2.7 Given a scenario, implement security best practices to secure a workstation.
Password Best Practices
Requiring Passwords
Make sure that all the accounts on the network, or even just locally on your PC, require a password.
By default, the Windows OS requires a password for any account that wants to connect to the network.
Other Areas that need a password
The BIOS (basic input/output system) and UEFI (unified extensible firmware interface) firmware setup should also require a password.
If an attacker has access to these, they could possibly bypass your security by changing some of the system settings.
Setting Strong Passwords
One of the most effective ways to keep a system safe is to use strong passwords and educate your users about their best practices.
Passwords should be as long and complex as possible.
Most security experts believe your password should have at least:
12 characters
1 number
1 uppercase and 1 lowercase letter
1 symbol (!@#$%^&*)
Example of a Complex Password: r)Jp-JkTT@;29~)y4
Password Complexity In Group Policy
When password complexity is enabled in Group Policy for the Windows OS, a password must contain characters from at least 3 of the following 4 categories:
lowercase
uppercase
numbers
symbols
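An added example (PowerShell, not part of the original notes) that turns the rules above into a check: at least 12 characters, and at least 3 of the 4 character categories the Windows complexity policy counts. The function name, parameters and the two weak sample passwords are our own; the first sample is the example password from the notes.

```powershell
# Added example, not from the original notes: checks a candidate password
# against the rules listed above. Function name and parameters are our own.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [int] $MinimumLength      = 12,   # "at least 12 characters"
        [int] $RequiredCategories = 3     # Windows complexity policy: 3 of the 4 categories
    )

    # One pattern per category. -cmatch is case-sensitive; plain -match is not,
    # so it would count "abc" as containing an uppercase letter.
    $categories = [ordered]@{
        lowercase = '[a-z]'
        uppercase = '[A-Z]'
        numbers   = '[0-9]'
        symbols   = '[^A-Za-z0-9]'
    }

    $present = @($categories.Keys | Where-Object { $Password -cmatch $categories[$_] })
    $missing = @($categories.Keys | Where-Object { $_ -notin $present })

    [pscustomobject]@{
        Password          = $Password
        Length            = $Password.Length
        CategoriesPresent = $present
        CategoriesMissing = $missing
        MeetsPolicy       = ($Password.Length -ge $MinimumLength) -and
                            ($present.Count -ge $RequiredCategories)
    }
}

# Constructed inputs: the example password from the notes plus two weak ones.
'r)Jp-JkTT@;29~)y4', 'Password1', 'correcthorsebatterystaple' |
    ForEach-Object { Test-PasswordComplexity -Password $_ } |
    Format-Table Password, Length, MeetsPolicy,
        @{ Name = 'Missing'; Expression = { $_.CategoriesMissing -join ', ' } } -AutoSize
```

Only the first password passes: 'Password1' has three categories but is too short, and the long all-lowercase one has only one category. The real Windows policy additionally rejects passwords that contain the account name; that check is not part of this example.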
Password Expiration
Any password can be cracked given enough time. That’s why it’s good password practice to set an expiration date on each password that is created.
Passwords are also a single-factor form of identification, so they should be set to expire monthly, bi-monthly, semi-annually, or annually.
The more sensitive an account is, the more frequently the password should be changed.
Windows has a default password expiration (maximum password age) of 42 days.
Account Management
Windows has multiple ways to manage user accounts:
Active Directory
AD can be used to manage the users and devices
Computer Management MMC
Can be used to manage local users and local groups
Users & Groups Control Panel Applet
This control panel applet can be used to:
Add or delete local users
Change passwords
Temporarily elevate standard users to administrators if need be
Group Policy Editor
The most comprehensive and powerful way to manage a company’s employee accounts.
A Windows admin tool used to centrally configure many important settings on individual computers or across the whole network.
You can push a network-wide change to all computers almost instantaneously through Group Policy,
or you can apply changes to only a specific group.
Restricting User Permissions
When assigning user permissions, always use the principle of least privilege.
The principle of least privilege means: give users only the bare minimum that they need to do their job.
It is also good practice to assign permissions to groups rather than to individual users, because managing each and every user separately is time-consuming and tedious.
Make every user a member of at least one group, and remove them from the groups they should no longer be in.
Setting Time Restrictions
It is also good account management practice to set logon windows (logon hours) for all users.
This will cause users to only have access to their accounts during the times that they are expected to be working.
This is effective at keeping out hackers who try to get into an account in the middle of the night.
To set them, go to AD → select the user account → click ‘Logon Hours’.
Account Expiration
You can also set an account to expire from the properties tab of the user.
The default is for the account to never expire, but you can set a date/time at which you want it to expire.
This is best used when contractors are working on-site.
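The two AD settings above (logon hours and account expiration), applied from PowerShell as an added example that is not part of the original notes. It assumes the RSAT ActiveDirectory module and a placeholder user 'jdoe'; the function names and the example date are our own. The logonHours attribute is a 21-byte bitmask (one bit per hour of the week, Sunday 00:00 first) stored in UTC, which is why the example builds it explicitly and prints it back for verification.

```powershell
# Added example, not from the original notes. Assumes the RSAT ActiveDirectory
# module and a placeholder domain account 'jdoe'. Function names are our own.
Import-Module ActiveDirectory

# logonHours is a 21-byte (168-bit) attribute: one bit per hour of the week,
# starting at Sunday 00:00 with the least significant bit of byte 0. The
# attribute is stored in UTC; the ADUC "Logon Hours" dialog converts it to the
# admin's local time zone for display, so pick the hours below in UTC.
function New-LogonHoursMask {
    param(
        [int[]] $Days      = 1..5,  # 0 = Sunday ... 6 = Saturday; default Mon-Fri
        [int]   $StartHour = 8,     # first permitted hour (UTC), inclusive
        [int]   $EndHour   = 18     # first blocked hour (UTC), exclusive
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit   = $day * 24 + $hour         # 0..167
            $index = $bit -shr 3               # which of the 21 bytes
            $mask[$index] = $mask[$index] -bor (1 -shl ($bit % 8))
        }
    }
    return $mask
}

# Render a mask as a 7x24 grid so the setting can be eyeballed before it is applied.
function Show-LogonHoursMask {
    param([byte[]] $Mask)
    $dayNames = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    '    ' + (-join (0..23 | ForEach-Object { $_ % 10 }))
    for ($day = 0; $day -lt 7; $day++) {
        $row = -join (0..23 | ForEach-Object {
            $bit = $day * 24 + $_
            if ($Mask[$bit -shr 3] -band (1 -shl ($bit % 8))) { '#' } else { '.' }
        })
        '{0} {1}' -f $dayNames[$day], $row
    }
}

$hours = New-LogonHoursMask -Days (1..5) -StartHour 8 -EndHour 18
Show-LogonHoursMask -Mask $hours

# Restrict logon hours, and expire the account at the end of the engagement.
# -AccountExpirationDate is the "Account expires" setting on the properties tab;
# the date is a placeholder.
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = [byte[]]$hours }
Set-ADUser -Identity 'jdoe' -AccountExpirationDate (Get-Date '2025-06-30 23:59')

# Read both values back from the directory.
Get-ADUser -Identity 'jdoe' -Properties logonHours, AccountExpirationDate |
    Select-Object Name, AccountExpirationDate,
        @{ Name = 'LogonHoursHex'; Expression = { ($_.logonHours | ForEach-Object { $_.ToString('x2') }) -join '' } }
```

Outside the permitted hours the user cannot start a new logon; whether an existing session is forced off is controlled separately by the "Network security: Force logoff when logon hours expire" policy.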
Disabling Guest Account
A Guest account is automatically created whenever a version of Windows is installed on a PC.
An attacker can exploit this weakness by signing into the Guest account and elevating privileges, or by using it to find another account from which to steal sensitive information.
Windows 10 disables the Guest account by default, but you should always disable the Guest account as good security practice.
Next, rename the default user accounts and change the default passwords for all the default Windows accounts.
Add them to the cycle of passwords that have to be changed frequently.
Disable interactive login for these accounts.
Failed Attempts Lockout
It’s important to enable a lockout after too many failed login attempts.
It can mean a little more legwork for the help desk team, who have to unlock each legitimate user who locks themselves out, but it’s another line of defense against a would-be malicious attacker!
It’s good practice to limit the user to 3 login attempts with a 5-minute lockout period.
Anything higher than 3 login attempts increases the risk of a security breach.
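The lockout values above, together with the 42-day password expiration from the Password Expiration section, applied to a stand-alone workstation's local security policy as an added example (PowerShell, not part of the original notes). The domain equivalent is shown commented out with a placeholder domain name.

```powershell
# Added example, not from the original notes. Applies the values discussed above
# to the local security policy; run from an elevated prompt.
net accounts                      # show the current password and lockout policy

# Maximum password age 42 days (the Windows default), minimum length 12,
# lockout after 3 failed attempts for 5 minutes. The observation window
# (/lockoutwindow) must not be longer than the lockout duration.
net accounts /maxpwage:42 /minpwlen:12 /lockoutthreshold:3 /lockoutduration:5 /lockoutwindow:5

# Accounts flagged "password never expires" bypass the expiration policy
# entirely, so list them; every hit needs a justification.
function Get-NonExpiringLocalUser {
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
        Select-Object Name, PasswordLastSet, PasswordExpires
}
Get-NonExpiringLocalUser

# On a domain the same settings live in the Default Domain Policy
# ('example.com' is a placeholder); fine-grained password policies can
# override them for specific groups:
# Set-ADDefaultDomainPasswordPolicy -Identity example.com -MaxPasswordAge 42.00:00:00 `
#     -MinPasswordLength 12 -LockoutThreshold 3 -LockoutDuration 00:05:00 `
#     -LockoutObservationWindow 00:05:00
```

net accounts prints the effective values, so rerun it after the change to confirm "Lockout threshold: 3" and "Maximum password age (days): 42" took effect.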
Screensaver Passwords
You can have the most complex password known to man, but if a user gets up for a quick bathroom break without locking their computer, anybody can gain access to whatever that PC has to offer.
A screensaver should automatically start after a short period of idle time, and a password should be required to unlock it before the user can gain access again.
Adding a password-protected screensaver can ensure that if a workstation is left unattended, it will lock and require a password to gain access again.
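A password-protected screen saver set through the registry as an added example (PowerShell, not part of the original notes). The per-user values are the same ones the Group Policy screen saver settings write; the machine-wide inactivity limit is added as a second line of defense. The 600-second timeout and the 900-second compliance threshold are our own choices.

```powershell
# Added example, not from the original notes. Run from an elevated prompt for
# the HKLM part; the HKCU part applies to the user running the script.
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
if (-not (Test-Path $desktop)) { New-Item -Path $desktop -Force | Out-Null }
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'            -Type String  # turn the screen saver on
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'            -Type String  # require a password on resume
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value '600'          -Type String  # idle seconds before it starts
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr' -Type String  # the built-in blank screen saver

# Machine-wide: lock the session after 600 idle seconds regardless of the
# user's own settings ("Interactive logon: Machine inactivity limit").
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $system -Name 'InactivityTimeoutSecs' -Value 600 -Type DWord

# Check the result; the 900-second (15 minute) ceiling is our own threshold.
function Test-ScreenLockPolicy {
    $d = Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path $system  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaverOn    = $d.ScreenSaveActive -eq '1'
        PasswordOnResume = $d.ScreenSaverIsSecure -eq '1'
        IdleSeconds      = [int]$d.ScreenSaveTimeOut
        MachineLimitSecs = $s.InactivityTimeoutSecs
        Compliant        = ($d.ScreenSaveActive -eq '1') -and ($d.ScreenSaverIsSecure -eq '1') -and
                           ([int]$d.ScreenSaveTimeOut -gt 0) -and ([int]$d.ScreenSaveTimeOut -le 900)
    }
}
Test-ScreenLockPolicy
```

Values written under the Policies key take precedence over the user's own Control Panel settings, which is what stops a user from simply turning the screen saver back off.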
Change Default Admin
Default accounts are created with every Windows installation, and they represent a major security weakness because everyone knows they exist.
The names and passwords for these accounts are almost universal, making it easy for an attacker to brute force their way in.
Ex. The default login credentials for an admin account are often:
Username: admin, Password: admin
You should honestly only ever have the default login credentials for an account after you’ve done a factory reset.
Changing the default username makes it more challenging for an attacker to guess the login credentials.
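The steps from the Disabling Guest Account and Change Default Admin sections (disable Guest, rename the built-in administrator, replace its password) as an added PowerShell example that is not part of the original notes. It finds the built-in accounts by their well-known RIDs instead of by name, so it still works when someone already renamed them; 'wks-breakglass' is a placeholder name.

```powershell
# Added example, not from the original notes. Built-in accounts are located by
# the RID at the end of their SID (500 = Administrator, 501 = Guest), not by
# name. 'wks-breakglass' is a placeholder. Run from an elevated prompt.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

# 1. Guest: disabled by default on Windows 10, but verify and enforce it.
if ($guest.Enabled) { Disable-LocalUser -SID $guest.SID }

# 2. Built-in administrator: drop the universally known name and set a new
#    password that follows the normal rotation cycle (no "never expires").
if ($admin.Name -eq 'Administrator') {
    Rename-LocalUser -SID $admin.SID -NewName 'wks-breakglass'
}
$newPassword = Read-Host -AsSecureString 'New password for the built-in administrator'
Set-LocalUser -SID $admin.SID -Password $newPassword -PasswordNeverExpires $false

# 3. Report the state of both accounts.
function Get-BuiltInAccountState {
    Get-LocalUser |
        Where-Object { $_.SID.Value -match '-(500|501)$' } |
        Select-Object Name, Enabled, PasswordLastSet,
            @{ Name = 'RID'; Expression = { $_.SID.Value.Split('-')[-1] } }
}
Get-BuiltInAccountState
```

On a domain the rename is better done centrally with the "Accounts: Rename administrator account" security option, and "Disable interactive login" from the Guest section maps to the "Deny log on locally" user right, both in Group Policy rather than in a script.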
Basic Active Directory Functions
The Active Directory MMC is a huge part of account management and account security. Here are a few actions you’ll be expected to perform:
Creating Accounts
As new users enter your network, you’ll need to create new accounts for them in AD (onboarding process)
Creating a new account from scratch means you’ll have to manually enter the name, title, group assignments, and profile settings.
Copying Accounts
Copying an existing account into a new account will cause the security settings and other useful settings to auto-populate for the new user.
At this point you just have to customize the AD account for the new user.
Deleting Accounts
As users leave your organization, you’ll need to offboard them and remove their account from the network.
It’s very difficult to bring a deleted account back once it has been deleted; the deletion can be undone, but it is not easy.
Password Reset/ Unlock Account
Resetting passwords and unlocking accounts is going to be what you do the most. If a user forgets their password and gets locked out, the help desk is the first place they call.
Password resets should only occur if the user actually forgot their password.
Disable Account
When accounts are no longer used but can’t be completely deleted either, the appropriate action is to simply disable them.
This can be done during an off-boarding process or because of security policy.
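The AD account lifecycle described above (create, copy, reset/unlock, disable, delete, and the hard-to-do undo) as an added PowerShell example that is not part of the original notes. It assumes the RSAT ActiveDirectory module; the OU path, domain name, user names and the template account 'tmpl-helpdesk' are placeholders.

```powershell
# Added example, not from the original notes. Assumes the RSAT ActiveDirectory
# module; every OU, domain, user and template name below is a placeholder.
Import-Module ActiveDirectory
$ou = 'OU=Staff,DC=example,DC=com'
$initialPw = Read-Host -AsSecureString 'Initial password for new accounts'

# Creating Accounts (onboarding): everything is entered by hand.
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' -SamAccountName 'jdoe' `
    -UserPrincipalName 'jdoe@example.com' -Path $ou -AccountPassword $initialPw `
    -ChangePasswordAtLogon $true -Enabled $true

# Copying Accounts: -Instance pre-populates attributes from a template user.
# Group membership is a back-link and is NOT copied, so add those separately.
$template       = Get-ADUser -Identity 'tmpl-helpdesk' -Properties Department, Title, Company, Description
$templateGroups = (Get-ADUser -Identity 'tmpl-helpdesk' -Properties MemberOf).MemberOf
New-ADUser -Name 'John Roe' -GivenName 'John' -Surname 'Roe' -SamAccountName 'jroe' `
    -UserPrincipalName 'jroe@example.com' -Path $ou -Instance $template `
    -AccountPassword $initialPw -ChangePasswordAtLogon $true -Enabled $true
$templateGroups | ForEach-Object { Add-ADGroupMember -Identity $_ -Members 'jroe' }

# Password Reset / Unlock Account: reset to a one-time password and clear the lockout.
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword (Read-Host -AsSecureString 'One-time password for jdoe')
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity 'jdoe'

# Disable Account (offboarding step 1): keeps the object, its SID and its group memberships.
Disable-ADAccount -Identity 'jroe'

# Deleting Accounts (offboarding step 2): usually done after a retention period.
Remove-ADUser -Identity 'jroe' -Confirm:$false

# Undoing a deletion: only possible while the tombstone exists AND the
# AD Recycle Bin optional feature was enabled before the deletion.
Get-ADObject -Filter 'samAccountName -eq "jroe" -and isDeleted -eq $true' -IncludeDeletedObjects |
    Restore-ADObject
```

Disabling before deleting matters because a deleted account loses its SID; even with the Recycle Bin, a restore is a manual, privileged operation, which is the "rather difficult" part the notes mention.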
Disable Autorun
External pluggable media will run and execute automatically once plugged into your computer.
This is a major security concern and should be disabled ASAP.
autorun.inf is the file that can cause malware to run automatically whenever a USB drive is plugged into a PC.
Always disable the autorun feature on the workstation
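Disabling AutoRun/AutoPlay through the registry as an added PowerShell example that is not part of the original notes. It writes the same values the "Turn off AutoPlay" Group Policy sets and then verifies them; the function name is our own.

```powershell
# Added example, not from the original notes. Run from an elevated prompt;
# the HKCU half applies only to the current user, so prefer Group Policy
# for a fleet. Function name is our own.
$explorerPolicy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\$explorerPolicy"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is
    # suppressed; 0xFF covers all of them. The out-of-the-box value 0x91 still
    # allows removable, fixed and CD-ROM drives.
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # NoAutorun = 1 stops Windows from honouring the commands in an autorun.inf at all.
    Set-ItemProperty -Path $key -Name 'NoAutorun' -Value 1 -Type DWord
}

function Test-AutorunDisabled {
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = Get-ItemProperty -Path "${hive}:\$explorerPolicy" -ErrorAction SilentlyContinue
        if (-not $p -or $p.NoDriveTypeAutoRun -ne 0xFF -or $p.NoAutorun -ne 1) { return $false }
    }
    return $true
}
Test-AutorunDisabled   # True once both hives carry the values above
```

Explorer reads these values at logon, so sign out and back in (or restart explorer.exe) before checking the behaviour with a USB stick.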
Data Encryption
Data encryption is critical to exercising good security practice. If a laptop is stolen, the information on the laptop can be accessed by unauthorized attackers.
By using BitLocker and EFS to encrypt the laptop, the OS and data on the laptop become locked up and inaccessible.
There are 3 states of data that should be encrypted:
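Turning on BitLocker for the OS drive and EFS for a folder, as an added PowerShell example that is not part of the original notes. It assumes a Windows edition with the BitLocker module, a TPM, an elevated prompt, and a folder path that is a placeholder. The recovery password is added before protection is enabled so that a TPM failure can never lock out the data.

```powershell
# Added example, not from the original notes. Assumes Windows Pro/Enterprise
# (BitLocker module), a TPM, and an elevated prompt.
$mount = 'C:'

# Current state of every volume: VolumeStatus tells you if it is encrypted,
# ProtectionStatus tells you if the protectors are actually enforced.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage

$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 1. Recovery password first, so there is always a way back in.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    # 2. Then encrypt with XTS-AES-256 and unlock automatically via the TPM at boot.
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# 3. Escrow the recovery password in AD if the machine is domain-joined;
#    otherwise record it in the organisation's key vault, never on the laptop.
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain -and $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $recovery.KeyProtectorId
}

# EFS: per-folder encryption bound to the user's certificate, for data that
# must stay protected even from other local users. Folder path is a placeholder.
$folder = Join-Path $env:USERPROFILE 'Documents\Confidential'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
cipher /e /s:"$folder"    # encrypt the folder and everything below it
cipher /c "$folder"       # show who can decrypt it
```

BitLocker protects the whole disk while the machine is off (the stolen-laptop case); EFS keeps protecting individual files once the OS is running and another account is logged on, which is why the notes list both.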
Data in Use
Data in use is data written to a temporary location, meaning that it is currently being used.
When data is being updated, accessed, processed, erased, or read by the system, it should be encrypted.
This state of data should always be encrypted because it is moving through parts of the internal IT infrastructure.
Accessing data that is on the server
Ex. Requesting transaction history on a banking website or authorizing user login input are applications of data in use.
Data in Transit
Data in transit is information traveling across the internet, across a private network, or from one device to another to reach a permanent destination (a server).
This is the most vulnerable state of data because it is literally being transferred from one location to another; it should most definitely be encrypted.
Vulnerable to data breaches
Ex: files shared with coworkers, data being uploaded to cloud applications, and data being sent to business associates.
Data at Rest
The point where data has reached its destination (a server, most of the time) and is no longer in motion.
It should still be encrypted nonetheless.
Relatively low chance of attack, since the data is literally at “rest”.
The data could still be considered more vulnerable because it is all in one spot.
It is data stored at an offline location, in the cloud, or on a server.
Patch/Update Management
When operating systems are installed, they are usually “point-in-time” snapshots of the OS as it existed when that version was built.
Between the time a version of Windows is created and the time it is installed, several vulnerabilities can be discovered. This is why patches and updates are so important.
Always patch a PC before deploying it to the network. This decreases the chances of attackers exploiting weaknesses in your OS and network.
Patches act as small, quick remediations to any vulnerabilities that are found in-between major updates.
Updates add new features not available in the current builds of an OS, while also addressing numerous security vulnerabilities all at once.
Patches fix a few problems, while updates tend to fix a lot of problems.
Vendors tend to release several patches each month following the release of the OS so they can stay on top of any potential exploits.
Out-of-Band Patches are patches released outside of the normal release cycle.
Microsoft products are centrally patched and updated through WSUS (Windows Server Update Services).
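A quick patch-posture check for a workstation as an added PowerShell example that is not part of the original notes: which WSUS server (if any) it is pointed at, whether automatic updates are enabled, when it last searched for and installed updates, and the newest hotfix on record. The function name and the 30-day staleness threshold are our own.

```powershell
# Added example, not from the original notes. Reads the Windows Update policy
# keys that Group Policy / WSUS client settings write, plus the Windows Update
# agent's own result dates. Function name and the 30-day threshold are ours.
function Get-PatchPosture {
    $wu  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $res = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results

    # Newest hotfix that has an install date recorded.
    $newest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

    $daysSinceInstall = $null
    if ($res.LastInstallationSuccessDate) {
        $daysSinceInstall = [int]((Get-Date) - $res.LastInstallationSuccessDate).TotalDays
    }

    [pscustomobject]@{
        WsusServer           = $wu.WUServer              # empty => updates come straight from Microsoft
        UsesWsus             = ($au.UseWUServer -eq 1)
        AutoUpdateDisabled   = ($au.NoAutoUpdate -eq 1)
        AUOptions            = $au.AUOptions             # 4 = auto download and schedule the install
        LastSearch           = $res.LastSearchSuccessDate
        LastInstall          = $res.LastInstallationSuccessDate
        NewestHotFix         = $newest.HotFixID
        NewestHotFixDate     = $newest.InstalledOn
        DaysSinceLastInstall = $daysSinceInstall
        Stale                = ($null -eq $daysSinceInstall) -or ($daysSinceInstall -gt 30)
    }
}
Get-PatchPosture
```

A machine that reports UsesWsus = False on a network that runs WSUS, or a LastInstall older than the most recent Patch Tuesday, is exactly the "deployed before it was patched" case the notes warn about.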