Workstation Security Best Practices – CompTIA A+ 220-802: 2.3

| May 23, 2013

If you’re looking to keep your workstations secure, then you have to be constantly vigilant. In this video, you’ll learn about best practices dealing with password complexity, user permissions, account availability, and desktop security.

<< Previous Video: Common Security ThreatsNext: Disposing of Sensitive Data >>


We use user names and passwords to authenticate to resources on our computer and on the network all the time. So a very good best practice is to make sure that the password that we’re using is as strong as possible.

It’s not unusual, when you’re building a password, to get recommendations, for instance, that say, don’t use a single word. Those are so easy to brute force. We can simply go through a dictionary and find what word you happen to use.

And don’t use anything obvious. How many times do you see someone using the name of their dog, the name of their cat, the name of their wife or their husband in order to find a password that they can remember?

You want to be able to mix upper case and lower case so that it becomes a little more difficult for bad guys to try to brute force that. They might try all lower case. They might try all upper case. But if you try to mix those up, even in the middle of a word, it’s a little bit harder to brute force.

And you also want to use special characters. Use the “@” sign. Use the “!” mark. Use letters and numbers inside of the password. Mix them up. Don’t try to be cute. Don’t try to take something like the letter “O” and replace it with a “0” or the letter “T” and replace it with a “7.”

The bad guys already know that people try to do that. So whenever they’re doing a brute force, they’ll automatically duplicate that, as well. They’ll replace the “Os” with “0s” to try to see if they can figure out what words you used. Try to use a password that is at least eight characters long.

Try to make it even a phrase if the website allows that. Multiple words together can be very powerful. Or take a phrase that you know, and simply use the first letter from every word in that phrase.

It turns out it’s not even a word that you can brute force. It’s just a lot of letters that you’ve put together. But that is at least a better password than using something that is a well known word that can be easily brute force attacked. And lastly, as a best practice, don’t disable the input of a password.

There are settings in Windows, for instance, that allow you to log in automatically without putting in any user name and any password. And it’s just a bad idea. Because certainly, there is going to be information on your computer that you don’t want anyone else to have access to.

Another good best practice is to limit the access of that information. You don’t want everybody to be an administrator on the network. You only want to assign the rights and permissions necessary for somebody to do the job that they need to do.

Unfortunately, this may involve a bit of an audit, especially if it’s an organization that has, in the past, tended to give a lot of different people administrator access. So you may have to modify or reel in some of those administrators that you created in the past and give them rights and permissions that better fit what they’re trying to do.

You can also think about setting rights and permissions based on groups. Group people together. Have the HR department, the shipping and receiving department, the accounting department. Maybe, you base your group on an application, and you assign the proper rights and permissions to the group so that when you add someone to the group they can now access the application.

And when you remove them from the group, they no longer have that access to the application. This is much easier to do then doing this on a per user basis. It’s also much easier to do it this way when you need to audit things later to make sure that people have the right permissions for what they need to do.

It doesn’t matter what operating system you’re using. There are user accounts that were created during the building of that operating system that you may or may not use. You may find a guest account, a root account, a mail account, so many other accounts in there, as well. Not all of these accounts are going to be necessary. So make sure that you disable any of these accounts that no one will ever need to log into.

You also might want to remove the ability for a user name to log into the system. A lot of these user names were created for an application to use on that computer. You never have to interactively log in from a console so you can turn off the interactive log on and still allow the application to work on your system.

You also want to think about maybe changing the default user names. There have been applications that have used default user names of admin. And now the bad guys know exactly what user name they should be using when they want to do a brute force attack.

By simply changing that admin user name, they can still try to do their brute force. But now they’re trying to do a brute force with the old name, which means no matter what password they try, they’ll never be able to gain access using that particular set of credentials.

On the desktop, there are a few things that you can do, from a security perspective, like adding a password to a screen saver. If a screen saver kicks in, it should be set up to automatically password protect it when you come out of the screen saver. And in Windows, that could be a single check box. And of course, someone who is administering an entire domain of Windows users’ machines can do this administratively from one place.

In Windows XP and Windows Vista, there is a capability called AutoRun that was used. Whenever you put a piece of media in your computer, a program would run automatically. Well, if that sounds bad, that’s because it was bad.

And a lot of the bad guys found that they could put some code onto a USB key or onto a CD, have you put that into your computer, and you would be running programs without any permission from you.

Microsoft gave us a way to disable that through the registry in those operating systems. So you can always reference Microsoft’s documentation for disabling that capability entirely. And in Windows 7, it’s not even a capability at all. It was removed from the operating system. There’s no way to do an autorun inside of Windows 7.

Instead of using AutoRun, Microsoft has changed this to something called AutoPlay, where the applications won’t run automatically. Instead, it pops up a message that says, what would you like to do? You’re putting in this piece of media, like a removable disk.

Do we play information using a certain application? Do we create a disk? Do we play music? Do we open a folder and view files? So you get to control what applications are going to run. And you can modify the applications that run in your Control Panel. Or you can completely remove the capability to do any of this AutoPlay when you insert some media.

Tags: , , , , , , , , , ,

Category: CompTIA A+ 220-802

Comments are closed.

X