Topic 8A: Configure Workstation Security
QUIZ: What type of account management policy can protect against password-guessing attacks?
A lockout policy disables the account after a number of incorrect sign-in attempts.
Password Best Practices:
One of the first pillars of workstation security is ensuring that only authorized users can operate the computers connected to the network. Effective user security depends on strong credential management, effective account policies, and best practice end-user behavior. Password-based authentication systems have a long history of vulnerability. Some of this ineffectiveness is due to inadequate technologies and some due to poor user password practice. As not all companies can make the switch to multifactor sign-in, password best practice is still a key security requirement. The biggest vulnerability of knowledge factor authentication to cyberattack is the use of weak passwords. A threat actor might use dictionary files containing popular words and phrases or strings from breached password databases to compromise account credentials. Once a threat actor obtains a password, she or he can gain access to a system posing as that person.
QUIZ: A security consultant has recommended more frequent monitoring of the antivirus software on workstations. What sort of checks should this monitoring perform?
That the antivirus is enabled, is up to date with scan engine components and definitions, and has only authorized exclusions configured.
QUIZ: True or false? An organization should rely on automatic screen savers to prevent lunchtime attacks.
False. A lunchtime attack is where a threat actor gains access to a signed-in user account because the desktop has not locked. While an automatic screensaver lock provides some protection, there may still be a window of opportunity for a threat actor between the user leaving the workstation unattended and the screensaver activating. Users must lock the workstation manually when leaving it unattended.
Windows Defender Antivirus Updated Definitions: It is particularly important that antivirus software be updated regularly. Two types of updates are generally necessary:
-Definition/pattern updates are information about new viruses or malware. These updates may be made available daily or even hourly.
-Scan engine/component updates fix problems or make improvements to the scan software itself.
For Windows Defender Antivirus, these definitions and patches are delivered via Windows Update. Third-party software might also integrate its updates with Windows Update, or it might use its own updater.
Account Policies: Account policies supplement best practice behavior by enforcing requirements as controls imposed by the OS. On a standalone workstation, password and account policies can be configured via the Local Security Policy snap-in (secpol.msc) or the Group Policy Editor snap-in (gpedit.msc). On a Windows domain network, settings can be defined as group policy objects (GPO) and applied to groups of user and computer accounts within domains and organizational units (OUs).
-Restrict login times—This is typically used to prevent an account from logging in at an unusual time of the day or night or during the weekend. Periodically, the server checks whether the user has the right to continue using the network. If the user does not have the right, then an automatic logout procedure commences.
-Failed attempts lockout—This specifies a maximum number of incorrect sign-in attempts within a certain period. Once the maximum number of incorrect attempts has been reached, the account will be disabled. This mitigates the risk of threat actors gaining system access using lists of possible passwords.
-Concurrent logins—This sets a limit to the number of simultaneous sessions a user can open. Most users should only need to sign in to one computer at a time, so this sort of policy can help to prevent or detect misuse of an account.
-Use timeout/screen lock—This locks the desktop if the system detects no user-input device activity. This is a sensible, additional layer of protection. However, users should not rely on this and must lock the computer manually when leaving it unattended.
If a user account violates a security policy, such as an incorrect password being entered repeatedly, it may be locked against further use. The account will be inaccessible until it is unlocked by setting the option in the Properties dialog box on the Account tab. If a user forgets a password, you can reset it by right-clicking the account and selecting Reset Password.
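The lockout and password-length settings above are what secpol.msc or a GPO writes; the following added example (not from the courseware) audits them on a standalone workstation by parsing `net accounts`. The baseline values (12-character minimum, lockout at 10 or fewer attempts) are this example's assumptions.

```powershell
# Added example: audit the local account policy that secpol.msc/gpedit.msc
# configure, by parsing the output of `net accounts`. The thresholds below
# are this example's assumed baseline, not values given by the courseware.
function Get-LocalAccountPolicy {
    # `net accounts` prints "Setting name:   value" lines; capture name and value.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(.+?)\s*$') {
            $policy[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $policy
}

function Test-LocalAccountPolicy {
    param(
        [int]$MinPasswordLength  = 12,   # assumed baseline
        [int]$MaxLockoutThreshold = 10   # assumed baseline
    )
    $p = Get-LocalAccountPolicy
    $findings = @()

    # "Lockout threshold: Never" means no failed-attempts lockout is configured,
    # so online password guessing is not rate-limited by the account policy.
    $threshold = $p['Lockout threshold']
    if ($threshold -eq 'Never') {
        $findings += 'No account lockout policy configured.'
    } elseif ([int]$threshold -gt $MaxLockoutThreshold) {
        $findings += "Lockout threshold $threshold exceeds baseline of $MaxLockoutThreshold."
    }

    $minLen = [int]$p['Minimum password length']
    if ($minLen -lt $MinPasswordLength) {
        $findings += "Minimum password length $minLen is below baseline of $MinPasswordLength."
    }

    if ($findings.Count -eq 0) { 'Account policy meets baseline.' } else { $findings }
}

Test-LocalAccountPolicy
```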
Password Rules: The following rules are easy for users to apply and make passwords more difficult to crack:
1. Make the password sufficiently long—12+ character length is suitable for an ordinary user account. Administrative accounts should have longer passwords.
2. Choose a memorable phrase, but do not use any personal information—Anything that a threat actor could discover or guess should not be used in a password. This includes things such as significant dates, family names, username, job title, company name, pet name, quotations, and song lyrics.
Disable Guest Account:
A guest account allows unauthenticated access to the computer and may provide some sort of network access too. In current versions of Windows, the Guest account is disabled by default and cannot be used to sign in. It is only enabled to facilitate passwordless file sharing in a Windows workgroup. You should monitor other operating systems and features such as guest Wi-Fi and disable them if they do not comply with security policies.
Account Management:
Account management policies are used to determine what rights and privileges each employee should be assigned. These policies should be guided by the principle of least privilege.
BIOS/UEFI Passwords:
A system user password is one that is required before any operating system can boot. The system password can be configured by the basic input/output system (BIOS) or unified extensible firmware interface (UEFI) setup program. This type of firmware-configured password is shared by all users and consequently is very rarely used. It might be used to provide extra security on a standalone computer that does not often require interactive logon, such as a computer used to manage embedded systems. A PC with UEFI firmware may support pre-boot authentication. This means that the system loads an authentication application to contact an authentication server on the network and allows the user to submit the credentials for a particular account.
Restrict User Permissions:
An OS's access control system assigns two types of permissions to a user account:
-File permissions control whether a user can read or modify a data file or folder, either on the local PC or across the network. Configuring file permissions is the responsibility of the data owner or file server administrator.
-Rights or privileges control what system configuration changes a user can make to a PC. Configuring rights is the responsibility of the network owner.
Some networks have complex requirements for assigning rights, but the basic principle is that the number of accounts with administrator/superuser privileges should be as few as possible. These highly privileged accounts should be further protected by features such as UAC and sudo. For both file permissions and rights, a system of least privilege will be most effective in reducing risk.
Windows BitLocker and BitLocker To Go:
An alternative to file encryption is to use a full disk encryption (FDE) product. The Windows BitLocker disk encryption product is available with all editions of Windows except for the Home edition. Full disk encryption carries a processing overhead, but modern computers usually have processing capacity to spare. The main advantage is that it does not depend on the user to remember to encrypt data. Disk encryption also encrypts the swap file, print queues, temporary files, and so on. BitLocker can be used with any volumes on fixed (internal) drives. It can also be used with removable drives in its BitLocker To Go form. When the data is encrypted, the user must have access to the encryption key to access it. BitLocker can make use of a trusted platform module (TPM) chip in the computer to tie use of a fixed disk to a particular motherboard. The TPM is used as a secure means of storing the encryption key and to ensure the integrity of the OS used to boot the machine. Alternatively, the key could be stored on a removable smart card or on a USB stick. The computer's firmware must support booting from USB for the last option to work. During BitLocker setup, a recovery key is also generated. This should be stored on removable media (or written down) and stored securely (and separately from the computer). This key can be used to recover the encrypted drive if the startup key is lost.
Execution Control:
Authentication and authorization policies give subjects the right to sign-on to a computer and network and (potentially) to make changes to the system configuration. This places a certain amount of trust in the user to exercise those rights responsibly. Users can act maliciously, though, or could be tricked into an adverse action. Execution control refers to logical security technologies designed to prevent malicious software from running on a host regardless of what the user account privileges allow. Execution control can establish a security system that does not entirely depend on the good behavior of individual users.
QUIZ: You are completing a checklist of security features for workstation deployments. Following the CompTIA A+ objectives, what additional item should you add to the following list, and what recommendation for a built-in Windows feature or features can you recommend be used to implement it?
-Password best practices
-End-user best practices
-Account management
-Change default administrator's user account/password
-Disable AutoRun/AutoPlay
-Enable Windows Update, Windows Defender Antivirus, and Windows Defender Firewall
Data-at-rest encryption. In Windows, this can be configured at file level via the Encrypting File System (EFS) or at disk level via BitLocker.
Windows Defender Antivirus:
Even with UAC and execution control, there are still plenty of ways for malware to install onto a PC. A program might use particularly effective social engineering techniques to persuade the user to bypass the normal checks. The malware might exploit a vulnerability to execute without explicit consent. Malware might also not need to install itself to achieve threat-actor objectives, such as exfiltrating data, weakening the system configuration, or snooping around the network. Antivirus (A-V) is software that can detect malware and prevent it from executing. The primary means of detection is to use a database of known virus patterns called definitions, signatures, or patterns. Another technique is to use heuristic identification. "Heuristic" means that the software uses knowledge of the sort of things that viruses do to try to spot (and block) virus-like behavior. Most antivirus software is better described as anti-malware, as it can detect software threats that are not technically virus-like, including spyware, Trojans, rootkits, ransomware, and cryptominers. The broad range of threats posed by different types of malware and vulnerability exploits means that an anti-malware software solution is a critical component of workstation security. Windows Defender Antivirus is a core component of all Windows editions. Windows Defender Antivirus is managed via the Windows Security Center.
End User Best Practices:
Good password practice should be supplemented with secure use of the workstation. Some key principles are as follows:
-Log off when not in use—A lunchtime attack is where a threat actor is able to access a computer that has been left unlocked. Policies can configure screensavers that lock the desktop after a period of inactivity. Users should not depend on these, however. In Windows, START+L locks the desktop. Users must develop the habit of doing this each time they leave a computer unattended.
-Secure/protect critical hardware (such as laptops)—Users must also be alert to the risk of physical theft of devices. Portable computers can be secured to a desk using a cable lock. When in public, users must keep laptop cases in sight.
-Secure personally identifiable information (PII) and passwords—Paper copies of personal and confidential data must not be left where they could be read or stolen. A clean desk policy ensures that all such information is not left in plain sight. Also, this type of information should not be entered into unprotected plain text files, word processing documents, or spreadsheets.
AutoRun and AutoPlay:
One of the problems with legacy versions of Windows is that when an optical disc is inserted or a USB drive is attached, Windows would automatically run commands defined in an autorun.inf file stored in the root of the drive. A typical autorun.inf would define an icon for a disk and the path to a setup file. This could lead to malware being able to install itself automatically. In modern versions of Windows, an AutoPlay dialog box is shown, prompting the user to take a particular action. AutoPlay settings can be configured via a drive's property dialog box. Also, UAC will require the user to explicitly allow any executable code to run. There is a Windows Settings page to configure default AutoPlay actions.
Activating and Deactivating Windows Defender Antivirus:
The nature of malware means that there should be no simple means of deactivating an antivirus product, or the malware could easily circumvent it. Defender Antivirus can be disabled temporarily by toggling the Real-time protection button. It will re-activate itself after a short period. If a third-party antivirus product is installed, it will replace Windows Defender Antivirus. It can also be permanently disabled via group policy. It might be necessary to exclude folders from scanning. For example, scanning the disk images of virtual machines can cause performance problems. Also, some legitimate software or development code can trigger false-positive alerts. Folders containing this type of data can be excluded from scanning. It is important to check the status of the antivirus product regularly to ensure that it is activated and up to date.
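The regular status check described here (and the monitoring asked about in the earlier quiz) can be scripted with the Defender cmdlets; this added example (not from the courseware) reports whether Defender is enabled, whether the engine and definitions are current, and whether any exclusion is outside an approved list. The 2-day age limit and the approved exclusion path are this example's assumptions.

```powershell
# Added example: verify the three things monitoring should check: Defender is
# enabled, engine/definitions are current, and only approved exclusions exist.
# The age limit and approved path below are this example's assumptions.
function Test-DefenderHealth {
    param(
        [int]$MaxSignatureAgeDays = 2,
        [string[]]$ApprovedExclusions = @('D:\VMs')   # assumed: authorized VM disk image folder
    )
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    $findings = @()

    # 1. Enabled: both the antivirus component and real-time protection.
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus is not enabled.' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off.' }

    # 2. Up to date: definition age in days, reported alongside the engine version.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Definitions are $($status.AntivirusSignatureAge) days old (engine $($status.AMEngineVersion))."
    }

    # 3. Exclusions: any path, process or extension not on the approved list is
    # a finding, since an unauthorized exclusion removes files from scanning.
    $actual = @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension)
    foreach ($ex in ($actual | Where-Object { $_ })) {
        if ($ApprovedExclusions -notcontains $ex) {
            $findings += "Unauthorized exclusion configured: $ex"
        }
    }

    [pscustomobject]@{
        Healthy          = ($findings.Count -eq 0)
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        Findings         = $findings
    }
}

Test-DefenderHealth | Format-List
```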
Change Default Administrator Account and Password:
The root or superuser in Linux or the Administrator user account in Windows is the default system owner. These default accounts have no practical limitations and consequently are the ultimate target for threat actors. In many cases, these default accounts are disabled during the OS installation and their privileges exercised by named administrator accounts using tools such as UAC and sudo. If the default administrator account cannot be disabled, it must never be left configured with a default password. The new password must be treated with the highest level of security available. Ideally, the password should be known by one person only. Sharing administrative passwords is a security risk. Any use of the default administrator account must be logged and accounted for. Using this account for sign-in should be an unusual event that generates an alert. For separation of duties, the person operating the default administrator account must not be able to disable this accounting.
Trusted/Untrusted Software Sources:
To prevent the spread of malware such as Trojans, it is necessary to restrict the ability of users to run unapproved program code, especially code that can modify the OS, such as an application installer. Windows uses the system of Administrator and Standard user accounts, along with User Account Control (UAC) and system policies, to enforce these restrictions. Developers of Windows applications can use digital certificates to perform code signing and prove the authenticity and integrity of an installer package. Linux also prompts when you attempt to install untrusted software. Software is signed with a cryptographic key. Packages need the public key for the repository to install the software. When prompted that you are installing untrusted software, you can either respond that you want to install it anyway or cancel the installation. Mobile OS vendors use this "walled garden" model of software distribution as well. Apps are distributed from an approved store, such as Apple's App Store or the Windows Store. The vendor's store policies and procedures are supposed to prevent any Trojan-like apps from being published. There are also third-party network management suites to enforce application control. This means configuring blocklists of unapproved software (allowing anything else) or allowlists of approved software (denying anything else).
Encrypting File System:
When data is hosted on a file system, it can be protected by the operating system's security model. Each file or folder can be configured with an access control list (ACL), describing the permissions that principals have on the file. These permissions are enforced only when the OS mediates access to the device. If the disk is exposed to a different OS, the permissions could be overridden. Data on persistent storage—HDDs, SSDs, and thumb drives—is referred to as data-at-rest. To protect data-at-rest against these risks, the information stored on a disk can be encrypted. One approach to protecting file system data is to apply encryption to individual files or folders. The Encrypting File System (EFS) feature of NTFS supports file and folder encryption. EFS is not available in the Home edition of Windows. To apply encryption, open the file's or folder's property sheet and select the Advanced button. Check the Encrypt contents box, then confirm the dialogs. Folders and files that have been encrypted can be shown with green color coding in Explorer. Any user other than the one who encrypted the file will receive an "Access Denied" error when trying to browse, copy, or print the file. Without strong authentication, encrypted data is only as secure as the user account password. If the password can be compromised, then so can the data. The user's password grants access to the key that performs the file encryption and decryption. There is also the chance of data loss if the key is lost or damaged. This can happen if the user's profile is damaged, if the user's password is reset by an administrator, or if Windows is reinstalled. It is possible to back up the key or (on a Windows domain) to set up recovery agents with the ability to decrypt data.
Windows Defender Firewall:
Where the antivirus product protects against threats in the file system, Windows Defender Firewall implements a personal/host firewall to filter inbound and outbound network traffic. The basic Settings app interface allows you to activate or deactivate the firewall for a given network profile and to add exceptions that allow a process to accept inbound connections. The Windows Defender Firewall with Advanced Security console allows configuration of custom inbound and outbound filtering rules. For each profile type, the default inbound and outbound policy can be set to block or allow. Each rule can be configured as a block or allow action to override the default policy for trigger ports, applications, and/or addresses:
-Port security triggers are based on the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number used by the application protocol. For example, blocking TCP/80 prevents clients from connecting to the default port for a web server.
-Application security triggers are based on the process that listens for connections.
-Address triggers are based on the IP or FQDN of the server or client hosts.
The Advanced Firewall can be configured through group policy on a domain. On a standalone PC or workgroup, open the wf.msc management console. On the status page, you can click Windows Defender Firewall properties to configure each profile. The firewall can be turned on or off, and you can switch the default policy for inbound and outbound traffic between Block and Allow. From the main Advanced Firewall console, you enable, disable, and configure rules by selecting in the Inbound Rules or Outbound Rules folder as appropriate.
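The same settings reached through wf.msc can be applied with the NetSecurity cmdlets; this added example (not from the courseware) sets the default inbound policy to Block on every profile and then adds one rule of each trigger type the text lists (port, application, address). The rule names, the program path and the management subnet are this example's assumptions.

```powershell
# Added example: apply a host firewall baseline equivalent to the wf.msc steps
# above. Rule names, the agent path and the management subnet are assumptions.
function Set-WorkstationFirewallBaseline {
    param(
        [string]$MgmtSubnet = '10.0.50.0/24',                          # assumed management network
        [string]$AllowedApp = 'C:\Program Files\ExampleCorp\agent.exe' # assumed listening process
    )
    # Default policy per profile: block unsolicited inbound, allow outbound.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # Port trigger: the text's TCP/80 example. An explicit Block rule wins over
    # any Allow rule, so this holds even if a later exception opens the port.
    New-NetFirewallRule -DisplayName 'Baseline - Block inbound TCP/80' -Direction Inbound `
        -Protocol TCP -LocalPort 80 -Action Block -Profile Any

    # Application trigger: only this process may accept inbound connections,
    # regardless of which port it listens on.
    New-NetFirewallRule -DisplayName 'Baseline - Allow agent inbound' -Direction Inbound `
        -Program $AllowedApp -Action Allow -Profile Domain

    # Address trigger: remote desktop (TCP/3389, assumed) only from the management subnet.
    New-NetFirewallRule -DisplayName 'Baseline - RDP from mgmt subnet' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain

    # Report what the wf.msc status page and rule folders would show.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    Get-NetFirewallRule -DisplayName 'Baseline - *' | Select-Object DisplayName, Direction, Action, Enabled
}

Set-WorkstationFirewallBaseline
```

Run from an elevated PowerShell session; the cmdlets change live firewall state, so review the reported rules before relying on the baseline.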