2.6 Given a scenario, configure a workstation to meet best practices for security

  • Data-at-rest Encryption
  • Password Best Practices
    • Complexity Requirements
      • Length
      • Character Types
    • Expiration Requirements
    • Basic Input / Output System (BIOS) / Unified Extensible Firmware Interface (UEFI) Passwords
  • End-User Best Practices
    • User Screensaver Locks
    • Log Off When Not In Use
    • Secure / Protect Critical Hardware (e.g. laptops)
    • Secure Personally Identifiable Information (PII) and Passwords
  • Account management
    • Restrict User Permissions
    • Restrict Login Times
    • Disable Guest Account
    • Use Failed Attempts Lockout
    • Use Timeout / Screen Lock
  • Change Default Administrator’s User Account / Password
  • Disable AutoRun
  • Disable AutoPlay

There are different ways and scenarios to encrypt data.  At any time, data is either at rest (being stored), in transit, or in processing.  Data should always be encrypted.

  • At Rest.  At rest, data should be encrypted.  We encrypt data at rest because there is a risk that the storage medium can be stolen.  When stolen, the data can be read.

We first select an encryption algorithm and create an encryption key.  When the data is written to the storage medium, the algorithm is used to encrypt the data.  We may break up our storage medium into different partitions, and we may use a different key for encrypting the data in each partition.

The keys are stored in a secure location.  Access to a key is controlled and logged.  In other words, when you attempt to access the data, the system checks whether you have the right to access the data.  If you do, then the system obtains the corresponding key and decrypts the data.  You – the user – will probably never see the actual key.

As discussed, we can use BitLocker or EFS to encrypt data at rest.

  • In Transit.  In transit, data should be encrypted.  When transporting data, the sender and receiver should agree on an encryption method and generate a key.  The sender encrypts the data, and the receiver decrypts the data.

    As soon as the receiver decrypts the data, it encrypts it with a new algorithm and key appropriate for storing it.

  • In Processing.  In processing (also known as in use), data should be encrypted.  In practice, this is more difficult to implement than encryption at rest or encryption in transit.  It attempts to encrypt data that is stored in the RAM or in a CPU cache.

    It is important to secure data in use because it could contain encryption keys and personal information.  If the RAM is removed from the computer and quickly frozen, it can be read.  This would allow a hacker to extract encryption keys and other types of information. 
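Enabling data-at-rest encryption as described above (BitLocker for the volume, EFS for a user's folder), as an added example that is not part of the original notes.  It assumes an elevated PowerShell session on a machine with a TPM, that the OS volume is C:, and that "alice" is a hypothetical local user.

```powershell
# Added example (not from the original notes): enable BitLocker on the OS volume
# with a TPM protector, add a recovery password, escrow it, and verify the result.
# Assumed: elevated PowerShell, TPM present, OS volume is C:.
$volume = "C:"

$status = Get-BitLockerVolume -MountPoint $volume
if ($status.ProtectionStatus -eq "On") {
    Write-Host "$volume is already protected by BitLocker."
}
else {
    # Bind the volume key to this computer's TPM and use XTS-AES-256 for the
    # data at rest. -SkipHardwareTest avoids the pre-encryption reboot test.
    Enable-BitLocker -MountPoint $volume -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest

    # Add a 48-digit recovery password for when the TPM will not release the key
    # (firmware update, board replacement). Without it the data is unrecoverable.
    Add-BitLockerKeyProtector -MountPoint $volume -RecoveryPasswordProtector
}

# The recovery password must be escrowed somewhere other than the disk it
# unlocks: on a domain-joined machine, back it up to Active Directory.
$recovery = (Get-BitLockerVolume -MountPoint $volume).KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword"
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $volume -KeyProtectorId $kp.KeyProtectorId
}

# EFS encrypts individual files with a key tied to the user's profile.
# Assumed path for a hypothetical user "alice". Export the EFS certificate
# (cipher /x) afterwards, or the files are lost if the profile is.
cipher /e /s:"C:\Users\alice\Documents"

# Verify: VolumeStatus moves to FullyEncrypted, ProtectionStatus shows On.
Get-BitLockerVolume -MountPoint $volume |
    Format-List MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```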

Password Best Practices

Some password best practices

  • Choose a strong password that includes

    • Numbers
    • Capital & lowercase letters
    • Special characters

  • Choose a strong password that does not include

    • Your name, address, or other personal information
    • Common words such as “password” or “1234”
    • Previously used passwords
    • Passwords used in other locations/organizations

  • Set passwords to expire after a specific time (30 days or 90 days)

    • The user will be required to change his password when it expires

  • BIOS/UEFI

    • Set a strong password for the BIOS
    • It is important to protect the BIOS because it contains settings for secure boot, boot sources, and the TPM
    • Unlike Windows passwords, the BIOS password can’t be managed centrally through Active Directory, although some BIOSs will lock the user out after several failed attempts

  • Passwords should be required to access any computer resource.  Guest accounts should be disabled.

Account Management

Some account management best practices

  • Restrict user permissions to only those that they specifically require

    • It may be easier to manage users in groups based on their roles in the organization

  • Restrict logon times

    • A user can be restricted from logging in to a computer during certain times (for example evenings and weekends), unless required for their job.
    • For example, a cashier who works a specific shift can be restricted from logging in outside that shift

    • This is not always practical for employees who are workaholics, such as engineers and lawyers

  • Disable the guest account

    • The guest account allows users to log in without a username or password

  • Set accounts to expire

    • A user account should expire when the user leaves the organization

  • Failed attempts lockout

    • Automatically lock the account after three failed attempts

    • If the user enters an incorrect password after several attempts, the account is automatically locked.  The account can be automatically unlocked after some time or may require an administrator to unlock it.

  • Screen lock

    • Lock the screen after a specific period of inactivity

    • If the user leaves the computer, it will automatically lock

  • Change default admin account

    • Change the default admin account username and password so that it can’t be guessed

    • The local admin account can be used to unlock the computer in circumstances where it loses connectivity to the domain controller; disabling the account even when the computer is on a domain may not be a good idea.

    • In Active Directory, an algorithm can be used to change the local admin account’s default password each day.  The password is generated from the computer’s name and current date/time.

    • Restrict what the default admin account can do

    • Change the default admin account for other devices such as modems, printers, and surveillance cameras

  • Disable Autorun

    • Autorun allows Windows to automatically play/execute content from a USB drive, CD-ROM, or DVD as soon as you insert it

    • The content could be malicious.  You should not trust the data on random USB drives, CD-ROMs, or DVDs.

    • Disable autorun to prevent Windows from automatically executing the content

  • Encryption

    • It’s possible to make data encryption mandatory (for example require BitLocker to be enabled)

  • Patch/Update Management

    • It’s possible to require computers under management to automatically install Windows updates, and security updates for other applications
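Applying the account-management settings above on a standalone (non-domain) Windows workstation, as an added example that is not part of the original notes; on a domain these settings normally come from Group Policy instead.  Assumed: an elevated PowerShell session, a hypothetical cashier account "cashier01", a contractor "contractor01", and "WsAdmin" as the new name for the built-in Administrator account.

```powershell
# Added example (not from the original notes). Assumed names: cashier01,
# contractor01, WsAdmin. Run from an elevated PowerShell on a standalone machine.

# --- Password and lockout policy (local security policy) ---
# 12+ characters, expire after 90 days, remember the last 24 passwords;
# lock after 3 failed attempts for 30 minutes (failure counter resets after 30).
net accounts /minpwlen:12 /maxpwage:90 /uniquepw:24
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30

# --- Guest account: nobody should log in without their own credentials ---
Disable-LocalUser -Name "Guest"

# --- Logon hours: the cashier may only log in Mon-Fri 08:00-17:00 ---
net user cashier01 /times:M-F,08:00-17:00

# --- Account expiry: contractor access ends automatically in 30 days ---
Set-LocalUser -Name "contractor01" -AccountExpires (Get-Date).AddDays(30)

# --- Default administrator: rename it and set a fresh password ---
Rename-LocalUser -Name "Administrator" -NewName "WsAdmin"
$newPassword = Read-Host -AsSecureString "New password for WsAdmin"
Set-LocalUser -Name "WsAdmin" -Password $newPassword

# --- Screen lock after 10 minutes idle (per user, HKCU; applies at next logon) ---
$desktop = "HKCU:\Control Panel\Desktop"
Set-ItemProperty -Path $desktop -Name "SCRNSAVE.EXE"      -Value "C:\Windows\System32\scrnsave.scr"
Set-ItemProperty -Path $desktop -Name ScreenSaveActive    -Value "1"
Set-ItemProperty -Path $desktop -Name ScreenSaverIsSecure -Value "1"   # require password
Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut   -Value "600" # seconds

# --- AutoRun / AutoPlay off for every drive type (0xFF = all drive types) ---
$explorer = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
New-Item -Path $explorer -Force | Out-Null
New-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF `
    -PropertyType DWord -Force | Out-Null
$autoplay = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers"
New-ItemProperty -Path $autoplay -Name DisableAutoplay -Value 1 `
    -PropertyType DWord -Force | Out-Null

# --- Verify the result ---
net accounts
Get-LocalUser | Select-Object Name, Enabled, AccountExpires, PasswordLastSet
```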