Security Best Practices for Workstation Security 





 

Security best practices for workstation security emphasize three issues:

 

Correct password usage and management

User permissions

 

Disabling AutoPlay (may be referred to as Autorun on the CompTIA A+ 220-802 exam)

 

 

Passwords

 

The first step in maintaining workstation security is to require all accounts to have passwords. During the initial setup of a new computer, usernames, passwords, and password hints are typically required. However, if additional users are added, passwords are optional unless local or group policy settings require them. Make this the rule: Every user needs a password.


142 CompTIA A+ Quick Reference

 

The second step is to require users to have a strong password. A simple numeric or alphabetic sequence (12345678 or ABCDEFGH) is not a strong password. A strong password need not be longer than eight characters, but it needs these characteristics:

 

Randomness

 

Uppercase and lowercase letters

Numbers/symbols

 

To avoid the unsightly spectacle (and major security breach) of sticky notes holding brain-busting passwords, the password should also be relatively easy to remember. If you do not want to make up your own, there are numerous websites that can generate one for you. Some can generate pronounceable passwords that are nevertheless quite secure.

 

The third step is to make sure the computer is locked when not in use. By requiring a password (and displaying the logon screen) to bring the computer out of screen saver mode (Figure 7-4) and by instructing users to lock the keyboard with the Windows key+L combination, the system is secure but can be brought back into operation in just a few seconds.

 

Figure 7-4 The Screen Saver dialog in Windows 7 after enabling the On Resume, Display Logon Screen feature.

 

The fourth step is to require passwords to be changed periodically. This can be enforced through group policies in various versions of Windows Server.


Chapter 7: Security 143

 

User Permissions and Guest Accounts

 

New Technology File System (NTFS) allows file-level security that File Allocation Table 32 (FAT32) did not. After users are created, any folder or file can have custom privileges per user. Permission propagation applies the parent folder permissions to any child object (folders, files, and apps "inside" the parent folder). Tables 7-1 and 7-2 describe the various privileges and permissions.

 

Table 7-1 NTFS Permissions

Privilege       Description
Read            Users can only read contents.
Write           Makes changes to a file or folder contents.
Modify          Makes the folder or file read and writable.
Execute         Runs programs.
Full Control    Creates, modifies, and deletes files and programs.

 

 

Permissions regarding shared files and folders are a simplified version of NTFS permissions. Note that read in file-sharing permissions also allows the user to execute programs.

 

Table 7-2 Share Permissions

Permission      Description
Read            Allows users to read files and execute
Change          Allows users to view, create, change, and delete files
Full Control    Allows users to take ownership of files and change permissions

 

 

Windows XP supports many different levels of users (limited, administrators, power users, and others). Windows Vista and Windows 7 include only standard users, administrators, and guests. For security, the Guest account should be disabled in Windows Vista and Windows 7.

 

Disabling AutoPlay

 

The AutoPlay menu that appears when an external drive or removable media drive is connected to a Windows system is a convenience, but it can also pose a security threat because it can be used to start malicious programs stored on the drive.

 

AutoPlay and Autorun (which uses the autorun.inf file to automatically run a program on removable media) can be disabled through the group policies in Windows XP and later editions. On Windows XP and Windows Vista, some security updates need to be installed first to fully support disabling AutoPlay and Autorun.
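
The checks described in this section can be verified on a workstation with a read-only audit. The script below is an added example, not taken from the book: it assumes Windows PowerShell 2.0 through 5.1 (for Get-WmiObject), and the helper names Get-RegValue and New-Finding are made up for illustration.

```powershell
# Added example: read-only audit of the settings this section recommends.
# Assumes Windows PowerShell 2.0-5.1, run locally as the user being checked.

function Get-RegValue($Path, $Name) {
    # Return a registry value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return $null
}

function New-Finding($Check, $Target, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Target = $Target; Detail = $Detail }
}
$findings = @()

# Passwords and Guest: inspect every enabled local account.
foreach ($a in Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True") {
    if ($a.Disabled) { continue }
    if ($a.SID -like 'S-1-5-21-*-501') {      # well-known RID 501 = built-in Guest
        $findings += New-Finding 'Guest account' $a.Name 'enabled; should be disabled'
    }
    if (-not $a.PasswordRequired) {
        $findings += New-Finding 'Password required' $a.Name 'account may have a blank password'
    }
    if (-not $a.PasswordExpires) {
        $findings += New-Finding 'Password change' $a.Name 'password never expires'
    }
}

# Screen lock: "On resume, display logon screen" is stored as ScreenSaverIsSecure = 1.
$policy = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaverIsSecure'
$local  = Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaverIsSecure'
$secure = if ($policy -ne $null) { $policy } else { $local }   # policy wins over user setting
if ("$secure" -ne '1') {
    $findings += New-Finding 'Screen lock' $env:USERNAME 'no password prompt on resume from screen saver'
}

# AutoPlay: the "Turn off AutoPlay" policy for all drives writes NoDriveTypeAutoRun = 0xFF.
$sub  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$auto = Get-RegValue "HKLM:\$sub" 'NoDriveTypeAutoRun'
if ($auto -eq $null) { $auto = Get-RegValue "HKCU:\$sub" 'NoDriveTypeAutoRun' }
if ($auto -eq $null -or ($auto -band 0xFF) -ne 0xFF) {
    $findings += New-Finding 'AutoPlay' $env:COMPUTERNAME 'not disabled for all drive types'
}

$findings | Select-Object Check, Target, Detail | Format-Table -AutoSize
```

An empty result means every check passed for the current user; the script changes nothing, so remediation is still done through local or group policy as described above.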



 





Page last modified: 2017-02-08
