A plus 1002 Sub-objective 2.7 – Given a scenario, implement security best practices to secure a workstation. – Dumps4shared

A plus 1002 Sub-objective 2.7 – Given a scenario, implement security best practices to secure a workstation.

Go back to A+ 220-1002 Domain 2.0 table of content

Welcome to ExamNotes by Dumps4shared! This edition will examine A plus 1002 Sub-objective 2.7 which addresses the best practices for securing a workstation in terms of deployment and enforcement. Recommended password policies will be discussed first followed by account management, permissions, and other important topics.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Password best practices

A notable software vendor sees over 10 million username/password
attacks daily. With that hazard level, it is clear that the strongest account
defense that is practical should be implemented. This includes using the
safeguards discussed below as much as possible.

Setting strong
passwords

Strong passwords are one of the most common protection tools.
Depending on the environment, the password length and complexity requirements
may differ. Let’s look at the strictest compilation of these factors.

The strongest minimum requirement we have seen for password
length is 16 characters, so please use that. In terms of complexity, make sure
to use a non-sequential combination of upper and lower case letters, numbers,
and special characters. It is easy to imagine that a random complex password
will be tough to remember. However, it is important to make the password hard
to guess. Do not include your actual name, nickname, pets, children, or
birthdays. In addition, combinations of words and symbols that form a logical word
are not recommended.

For example P@55w0rdi5mynam3 is easily cracked by anyone with
the right skills. Use a combination that you can remember. AsY!!yvv@rini681
will work and a good mnemonic can be “Asillywarning81.” Use what works for you
while remembering the guidelines.

You may be asked which of the passwords from the given list is the
strongest. Remember that length, complexity, and a lack of dictionary terms are
all factors that contribute to a strong password. Finally, consider that in
some cases a blank password is better than a weak one as an attacker, faced
with limited attempts at guessing a password every 15-20 minutes, will not
waste an attempt by guessing a blank password. However, realize that the blank
password on an administrator account can be abused anonymously by anyone with
that knowledge.

Password
expiration

It is recommended that users be required to reset their
passwords as frequently as deemed practical through password expiration. Often,
passwords are set to expire every 30 days, requiring users to reset their
passwords monthly. The frequency of password changes can set anywhere between
30 and 90 days. In some cases, a password history is enforced by the administrator.
For example, Microsoft servers store 24 previously used passwords per user.
This feature prevents a user from reusing old passwords thereby compromising
security.

Changing
default user names/passwords

Each operating system installation creates several accounts such
as the BUILTIN\\Administrator and the BUILTIN\\Guest account. These two accounts
in particular are targets for hackers since half of the username/password
puzzle has already been provided. It is much easier for hackers to hammer on a
specific account when the username is known and the password is the only
obstacle.

Given how easy it is to hack these accounts, let’s see how these
accounts can be renamed or disabled. Changing these accounts require
administrative privileges to be assigned to another party (yourself?).
Interestingly, the BUILTIN\\Administrator account is used only during
installation and repair operations. If the Recovery Console or Safe Mode is
needed, the Administrator account is re-enabled to facilitate any repairs.

The BUILTIN\\Guest account is a similar vulnerability. This
account has limited privileges but can still access the local programs. This
account is disabled by default, however it should still be renamed and password
protected. Shown below is the Local Group Policy Editor which displays the
Local Security Policies and the Rename administrator window. Notice below in the
Rename window that in addition to being disabled, there are specific settings
available that can be used to rename the accounts defined above. Also notice
that the use of blank passwords is limited.

Change administrator account name

Screensaver
required password

When a system is left powered on and unattended, there is a
prime opportunity for unauthorized access. This can be prevented by enabling a
screensaver password. In this case, a system is set to activate the screensaver
after 5-10 minutes of inactivity, after that period the system cannot be
accessed without authentication in the form of a password. This is referred to
as a Screensaver password lock.

Screen lock logon

BIOS/UEFI
passwords

BIOS/UEFI passwords are a fundamental line of defense if you
have a PC that is unsupervised or in a compromising location. There are two
forms of password protection available in the system BIOS/UEFI: User password
and Supervisor password. The User password allows machine access and enables
the user to view but not change any settings in the BIOS/UEFI. The Supervisor
password is necessary to make changes in the BIOS/UEFI.

This is important because any unsupervised/unauthorized party should
not be able to change the boot options in order to boot from a CD or USB device,
bypassing the system security. Booting to another operating system can permit
unauthorized access to the system, jeopardizing the internal storage and
possibly the network. Shown below is an attempt to enter the BIOS/UEFI. There
is no practical way around this “password” apart from cracking the case.

Prompt BIOS Password

Requiring
passwords

Organizations require passwords in order to access devices and
data on their network. Local machines can manage password requirements in the
Account settings (in the Group Policy Editor) for all accounts, as you will
see.

Account management

In the Windows environment, accounts can be managed using several
ways. In a business environment, Active Directory is used to manage both users
and devices. On a local machine, three options are available. First, Control
Panel > Users and Groups can be used to add or delete users, change
passwords, and elevate a standard user to an administrator or vice versa.

Control Panel User Account window

In addition, an online Microsoft account can be used to change the
username and password as well as setting up the account to be used on multiple
devices.

Second, the Computer Management Console can be used to manage local Users and Groups. Third, most comprehensive management can be performed using the Group Policy Editor, either through the group policy object snap-in or by typing gpedit.msc at the Run line.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Restricting
user permissions

The PoLP (Principle of Least Privilege) should always be
observed when assigning or restricting user accounts. Please ensure that the
user has functionality suitable for their job description without exceeding it.

Login time
restrictions

Restricting login hours for a user or group is a recommended way
to prohibit unauthorized access. Since these restrictions are generally
assigned to a user group, it is important to review the group membership in
order to determine if any group members require access outside normal business
hours.

Disabling
guest account

As mentioned earlier, the guest account is one of the built-in
accounts created on all Windows machines. The account name of the guest account
is widely known and as a result, compromises half of the security of this account.
All members of the guest group have privileges equivalent to the guest account.
In practice, it makes sense to disable the guest account.

Failed
attempts lockout

Group policy settings allow an administrator to set the number
of incorrect password attempts before the account is locked. The duration of
the lockout can also be set by the administrator and is variable.

Timeout/screen
lock
 (see also “Screensaver
required password” above)

The Screensaver can be set to increase security by accessing the
Screensaver Properties and selecting “On resume, display logon screen” as shown
below.

Set Screenlock

Basic Active Directory Functions

Active
Directory (AD) describes a collection of services and related databases in
Windows Server that can be used to control access to the Domains and the
activities permitted.

AD is used
to manage a Windows Domain using five services:

Active Directory Domain Services (AD DS)
authenticates user accounts and provides authorization for user activity in the
Domain.

Active Directory Certificate Services (AD
CS)
securely manages the identities of computers, users and services.

Active Directory Federation Services (AD FS)
is used with outside organizations to secure trust relationships.

Active Directory Rights Management Services
(AD RMS)
provides data security.

Active Directory Lightweight Directory
Services (AD LDS)
provides application security.

Together,
these services work together to organize the AD hierarchal structure from the
top down. Active Directory creates a
forest
consisting of all resources of a particular entity, such as a
company or school, organized at the highest level.

A typical
Active Directory Domain Server Dashboard interface is shown below. The tools
menu is activated with Active Directory Users and
Computers highlighted. User management is performed here.

Active Directory Dashboard

Account
creation

Computer
and user accounts are created and deleted using the Active Directory Users and
Computers snap -in found on the Server Manager Tools menu shown above. A new
user account can be created by right-clicking Users in the left pane and
choosing New.

New User

Disable account

In Active
Directory, the guest account is disabled by default. If the guest or any
account needs to be disabled, right-click the user, access the Account tab of
the user Properties, and check the Account is disabled box in the Account
Options section. In the image below, you can see that the Dumps4shared account is
disabled.

Disable account

Password reset/unlock
account

Password
management is a very common way for users to get locked out of their accounts.
Several incorrect login attempts will lock the account, requiring the admin to
unlock it. If the user is sure they know the password and got locked by
accident, often the issue can be traced to Num Lock or Caps Lock. Accounts can
be unlocked using the User Properties Tools tab as shown below.

Unlock account

If the user has forgotten their password, it will need to be reset. Close the properties, right-click the user, and choose Reset Password. A small Reset Password dialog (inset) will open where a one-time password can be assigned. The user will be required to change the password after they login.

Reset Password

Account
deletion

When a
user needs to be deleted, simply right-click the user in AD and choose Delete.Delete User

Delete User

Disable autorun

AutoRun and AutoPlay both allow removable devices, such as USB
drives and CD-ROMs, to automatically run executable files. This is a preferred
malware tool since an innocent looking executable file can be placed on a CD
and can be run without intervention. That’s just too easy.

An infected machine that accesses a USB drive or burns a CD will
put a copy of the malware on the media. When that disc or drive is placed in a
machine that is using AutoRun or AutoPlay, the malware is copied to the new
machine. Disable these features in Computer Management, Enable the turn off
Autoplay option, and set the AutoRun policy to Disable. Here is AutoPlay on a
removable device.

Autoplay

Data encryption

NTFS files and folders can be securely encrypted using the
Encrypted File System (EFS). When a folder is encrypted, all of its contents
including subfolders will be encrypted. This is set in Windows Explorer or File
Explorer by Right-click > Properties > General Tab> Advanced and
checking the box to Encrypt contents.

Data Encryption Enabled

Patch/update management

New problems and attacks are discovered on a daily basis. The only defense is to keep the system up-to-date with the latest AntiMalware definition and Operating System updates. The process may be automatic, but if it is not please check updates daily. That’s all for 2.7 and we hope it provided some insight. Good luck on the test!

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Pass Your IT Certification Exams With Free Real Exam Dumps and Questions

Full Version 220-1002 Dumps

Tagged ,