Workstation Security Best Practices

The user represents the weakest link in the security chain, whether harm comes to them in the form of malware, social engineering, or simply avoidable mistakes. The workstation represents the digital arm of the user and must be properly and adequately secured to keep the user—and the network—protected.

There are a number of best practices involved with securing a workstation. While a checklist could take many pages, depending upon your environment, CompTIA has identified seven that should appear on any roster:

  • Set strong passwords.
  • Require passwords.
  • Restrict user permissions.
  • Change default usernames.
  • Disable the guest account.
  • Make the screensaver require a password.
  • Disable autorun functionality.

The following sections will explore these best practices in more detail.

Setting Strong Passwords

One of the strongest ways to keep a system safe is to employ strong passwords and educate your users in the best practices associated with them. Many password-generation systems are based on a one-way hashing approach. You can’t take the hash value and reverse it to guess the password. In theory, this makes it harder to guess or decrypt a password.

Passwords should be as long as possible. Most security experts believe a password of 10 characters is the minimum that should be used if security is a real concern. If you use only the lowercase letters of the alphabet, you have 26 characters with which to work. If you add the numeric values 0 through 9, you’ll get another 10 characters. If you go one step further and add the uppercase letters, you’ll then have an additional 26 characters, giving you a total of 62 characters with which to construct a password.


Tip: Most vendors recommend that you use nonalphabetic characters such as #, $, and % in your password, and some go so far as to require it.

If you used a 4-character password, this would be 62 × 62 × 62 × 62, or approximately 14 million password possibilities. If you used 5 characters in your password, this would give you 62 to the 5th power, or approximately 920 million password possibilities. If you used a 10-character password, this would give you 62 to the 10th power, or 8.4 × 10^17 (a very big number) possibilities. As you can see, these numbers increase exponentially with each position added to the password. The 4-character password could probably be broken in a fraction of a day, while the 10-character password would take considerably longer and much more processing power.

If your password consisted of only the 26 lowercase letters from the alphabet, the 4-character password would have 26 to the 4th power, or 456,000 password combinations. A 5-character password would have 26 to the 5th power, or over 11 million, and a 10-character password would have 26 to the 10th power, or 1.4 × 10^14. This is still a big number, but it would take considerably less time to break it.


Note: To see tables on how quickly passwords can be surmised, visit www.lockdown.co.uk/?pg=combi&s=articles.
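The keyspace arithmetic above, carried through for several character sets and lengths, as an added PowerShell example (not from the book). The guess rate is an assumed figure for illustration; real cracking speed depends on the hash algorithm and hardware, so treat the times as relative, not absolute.

```powershell
# Added example: keyspace size and worst-case brute-force time for the
# password lengths and character sets discussed in the text.

function Get-Keyspace {
    param([int]$CharsetSize, [int]$Length)
    # Number of possible passwords = charset size raised to the length.
    [bigint]::Pow($CharsetSize, $Length)
}

function Get-ExhaustTime {
    param([bigint]$Keyspace, [bigint]$GuessesPerSecond)
    # Time to try every combination (worst case); the average is half of this.
    $seconds = [double]$Keyspace / [double]$GuessesPerSecond
    if     ($seconds -lt 3600)     { '{0:N1} seconds' -f $seconds }
    elseif ($seconds -lt 86400)    { '{0:N1} hours'   -f ($seconds / 3600) }
    elseif ($seconds -lt 31557600) { '{0:N1} days'    -f ($seconds / 86400) }
    else                           { '{0:N1} years'   -f ($seconds / 31557600) }
}

# ASSUMED rate: one billion guesses per second (offline attack on a fast hash).
$rate = [bigint]1000000000

$charsets = @(
    @{ Name = 'lowercase only (26)';          Size = 26 },
    @{ Name = 'lowercase + digits (36)';      Size = 36 },
    @{ Name = 'lower + upper + digits (62)';  Size = 62 }
)

# Build one row per charset/length pair, including the 4, 5 and 10 used above.
$rows = foreach ($cs in $charsets) {
    foreach ($len in 4, 5, 8, 10, 12) {
        $space = Get-Keyspace -CharsetSize $cs.Size -Length $len
        [pscustomobject]@{
            Charset      = $cs.Name
            Length       = $len
            Combinations = '{0:E2}' -f [double]$space
            WorstCase    = Get-ExhaustTime -Keyspace $space -GuessesPerSecond $rate
        }
    }
}

$rows | Format-Table -AutoSize
```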

Mathematical methods of encryption are primarily used in conjunction with other encryption methods as part of authenticity verification. The message and the hashed value of the message can be encrypted using other processes. In this way, you know that the message is secure and hasn’t been altered.

Requiring Passwords

Make absolutely certain you require passwords (such a simple thing to overlook in a small network) for all accounts, and change the default passwords on system accounts.

Restricting User Permissions

When assigning user permissions, follow the principle of least privilege (discussed earlier): Give users only the bare minimum they need to do their job. Assign permissions to groups rather than users, and make users members of groups (or remove them from groups) as they change roles or positions.

Changing Default Usernames

Default accounts represent a huge weakness because everyone knows they exist. When an operating system is installed—whether on a workstation or a server—certain default accounts are created. Knowing the names of those accounts simplifies the process of potential attackers accessing them because they only have to supply the password.

Disabling the Guest Account

When Windows is installed, one of the default accounts it creates is Guest, and this represents a weakness that can be exploited by an attacker. While the account cannot do much, it can provide initial access to a system, and the attacker can use that to find another account or acquire sensitive information about the system.

To secure the system, disable all accounts that are not needed, especially the Guest account. Next, rename the accounts if you can (Microsoft won’t allow you to rename some). Finally, change the passwords from the defaults and add them to the cycle of passwords that routinely get changed.

Screensaver Required Password

A screensaver should automatically start after a short period of idle time, and a password should be required before the user can begin the session again. This method of locking the workstation adds one more level of security.

Disable Autorun

It is never a good idea to put any media in a workstation if you do not know where it came from or what it is. The simple reason is that such media (CD, DVD, USB) could contain malware. Compounding matters, that malware could be referenced in the AUTORUN.INF file, causing it to be summoned when the media is inserted in the machine and requiring no other action. AUTORUN.INF can be used to start an executable, access a website, or do any of a large number of different tasks. The best way to prevent a user from falling victim to such a ploy is to disable the autorun feature on the workstation.

Microsoft has changed (by default, disabled) the function on Windows Vista and Windows 7, though running it remains the default action for PCs running Windows XP through Service Pack 3. The reason Microsoft changed the default action can be summed up in a single word: security. That text-based AUTORUN.INF file can not only take your browser to a web page, it can also call any executable file, pass along variable information about the user, or do just about anything else imaginable. Simply put, it is never a good idea to plug any media into your system if you have no idea where it came from or what it holds. Such an action opens up the user’s system—and the network—to any number of possible risks. An entire business’s data could be jeopardized by such a minuscule act if a harmful CD were placed in a computer at work by someone with elevated privileges.
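Several of the practices in this chapter (minimum password length, disabling Guest, renaming the built-in Administrator, screensaver lock, disabling autorun) applied to one local Windows workstation, as an added PowerShell example that is not part of the book. It assumes Windows 10 or 11 with the LocalAccounts module, an elevated prompt, and a site-chosen replacement name for the Administrator account (the `WsAdmin` value is a placeholder).

```powershell
# Added example: apply and then report the workstation settings discussed above.
# Run elevated. Review each value against your own policy before using it.

# 1. Require local passwords of at least 10 characters.
net accounts /minpwlen:10 | Out-Null

# 2. Disable the built-in Guest account.
Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue | Disable-LocalUser

# 3. Rename the built-in Administrator account. It is located by its well-known
#    RID (500) rather than by name, so this works even if it was renamed before.
$adminNewName = 'WsAdmin'   # PLACEHOLDER: choose a non-obvious name for your site
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin -and $builtinAdmin.Name -ne $adminNewName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $adminNewName
}

# 4. Least privilege check: list who holds local admin rights for review.
$localAdmins = (Get-LocalGroupMember -Group 'Administrators').Name

# 5. Screensaver after 10 minutes idle, password required on resume (current user).
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name ScreenSaveActive    -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaverIsSecure -Value '1'
Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut   -Value '600'

# 6. Disable AutoRun for every drive type (0xFF sets all drive-type bits).
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# 7. Report the resulting state so the change can be verified or audited.
[pscustomobject]@{
    GuestEnabled       = (Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue).Enabled
    AdminAccountName   = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Name
    LocalAdmins        = $localAdmins -join ', '
    ScreenSaverSecure  = (Get-ItemProperty $desktop).ScreenSaverIsSecure
    NoDriveTypeAutoRun = '0x{0:X2}' -f (Get-ItemProperty $policy).NoDriveTypeAutoRun
}
```

The same settings are normally enforced domain-wide through Group Policy; this script is for a standalone machine or for spot-checking a single workstation.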
