220-1102 Security Study Guide for the CompTIA A+ Core Series Exam

Basic Security Settings in Microsoft Windows® OS

Microsoft Windows provides useful settings that can be used to enhance security. It is important that you know their names and how they are used. Questions on this subject will be scenario based.

Defender Antivirus

Windows Defender, also called Windows Defender Antivirus, is the antivirus software that comes pre-installed in all recent versions of the Windows OS.

Activate/Deactivate

Windows Defender can be activated and deactivated via the Virus and Threat Protection settings by clicking on Manage Settings. Specific Defender features, such as real-time protection and cloud-delivered protection, can also be activated and deactivated as needed.

Updated Definitions

To maintain the most current malware definitions and signatures, Defender needs to be updated regularly. Windows Defender as well as its definitions are updated through the Windows Update process.

Firewall

Windows Defender Firewall is a host-based firewall designed to block access from the network. Defender Firewall can be specified to protect the domain network, private network, and public network separately.

Activate/Deactivate

Windows Defender Firewall can be activated or deactivated easily through Firewall and Network Protection. Windows Firewall blocks incoming connections by default.

Port Security

Windows Defender Firewall allows for the creation of specific rules for specific ports as needed, providing advanced port security.

Application Security

By default, Windows Defender Firewall displays a pop-up when an application attempts to listen on a port for incoming connections. If the application is allowed, the firewall creates a new rule that lets it through. Allowed applications can be managed through Firewall and Network Protection.
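
The Defender and firewall settings above can also be checked from PowerShell. The following is an added example, not part of the original study guide: a read-only check of Defender Antivirus state, the three firewall profiles, and the inbound allow rules that open specific ports. The function names and the 7-day definition-age threshold are assumptions made for this example.

```powershell
# Added example: read-only check of Defender Antivirus and Defender Firewall state.
# Run from an elevated PowerShell session; nothing is changed on the system.
function Get-DefenderFirewallFindings {
    param(
        [int]$MaxDefinitionAgeDays = 7   # assumption: threshold chosen for this example
    )
    $findings = @()

    # Defender Antivirus: overall state, real-time protection, definition age.
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings += 'Defender Antivirus is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    $age = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
    if ($age -gt $MaxDefinitionAgeDays)     { $findings += "Definitions are $age days old" }

    # Defender Firewall: the Domain, Private and Public profiles are set separately.
    # ActiveStore returns the effective settings, including any applied by Group Policy.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        if ($p.Enabled -ne 'True') { $findings += "Firewall is off for the $($p.Name) profile" }
        if ($p.DefaultInboundAction -eq 'Allow') {
            $findings += "$($p.Name) profile allows inbound connections by default"
        }
    }
    $findings
}

# Inventory of enabled inbound allow rules that open a specific local port,
# including rules created when an application was allowed from the pop-up.
function Get-OpenInboundPortRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.LocalPort -ne 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $pf.Protocol
                LocalPort = $pf.LocalPort -join ','
            }
        }
    }
}

Get-DefenderFirewallFindings
Get-OpenInboundPortRules | Sort-Object Rule | Format-Table -AutoSize
```

An empty result from the first function means none of the checked settings deviates from the defaults described above. The second listing is the place to look for port rules that are no longer needed.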

Users and Groups

As mentioned previously, users will not all require the same level of access control. Windows permissions are a critical part of access control.

Local vs. Microsoft Account

Using a Microsoft account on a device allows for synchronization between the device and all data stored in the Microsoft Cloud. A local account does not provide this synchronization and requires manual setup for synchronization.

Standard Account

Most users will fall into the standard account category. A standard account will have varying permissions based upon roles and groups set by the administrator.

Administrator

Administrator accounts have complete power over the OS. Administrator accounts should be reserved for those who absolutely require them. The more administrators that exist on a network, the more room for error. An administrator will have access to everything.

Guest User

The guest account on Windows is an account that exists on every Windows machine. It’s a very low-privilege account that can be used for individuals who only need occasional access to the device.

Power User

A power user account is one step down from an administrator account. It is the second most powerful account type within the Windows OS. A power user can be given read and write permissions but will not be able to change OS system files.

Login OS Options

The Windows OS provides multiple login options requiring various levels of authentication.

Username and Password

One highly common method of authentication is the use of a username and password combination to identify the user and the permissions associated with the user.

Personal Identification Number (PIN)

A PIN is a password designed for simplifying the login process while still retaining security. A PIN is also often used in two-factor authentication (2FA) and multi-factor authentication (MFA).

Fingerprint

A fingerprint scanner is a biometric method of authentication that can be used as a stand-alone authentication method or in 2FA/MFA.

Facial Recognition

Facial recognition uses facial-scanning technology to identify a user and can be used as a standalone authentication method or in 2FA/MFA.

Single Sign-On (SSO)

SSO is an authentication technique that uses a single authentication method to provide access to all applications and systems that the user may need, reducing the need for the user to remember multiple login and password credentials for various applications.

New Technology File System (NTFS) vs. Share Permissions

NTFS should be used whenever possible, as it provides the most control over data resources. The advantage of using NTFS permissions over share permissions is that they are applied to both local users and network users, and they are based on the permissions granted to an individual user at the Windows logon. Share permissions are not applied to users who log in locally to the machine.

File and Folder Attributes

It’s possible to encrypt individual files and folders on a computer using the Encrypting File System (EFS) that is built into professional versions of Windows. This can be done from the Advanced Attributes dialog box for the files and folders.

Inheritance

Rather than needing to specify permissions on each and every file and folder, administrators can configure inheritance. Inheritance allows files and folders within another folder to inherit the permissions of the top-level folder.

Run as Administrator vs. Standard User

Running the system as administrator allows for complete access and control while a standard user has more limited access and permissions. The administrator mode should only be used if absolutely necessary since running as administrator provides complete access to the system. The standard user should be used for daily activities.

User Account Control (UAC)

When a user wants to run a program that requires administrator privileges, they’ll receive a UAC pop-up. This pop-up will request an administrator password before the program will run. UAC can be beneficial as it forces an administrator to approve a program before it is run or installed. This can come in handy when users who are not particularly tech savvy try to download or run programs that might end up being malicious.

Encrypting File System (EFS)

The EFS is a feature that is available in professional versions of Windows. EFS makes it possible to encrypt individual files and folders with just the click of a button. EFS can be configured in the Advanced Attributes dialog box of a file or folder.

BitLocker®

BitLocker is a program that offers full drive encryption. Unlike EFS, which encrypts individual files, BitLocker encrypts the entire drive. BitLocker relies on the computer having a Trusted Platform Module (TPM) chip to function.

BitLocker To Go®

BitLocker To Go is an encryption method like BitLocker that allows you to encrypt removable/portable drives, such as external hard drives and USB drives. Unlike the full version of BitLocker, BitLocker To Go does not require a TPM chip.

Workstation Security

During the test, you will need to be able to take a given scenario about a workstation and develop appropriate security measures on a “best practice” level to optimally secure that workstation. Here is some relevant information.

Data-At-Rest Encryption

For comprehensive security, it is recommended to encrypt data at all times, even when data is at rest. This protects data within the network in case of breach.

Password Best Practices

Passwords are one of the first lines of defense against an attacker. It’s important to set strong and memorable passwords.

Complexity Requirements

Password best practices should include complexity requirements that deter users from creating short, simple, and easily cracked passwords.

Length

Setting longer password-length requirements increases the security of the passwords. Most security experts feel that a 12-character minimum should be set, although many organizations use an eight-character length requirement.

Character Types

Requiring multiple character types in a password increases its security. These character types may include digits, upper and lowercase letters, or special characters, such as % or @.

Expiration Requirements

Users should be required to change their password at regular intervals. This is enforced using a password-expiration policy. Common intervals are every 30, 60, or 90 days.

Basic Input/Output System (BIOS)/Unified Extensible Firmware Interface (UEFI) Passwords

BIOS and UEFI passwords can be set to prevent individuals from gaining unauthorized access to the BIOS configuration.

End-User Best Practices

Educating the end-user about cybersecurity best practices is critical to network security. It is important that all users receive this education.

Use Screensaver Locks

For individuals who use screensavers, it’s a good idea to set a screensaver password. This will require a password to reenter the computer after the screensaver has come up. The screensaver then works similarly to locking the computer.

Log Off When Not in Use

Cybersecurity best practices include training end-users to log off of network-connected devices when not in use.

Secure/Protect Critical Hardware

Critical hardware (e.g., laptops) should be equipped with multiple security measures, such as logon time restrictions, time-out policies, and failed-login lockouts.

Secure Personally Identifiable Information (PII) and Passwords

Passwords and PII can be easily extracted through end-user negligence, such as writing a password on a sticky note or leaving printouts with PII on printers in an easily accessible area. Users should be instructed not to do these things.

Account Management

Administrators are in charge of ensuring the security of workstations using various policies. They define these policies and monitor and enforce them. The following are important considerations regarding account management.

Restrict User Permissions

Organizations should always use the principle of least privilege. This means that users should only be given access to the resources that they need in order to complete their jobs and nothing more. Having strong permissions helps to prevent unauthorized access whether intentional or accidental.

Restrict Login Times

If your organization only has users working between certain hours of the day (for example, between 9 a.m. and 5 p.m.), one good security restriction to put in place is logon time restrictions. It’s possible to put policies in place that restrict users from logging into a computer outside their normal working hours.

Disable Guest Account

The Guest account on Windows machines is a low-privilege account for guest users. If this account will not be used, it’s best to immediately disable it. Even though it is a low-privilege account, attackers have ways to escalate privilege if they are given access to a machine.

Use Failed Attempts Lockout

A common way to combat brute-force password attacks is to implement a lock-out policy. After a specified number of failed attempts at logging in, the account will lock and an administrator will have to unlock it.

Use Screen Lock/Timeout

Leaving a computer unlocked while you are away is dangerous. Any person can come up and begin working on your computer without your knowledge. For this reason, organizations should implement a screen lock or screen timeout policy. This policy would force the computer to lock after a few minutes of inactivity.

Change Default Administrator’s User Account/Password

Default passwords should never be used in any circumstances. It’s best to immediately change default passwords or disable default accounts altogether and create new accounts.

Disable AutoRun

Certain programs or discs will run immediately when put into the computer. It is best practice to disable the AutoRun and AutoPlay features on the operating system. Disabling them gives you time to evaluate the item before allowing it to run on the PC.

Disable AutoPlay

AutoPlay is disabled by default in the Windows OS. AutoPlay does not look in the autorun.inf file for permissions and will prompt the user to choose to execute or not.
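
Several of the password and account-management practices above can be verified on a workstation with a short script. The following is an added example, not part of the original study guide. It checks password length, password expiration, failed-attempt lockout, the Guest and built-in Administrator accounts, and the AutoRun policy value. The function names are assumptions made for this example, the thresholds come from the figures quoted in this guide, and the parser assumes English-language `net accounts` output.

```powershell
# Added example: audits local account settings against the practices listed above.
# Assumption: English-language `net accounts` output (the labels are localized).
function Get-AccountPolicyFindings {
    param(
        [string[]]$NetAccounts = (net accounts),  # pass saved output to audit offline
        [int]$MinLength = 12,                      # 12-character minimum from the guide
        [int]$MaxAgeDays = 90                      # longest interval the guide lists
    )
    # Turn "Label:   value" lines into a lookup table.
    $policy = @{}
    foreach ($line in $NetAccounts) {
        if ($line -match '^(?<k>[^:]+):\s+(?<v>.+)$') { $policy[$Matches.k.Trim()] = $Matches.v.Trim() }
    }
    $findings = @()
    $len = [int]$policy['Minimum password length']
    if ($len -lt $MinLength) { $findings += "Minimum password length is $len" }
    $age = $policy['Maximum password age (days)']
    if ($age -notmatch '^\d+$' -or [int]$age -gt $MaxAgeDays) { $findings += "Maximum password age is $age" }
    if ($policy['Lockout threshold'] -notmatch '^\d+$') { $findings += 'No failed-attempt lockout is configured' }
    $findings
}

function Get-LocalAccountFindings {
    $findings = @()
    foreach ($u in Get-LocalUser) {
        $rid = $u.SID.Value.Split('-')[-1]   # RID 501 = Guest, 500 = built-in Administrator
        if ($rid -eq '501' -and $u.Enabled) { $findings += "Guest account '$($u.Name)' is enabled" }
        if ($rid -eq '500' -and $u.Enabled -and $u.Name -eq 'Administrator') {
            $findings += 'Built-in Administrator is enabled under its default name'
        }
    }
    # NoDriveTypeAutoRun = 0xFF (255) turns AutoRun off for every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -ne 255) { $findings += 'AutoRun is not disabled for all drive types' }
    $findings
}

# Constructed sample of `net accounts` output, for running the parser offline.
$sample = @(
    'Maximum password age (days):                          Unlimited'
    'Minimum password length:                              8'
    'Lockout threshold:                                    Never'
)
Get-AccountPolicyFindings -NetAccounts $sample   # reports all three settings
Get-LocalAccountFindings                         # queries the local machine
```

Matching accounts by the last part of the SID rather than by name means a renamed Guest or Administrator account is still recognized.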
