Initial Core 2 study project

This commit is contained in:
Ken Patmonk 2026-06-11 20:17:44 -05:00
commit 10de90430c
120 changed files with 12696 additions and 0 deletions

@ -0,0 +1,307 @@
# SEC-7: Workstation Hardening
Status: not started
Domain:
- 2.0 Security
Objective alignment:
- 2.7 Workstation hardening
## What You Need To Know
Hardening means reducing the attack surface: removing or restricting every account, service, feature, and default setting an attacker could use. On the exam, choose the setting that makes the workstation harder to misuse, steal data from, or compromise.
Core hardening areas:
- Data encryption
- Password policy
- Password managers
- Account management
- Screen lock and failed login controls
- Default account/password changes
- BIOS/UEFI passwords
- AutoRun/AutoPlay
- Unused services
- Physical device security
## Memory Trick
Use **E-P-A-L-D-S**:
- **E**ncrypt data
- **P**asswords strong and managed
- **A**ccounts limited
- **L**ock screen/login controls
- **D**isable defaults and AutoPlay
- **S**ervices reduced
Attack surface shortcut:
- **If you do not need it, disable it.**
## Data Encryption
Full-disk encryption:
- Encrypts the whole drive/volume, so a stolen or discarded disk is unreadable without the key.
- Windows example: BitLocker (normally unlocked by the TPM; add a PIN if the threat is someone walking off with the whole laptop).
- macOS example: FileVault.
- Protects data at rest only. Once the user has signed in, the OS and its file permissions are what protect the data.
File-system encryption:
- Encrypts individual files/folders rather than the whole volume.
- Windows example: EFS on NTFS.
Removable media encryption:
- Protects USB drives that travel between machines.
- Windows example: BitLocker To Go.
Key backup:
- Encryption is only useful if recovery keys are protected and available.
- Escrow the recovery key (Active Directory/Entra ID, a Microsoft account, or the organization's key store) before relying on the encrypted drive.
- Lost keys can mean lost data.
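The check a technician actually wants after reading the section above is "is every volume encrypted, is protection on, and is there a recovery key to back up?". The following is an added example, not code from the study notes: it uses the built-in `Get-BitLockerVolume` cmdlet and assumes Windows 10/11 Pro or Enterprise run from an elevated PowerShell session. The `Get-BitLockerAudit` and `Get-BitLockerRecoveryProtectorId` function names are this example's own.

```powershell
# Added example, not part of the study notes: audit BitLocker on every volume and
# flag volumes with no RecoveryPassword protector (nothing to back up or escrow).
# Assumes Windows 10/11 Pro/Enterprise with the built-in BitLocker module,
# run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $protectors  = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasRecovery = $protectors -contains 'RecoveryPassword'

        # Three conditions a hardening review cares about:
        #  1. the volume is not fully encrypted (never enabled, or still in progress)
        #  2. protection is not On (suspended, e.g. for a firmware update, or no protectors)
        #  3. no numerical RecoveryPassword protector exists, so there is no key to back up
        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings += "status is $($vol.VolumeStatus)" }
        if ($vol.ProtectionStatus -ne 'On')          { $findings += 'protection is not On' }
        if (-not $hasRecovery)                        { $findings += 'no RecoveryPassword protector' }
        $summary = if ($findings.Count) { $findings -join '; ' } else { 'OK' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Percent          = $vol.EncryptionPercentage
            KeyProtectors    = ($protectors -join ', ')
            Findings         = $summary
        }
    }
}

# List recovery protector IDs only (never paste the 48-digit password into a ticket);
# back the password up with `manage-bde -protectors -get <drive>` or your escrow tool.
function Get-BitLockerRecoveryProtectorId {
    param([string]$MountPoint = $env:SystemDrive)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId, KeyProtectorType
}

Get-BitLockerAudit | Format-Table -AutoSize -Wrap
Get-BitLockerRecoveryProtectorId
```

A volume that reports `FullyEncrypted` but `ProtectionStatus` Off is the case people miss: BitLocker was suspended (often for a firmware or OS upgrade) and never resumed, so the key is stored in the clear on disk. `Resume-BitLocker -MountPoint C:` fixes that particular finding.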
## Password Controls
Password complexity:
- Mix character types.
- Avoid dictionary words, personal details, and passwords reused from other accounts.
Password length:
- Longer is usually stronger; length adds more entropy than symbol substitutions.
- Passphrases are easier to remember and harder to brute force.
Password age/expiration:
- Controls how long a password can be used before it must be changed.
- Some environments require periodic changes. Current NIST guidance (SP 800-63B) favors changing passwords only when compromise is suspected, but the exam still lists expiration as a control.
Password history:
- Prevents users from reusing recent passwords when they are forced to change.
Default passwords:
- Change default usernames/passwords on devices, routers, apps, and admin portals; defaults are published and are the first thing an attacker tries.
No blank passwords:
- Always require passwords.
No automatic login:
- Do not let systems bypass authentication. Automatic logon also stores the account's credential on the machine, sometimes in clear text in the registry.
Password managers:
- Store many unique passwords in an encrypted vault protected by one strong master password.
- Enterprise password managers can support recovery and central policy.
## Account Management
Least privilege:
- Users should not run as administrators for daily work.
Groups:
- Assign permissions to groups, then add users to groups.
Disable unnecessary accounts:
- Disable guest or unused accounts.
- Disable interactive login for service accounts when possible.
Login time restrictions:
- Limit when accounts can sign in.
- Useful for contractors or temporary workers.
Account expiration:
- Automatically disable temporary accounts after a date.
Failed login lockout:
- Locks the account after too many failed attempts.
- Reduces online brute force attacks (it does nothing against offline cracking of a stolen hash).
- Set a lockout duration and observation window too; a very low threshold lets an attacker lock legitimate users out on purpose.
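The Password Controls and Account Management sections above are a checklist; the following added example (not code from the study notes) turns it into a read-only review of local accounts, the local password/lockout policy, and automatic logon. It assumes Windows 10/11, an elevated PowerShell session, and English `net accounts` output (the labels are localized). The function names and the 365-day staleness threshold are this example's own choices.

```powershell
# Added example, not part of the study notes: read-only review of local accounts,
# the local password/lockout policy, and automatic logon. Assumes Windows 10/11,
# an elevated session, and English `net accounts` labels.
#Requires -RunAsAdministrator

function Get-LocalAccountFindings {
    [CmdletBinding()]
    param([int]$MaxPasswordAgeDays = 365)   # assumed threshold for a "stale" password

    # Local Administrators members, stripped of the MACHINE\ or DOMAIN\ prefix.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Name.Split('\')[-1] })

    foreach ($u in Get-LocalUser) {
        $f = @()
        # PasswordRequired is a bool; PasswordExpires is $null when "never expires" is set.
        if ($u.Enabled -and -not $u.PasswordRequired)                  { $f += 'blank password allowed' }
        if ($u.Enabled -and -not $u.PasswordExpires)                   { $f += 'password never expires' }
        if ($u.Enabled -and ($u.Name -in @('Guest', 'DefaultAccount'))) { $f += 'built-in account enabled' }
        if ($u.Enabled -and ($u.Name -in $admins))                     { $f += 'local Administrators member' }
        if ($u.Enabled -and $u.PasswordLastSet -and ($u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays))) {
            $f += "password older than $MaxPasswordAgeDays days"
        }

        [pscustomobject]@{
            Name            = $u.Name
            Enabled         = $u.Enabled
            LocalAdmin      = ($u.Name -in $admins)
            PasswordLastSet = $u.PasswordLastSet
            AccountExpires  = $u.AccountExpires
            Findings        = $(if ($f.Count) { $f -join '; ' } else { 'OK' })
        }
    }
}

function Get-LocalPasswordPolicy {
    # Parses the "Label:   value" lines printed by `net accounts`.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    [pscustomobject]@{
        MinPasswordLength = $policy['Minimum password length']
        MaxPasswordAge    = $policy['Maximum password age (days)']
        PasswordHistory   = $policy['Length of password history maintained']
        LockoutThreshold  = $policy['Lockout threshold']        # 'Never' means online guessing is not rate-limited
        LockoutDuration   = $policy['Lockout duration (minutes)']
    }
}

function Get-AutoLogonState {
    # AutoAdminLogon = "1" bypasses the sign-in screen; a DefaultPassword value is a
    # clear-text credential sitting in the registry.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [pscustomobject]@{
        AutoAdminLogon            = $wl.AutoAdminLogon
        DefaultUserName           = $wl.DefaultUserName
        DefaultPasswordInRegistry = [bool]$wl.DefaultPassword
    }
}

Get-LocalAccountFindings | Format-Table -AutoSize -Wrap
Get-LocalPasswordPolicy
Get-AutoLogonState
```

The three outputs map directly onto the mini lab's record sheet: lockout policy from `Get-LocalPasswordPolicy`, local admin members from the `LocalAdmin` column, and the "no automatic login" item from `Get-AutoLogonState`. A disabled built-in `Administrator` account is the expected state and is not flagged.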
## Locking and Physical Security
Screen lock:
- Automatically lock after inactivity.
- Require password/PIN/biometric to unlock.
Secure critical hardware:
- Use cable locks, locked rooms, asset tracking, and physical controls for laptops and sensitive devices.
Privacy screens:
- Reduce shoulder surfing.
## BIOS/UEFI Passwords
Supervisor/administrator password:
- Prevents unauthorized firmware setting changes (boot order, Secure Boot, virtualization, TPM).
User/boot password:
- Can prevent booting without credentials.
Caveat:
- A firmware password does not protect the data on the drive; if the disk is pulled and read elsewhere, only full-disk encryption helps. Use both.
Exam clue:
- If the attacker might change boot order or firmware settings, think BIOS/UEFI password.
## AutoRun and AutoPlay
AutoRun:
- Automatically runs the instructions in an autorun.inf file on removable media.
- Legacy risk: Windows 7 and later only honor autorun.inf on optical discs, but policy can turn it off for every drive type.
AutoPlay:
- Prompts or acts when removable media is inserted.
- Disable or restrict to reduce removable-media risk; a USB drive dropped in the parking lot should do nothing until the user deliberately opens it.
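Both behaviours are controlled by registry values, so they can be checked and hardened without clicking through Settings. The following is an added example, not code from the study notes; it assumes Windows 10/11, an elevated session for the HKLM policy key, and that the HKCU value applies to the user currently signed in. The function names are this example's own.

```powershell
# Added example, not part of the study notes: report the registry values that
# control AutoRun (autorun.inf execution) and AutoPlay (the insert-media prompt),
# then apply the hardened values. Assumes Windows 10/11; the HKLM policy key needs
# an elevated session, the HKCU AutoplayHandlers value applies to the current user.

function Get-AutoRunAutoPlayState {
    $hklmPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $hkcuPolicy = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $handlers   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

    $hklm = Get-ItemProperty -Path $hklmPolicy -ErrorAction SilentlyContinue
    $hkcu = Get-ItemProperty -Path $hkcuPolicy -ErrorAction SilentlyContinue
    $ap   = Get-ItemProperty -Path $handlers   -ErrorAction SilentlyContinue

    # NoDriveTypeAutoRun is a bitmask of drive types to ignore; 0xFF (255) covers all of them.
    # NoAutorun = 1 stops autorun.inf commands from being executed or offered in the prompt.
    # DisableAutoplay = 1 is the Settings toggle "Use AutoPlay for all media and devices" = Off.
    [pscustomobject]@{
        HKLM_NoDriveTypeAutoRun = $hklm.NoDriveTypeAutoRun
        HKLM_NoAutorun          = $hklm.NoAutorun
        HKCU_NoDriveTypeAutoRun = $hkcu.NoDriveTypeAutoRun
        HKCU_DisableAutoplay    = $ap.DisableAutoplay
        AutoRunHardened         = ($hklm.NoDriveTypeAutoRun -eq 255 -and $hklm.NoAutorun -eq 1)
        AutoPlayDisabled        = ($ap.DisableAutoplay -eq 1)
    }
}

function Set-AutoRunAutoPlayHardened {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $handlers = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

    foreach ($path in @($policy, $handlers)) {
        if (-not (Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Create key')) {
            New-Item -Path $path -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($policy, 'Set NoDriveTypeAutoRun=0xFF and NoAutorun=1')) {
        New-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $policy -Name NoAutorun          -Value 1    -PropertyType DWord -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($handlers, 'Set DisableAutoplay=1')) {
        New-ItemProperty -Path $handlers -Name DisableAutoplay -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Get-AutoRunAutoPlayState
# Preview, then apply:   Set-AutoRunAutoPlayHardened -WhatIf ; Set-AutoRunAutoPlayHardened
```

On a domain-joined machine the HKLM policy values are usually set by Group Policy ("Turn off AutoPlay" and "Set the default behavior for AutoRun"); if they are already 255 and 1 there, the local change is redundant and Group Policy will reassert its own values anyway.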
## Disable Unnecessary Services
Every running service is attack surface: a listening port, a privileged process, or code that has to be patched.
Examples:
- Remote access service that is not used
- Old print/file sharing service
- Vendor updater no longer needed
- Unused web/database service
Rule:
- Disable only after confirming business impact: check what depends on the service, set its startup type to Disabled rather than uninstalling, and document the change so it can be reversed.
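Before anything is disabled, the services worth researching have to be found: the ones that start automatically and run a binary outside the Windows directory, or run from an unquoted path. The following is an added example, not code from the study notes; it assumes Windows 10/11, an elevated session for the disable step, and treats the path checks as heuristics to review, not findings. The function names are this example's own, and `RemoteRegistry` in the commented usage line is just an illustrative service name.

```powershell
# Added example, not part of the study notes: inventory automatic-start services so
# each can be researched before it is disabled, plus a guarded disable that previews
# with -WhatIf and prompts by default. Assumes Windows 10/11 and an elevated session
# for the disable step. The path checks are heuristics, not definitive findings.

function Get-ServiceReview {
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            $path = [string]$_.PathName
            # Binary outside %SystemRoot%: vendor updaters, remote-access agents, old servers.
            $nonSystem = $path -and ($path -notmatch '^"?[A-Za-z]:\\Windows\\')
            # Unquoted image path with a space before ".exe": the classic service-path hijack.
            $unquoted  = $path -and ($path -match '^[^"\s]+\s[^"]*\.exe')
            [pscustomobject]@{
                Name         = $_.Name
                DisplayName  = $_.DisplayName
                State        = $_.State
                StartMode    = $_.StartMode
                RunsAs       = $_.StartName
                NonSystem    = $nonSystem
                UnquotedPath = $unquoted
                Path         = $path
            }
        } | Sort-Object NonSystem, UnquotedPath -Descending
}

function Disable-ReviewedService {
    # ConfirmImpact High means this prompts unless -Confirm:$false is passed;
    # -WhatIf shows what would happen without touching the service.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess("$($svc.DisplayName) ($Name)", 'Stop and set StartupType=Disabled')) {
        # No -Force: if other services depend on this one, Stop-Service fails loudly,
        # which is exactly the "confirm business impact" signal we want.
        if ($svc.Status -eq 'Running') { Stop-Service -Name $Name }
        Set-Service -Name $Name -StartupType Disabled
    }
}

Get-ServiceReview | Where-Object { $_.NonSystem -or $_.UnquotedPath } | Format-Table -AutoSize -Wrap
# Disable-ReviewedService -Name RemoteRegistry -WhatIf
```

The review output is the "one service you would research before disabling" line of the mini lab; `RunsAs` matters because a LocalSystem service with a vendor binary is a bigger risk than the same binary running as a low-privilege account.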
## Commands To Enter
Windows:
```powershell
manage-bde -status
```
What it does:
- Shows BitLocker encryption status, protection state, and encryption method for each volume.
- Run from an elevated prompt.
```powershell
net user
```
What it does:
- Lists local user accounts.
```powershell
net accounts
```
What it does:
- Shows local password and lockout policy.
```powershell
net localgroup administrators
```
What it does:
- Shows local Administrators group members.
```powershell
services.msc
```
What it does:
- Opens Services.
- Use it to inspect services. Do not disable services without knowing impact.
```powershell
Start-Process ms-settings:autoplay
```
What it does:
- Opens AutoPlay settings.
- The `ms-settings:autoplay` URI works as-is in the Run dialog (Win+R); in PowerShell it has to be launched with `Start-Process`.
```powershell
rundll32.exe user32.dll,LockWorkStation
```
What it does:
- Locks the workstation.
Linux:
```bash
id
```
What it does:
- Shows user and group identity.
```bash
sudo -l
```
What it does:
- Shows sudo privileges if allowed.
```bash
systemctl --type=service --state=running
```
What it does:
- Lists running services.
```bash
lsblk -f
```
What it does:
- Shows block devices and filesystem details.
- A `crypto_LUKS` entry in the FSTYPE column marks a LUKS-encrypted volume, the Linux counterpart of checking BitLocker status.
macOS, if available:
```bash
fdesetup status
```
What it does:
- Shows FileVault encryption status.
```bash
id
groups
```
What it does:
- Shows user/group identity.
## Mini Lab
Goal:
- Inspect workstation hardening without making risky changes.
Windows:
1. Run `manage-bde -status`.
2. Run `net accounts`.
3. Run `net user`.
4. Run `net localgroup administrators`.
5. Run `services.msc`.
6. Run `Start-Process ms-settings:autoplay`.
7. Lock the workstation with `rundll32.exe user32.dll,LockWorkStation` when ready.
8. Record:
- BitLocker status:
- Password lockout policy:
- Local admin members:
- AutoPlay enabled/disabled:
- One service you would research before disabling:
Linux:
1. Run `id`.
2. Run `sudo -l`.
3. Run `systemctl --type=service --state=running`.
4. Record:
- Groups:
- Sudo access:
- One running service to research:
Hardening scenario:
- A contractor leaves next Friday.
- A laptop is used in airports.
- USB drives are often plugged into shared computers.
- A workstation runs an old unused service.
- A local account still uses a vendor default password.
For each, choose the best hardening action.
## Quick Check Before Quiz
You are ready for the SEC-7 quiz when you can answer these without looking:
- What does full-disk encryption protect?
- Why change default passwords?
- Why disable unused services?
- What does account lockout prevent?
- What risk does AutoRun/AutoPlay create?
- What should be checked before disabling a service?