys, especially with Microsoft NTFS and BitLocker, are stored within the Active Directory database. That way, if your system does have a problem and you need to restore from backup, you can also restore the decryption key.

The proper implementation of user passwords is constantly debated in the industry. We want to be sure that we’re using very strong passwords that can’t easily be guessed and will be very difficult to brute force. When we talk about the complexity of a password, we also describe it as entropy. Entropy is a measurement of how unpredictable a password is.

So we don’t want to use single words, we don’t want to use any obvious passwords, and inside the password itself we want to mix uppercase, lowercase, and use special characters. These days, we generally consider a strong password to be 8 characters or longer. In many cases, we’re encouraged to use a phrase or series of words put together to make the password as strong as possible.

In the vast majority of cases, passwords are configured to automatically expire after a certain amount of time, usually 30 days, 60 days, or 90 days. The system that you’re using will remember the passwords that you’ve used so that you can’t simply use the same password over and over again. If you have a critical system, you may find those passwords being changed more often. The time frames associated with this are usually based on the password policies that already exist in an organization.

And lastly, resetting this password should be a very clear process that has a series of verifications so that the person who’s asking for the reset is really the person who owns that account. If you’ve ever installed a switch or router, you know that there is a default username and password associated with that device. And generally during the setup process, the device will prompt you to change this default password for security reasons.

That’s because there are plenty of websites that document the standard or default usernames and passwords for all of these different devices. So if an attacker is trying to gain access to a system, one of the first things they’ll try is the default username and password for that device. We also have passwords on our individual devices in our UEFI BIOS.

There’s generally an administrator password, which would be required if you wanted to make changes to configurations of the BIOS. There’s also the option for a user password which stops the boot process until a password is entered into the BIOS, and only at that time will the operating system be loaded. Some good best practices would be to always require a password, never allow a blank password on a system, and never allow a system to automatically log in with the username and password.

We also want to be sure that our operating systems will automatically lock the screen when a user is away from the computer. There are a number of operating systems that will detect when you leave a computer and will automatically lock the system. Or there may be a timeout, so after a certain number of minutes of inactivity the system will automatically lock the screen. In Windows 10, you can set up this lock under the Personalization options under Lock screen, and Windows 11 has exactly the same configurations under the Personalization option.

Although this can be configured as a manual activation, it should also be configured for automatic activation if there’s no activity on the system. And if this is a laptop, or a tablet, or some other device that’s very easily moved from one place to another, you may consider using some type of locking hardware. This would connect your device to something that might be difficult to move such as a table or a chair.

Many of us have access to sensitive information as part of our normal job. Some of this information can be categorized as PII, or Personally Identifiable Information. This might be a person’s name, address, phone number, Social Security number, or anything else that might tie that piece of data back to that person. If you’re in a public area and you’re working with this type of data, you want to be aware of who’s around you and might be looking at your screen.

You want to be sure no one has access to any of this PII. And if you’re in an area where other people might be around such as a coffee shop or an airport, you may want to consider having a privacy filter on your system so that no one to the left or right would be able to see anything on your screen. You might also want to check your monitor at work to see where it might be facing when you’re working with this PII. You don’t want someone walking by your office and seeing sensitive information on your display.

Once someone authenticates, they’re provided with rights and permissions that allow them access to resources on that service. We wouldn’t assign administrator access to everyone in the organization. Instead, we would create rights and permissions that were specific for that person and their job function. In most organizations, there are a series of groups that have permissions associated with them, and then you would assign individual users to whatever group is appropriate for their job function.

Another good best practice would be to limit access to the network during certain hours of the day. If you know that certain people would never be on the network between midnight and 4:00 AM, it might be a good idea to restrict log in during that time to prevent any access from any third parties. You might also want to administratively disable any accounts that don’t need to interactively log in to these devices.

If you look at different account names that might be on an operating system, you may find a large number of accounts that are either created by default when the operating system is installed, or they were installed as part of an application. But many of these accounts are not necessary for the operation of this system. So we might want to disable any of these unnecessary accounts, and we might also want to consider disabling any guest accounts.

Some of these accounts are created to run background processes or background services. They are never used to log in to the system. So it might be a good idea to administratively mark those accounts as never needing interactive login. This would mean the accounts could stay on this system and continue to work, but no one would ever be able to interactively log in at a username prompt using those service accounts.
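
As an added example (not part of the original video), this read-only PowerShell review lists the local accounts and flags the conditions described above: an enabled Guest account, an account that allows a blank password, and enabled accounts that are never or rarely used. The 90-day window is an assumed value, and the script needs the Get-LocalUser cmdlet from Windows PowerShell 5.1 or later.

```powershell
# Added example: read-only review of local accounts. Nothing is changed.
# Assumption: 90 days without a logon makes an account worth reviewing.
$staleAfterDays = 90
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$report = Get-LocalUser | ForEach-Object {
    $flags = @()
    if ($_.Enabled) {
        # The built-in Guest account keeps the well-known RID 501 even if renamed.
        if ($_.SID.Value -like 'S-1-5-21-*-501') { $flags += 'Guest account enabled' }
        # PasswordRequired = False means the account may have a blank password.
        if (-not $_.PasswordRequired)            { $flags += 'Blank password allowed' }
        if ($null -eq $_.LastLogon)              { $flags += 'Never used to log on' }
        elseif ($_.LastLogon -lt $cutoff)        { $flags += "No logon in $staleAfterDays days" }
    }
    [pscustomobject]@{
        Name      = $_.Name
        Enabled   = $_.Enabled
        LastLogon = $_.LastLogon
        Flags     = $flags -join '; '
    }
}

# Full inventory, enabled accounts first.
$report | Sort-Object Enabled -Descending | Format-Table -AutoSize

# Enabled accounts with at least one flag: candidates to review and disable.
$report | Where-Object { $_.Enabled -and $_.Flags } | Select-Object Name, Flags
```

After confirming that nothing depends on a flagged account, it can be disabled with Disable-LocalUser rather than deleted, so it can be re-enabled if needed.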

And just like there are default usernames and passwords for switches, routers, and other devices, there are also default accounts for things like operating systems, so you want to be sure that your operating system does not have any of these default settings in any of the authentication options. You know that if you’ve forgotten your password for an operating system, you have a number of chances to get it right before the entire account is locked and has to be reset.

This is to prevent somebody from performing a brute force attack where they could simply try password after password in an attempt to find one that matches that account. In Microsoft Windows, there’s a security policy for this called Interactive logon: Machine account lockout threshold. And you can define exactly how many times someone can try a password before that account is locked out.

It’s also a good best practice to have the system automatically lock itself after a certain amount of inactivity or when you walk away from the computer. There’s another security policy for this called Interactive logon: Machine inactivity limit, where you can specify how long the system will wait before automatically starting the screen saver and locking the system.

Back in the day of Windows Vista and earlier, there was a feature in the operating system called AutoRun. AutoRun would execute when you plugged in some type of removable media. So you would plug in a USB drive, or you’d insert a CD-ROM or DVD-ROM, and your system would automatically run a file that’s located on that storage device. If it seems like that feature would be a significant security concern, you would be right, and Microsoft agreed with you and removed that capability in Windows 7 and later.

There’s a similar feature in Windows called AutoPlay. You can find that under Settings, Bluetooth and devices, and AutoPlay. If AutoPlay is turned on, you’ll have the option to choose what you would like to occur when somebody plugs in a removable drive. You can configure storage settings, you can take no action, you can open a folder to view files in File Explorer, or you can have the system ask you each time you connect a removable drive.

In many organizations, you may want to disable both of these features so that no one can accidentally run something they weren’t expecting when they insert a removable drive.
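
As an added example (not part of the original video), this read-only PowerShell check reads the registry values behind the two Interactive logon policies named earlier, the automatic logon setting, and the AutoRun and AutoPlay settings described above. Get-RegValue is a helper defined here, and the 900-second idle limit is an assumed policy value.

```powershell
# Added example: read-only check of lock, logon and removable-media settings.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name }
}

$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$autoplay = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

$maxIdleSecs = 900   # assumption: lock after at most 15 minutes of inactivity

$idle    = Get-RegValue $system   'InactivityTimeoutSecs'            # Machine inactivity limit
$lockout = Get-RegValue $system   'MaxDevicePasswordFailedAttempts'  # Machine account lockout threshold
$autoLog = Get-RegValue $winlogon 'AutoAdminLogon'                   # "1" = automatic logon
$noRun   = Get-RegValue $explorer 'NoDriveTypeAutoRun'               # 0xFF = off for all drive types
$noPlay  = Get-RegValue $autoplay 'DisableAutoplay'                  # 1 = AutoPlay off (current user)

$checks = @(
    [pscustomobject]@{ Setting = 'Machine inactivity limit (seconds)'; Value = $idle
        Ok = ($null -ne $idle -and $idle -gt 0 -and $idle -le $maxIdleSecs) }
    [pscustomobject]@{ Setting = 'Machine account lockout threshold'; Value = $lockout
        Ok = ($null -ne $lockout -and $lockout -gt 0) }
    [pscustomobject]@{ Setting = 'Automatic logon disabled'; Value = $autoLog
        Ok = ($autoLog -ne '1') }
    [pscustomobject]@{ Setting = 'AutoRun off for all drive types'; Value = $noRun
        Ok = ($noRun -eq 0xFF) }
    [pscustomobject]@{ Setting = 'AutoPlay off for current user'; Value = $noPlay
        Ok = ($noPlay -eq 1) }
)

# An empty Value column means the setting has never been configured.
$checks | Format-Table -AutoSize
```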