# SEC-7: Workstation Hardening

Status: not started

Domain:

- 2.0 Security

Objective alignment:

- 2.7 Workstation hardening

## What You Need To Know

Hardening means reducing the attack surface: fewer enabled features, services, accounts, and default settings for an attacker to misuse. On the exam, choose the setting that makes the workstation harder to misuse, steal data from, or compromise.

Core hardening areas:

- Data encryption
- Password policy
- Password managers
- Account management
- Screen lock and failed login controls
- Default account/password changes
- BIOS/UEFI passwords
- AutoRun/AutoPlay
- Unused services
- Physical device security

## Memory Trick

Use **E-P-A-L-D-S**:

- **E**ncrypt data
- **P**asswords strong and managed
- **A**ccounts limited
- **L**ock screen/login controls
- **D**isable defaults and AutoPlay
- **S**ervices reduced

Attack surface shortcut:

- **If you do not need it, disable it.**

## Data Encryption

Full-disk encryption:

- Encrypts the whole drive/volume, so a lost or stolen device does not expose the data at rest.
- Protects data only while the system is off or locked; once the OS is booted and unlocked, a logged-in session reads the disk normally.
- Windows example: BitLocker (normally unlocked by the TPM, optionally with a PIN).
- macOS example: FileVault.
- Linux example: LUKS (shows as `crypto_LUKS` in `lsblk -f`).

File-system encryption:

- Encrypts individual files/folders.
- Windows example: EFS on NTFS.

Removable media encryption:

- Protects USB drives.
- Windows example: BitLocker To Go.

Key backup:

- Encryption is only useful if recovery keys are protected and available.
- Escrow recovery keys centrally (for example, BitLocker keys in Active Directory or Microsoft Entra ID) rather than on the encrypted device itself.
- Lost keys can mean lost data.

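An added example, not from the original page: the Linux counterpart of checking `manage-bde -status`. It parses `lsblk -P -o NAME,FSTYPE,MOUNTPOINT,PKNAME` output (real lsblk columns; `PKNAME` is the parent device) and reports every mounted filesystem that does not sit on top of a `crypto_LUKS` container somewhere in its device chain. The sample output is constructed, not captured from a real host; the function name `unencrypted_mounts` is my own.

```shell
#!/bin/sh
# Added example (not from the original page): report mounted filesystems
# that are not backed by a LUKS container, from `lsblk -P` style output.

# Constructed sample of `lsblk -P -o NAME,FSTYPE,MOUNTPOINT,PKNAME`.
# Layout: /boot and the EFI partition are plain, / and /home sit on LVM
# inside a LUKS container (sda3), and a second disk sdb1 is mounted plain.
SAMPLE_LSBLK='NAME="sda" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda3"
NAME="vg0-root" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-home" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sdb" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sdb"'

# Print one mountpoint per line for each mounted filesystem whose parent
# chain contains no crypto_LUKS device. Argument: lsblk -P text.
unencrypted_mounts() {
  printf '%s\n' "$1" | awk '
    # Pull the value of key="value" out of a line that has been prefixed
    # with a space, so " NAME=" cannot match inside " PKNAME=".
    function field(s, key,    v) {
      if (match(s, " " key "=\"[^\"]*\"")) {
        v = substr(s, RSTART, RLENGTH)
        sub(/^.*="/, "", v)
        sub(/"$/, "", v)
        return v
      }
      return ""
    }
    {
      line = " " $0
      name = field(line, "NAME")
      fstype[name] = field(line, "FSTYPE")
      parent[name] = field(line, "PKNAME")
      mp = field(line, "MOUNTPOINT")
      if (mp != "") mount[name] = mp
      order[++n] = name
    }
    END {
      for (i = 1; i <= n; i++) {
        name = order[i]
        if (!(name in mount)) continue
        encrypted = 0
        # Walk up through LVM / partition parents looking for a LUKS layer.
        for (p = parent[name]; p != ""; p = parent[p])
          if (fstype[p] == "crypto_LUKS") { encrypted = 1; break }
        if (!encrypted) print mount[name]
      }
    }'
}

# On a live system:
#   unencrypted_mounts "$(lsblk -P -o NAME,FSTYPE,MOUNTPOINT,PKNAME)"
unencrypted_mounts "$SAMPLE_LSBLK"
```

On the constructed sample this prints `/boot/efi`, `/boot` and `/data`. An unencrypted `/boot` is normal for a LUKS-on-root build; `/data` on the second disk is the finding. The check only recognizes LUKS/dm-crypt by its `crypto_LUKS` signature; other schemes (ZFS native encryption, fscrypt on ext4) do not show up this way and need their own check.
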
## Password Controls

Password complexity:

- Mix character types.
- Avoid obvious words and reused passwords.

Password length:

- Longer is usually stronger.
- Passphrases are easier to remember and harder to brute force.

Password age/expiration:

- Controls how long a password can be used before it must be changed.
- Some environments require periodic changes. Current guidance (NIST SP 800-63B) recommends changing passwords when compromise is suspected rather than on a fixed schedule, but the exam still expects you to recognize expiration as a control.

Password history:

- Prevents users from reusing recent passwords.

Default passwords:

- Change default usernames/passwords on devices, routers, apps, and admin portals. Default credentials are published and are the first thing an attacker tries.

No blank passwords:

- Always require passwords.

No automatic login:

- Do not let systems bypass authentication at boot or on wake.

Password managers:

- Store many unique passwords in an encrypted vault protected by one strong master password.
- Enterprise password managers can support recovery and central policy.

## Account Management

Least privilege:

- Users should not run as administrators for daily work; use a separate admin account (or UAC/sudo elevation) only when needed.

Groups:

- Assign permissions to groups, then add users to groups.

Disable unnecessary accounts:

- Disable guest or unused accounts.
- Disable interactive login for service accounts when possible (on Linux, a login shell of `nologin` or `false`).

Login time restrictions:

- Limit when accounts can sign in.
- Useful for contractors or temporary workers.

Account expiration:

- Automatically disable temporary accounts after a date.

Failed login lockout:

- Locks the account after too many failed attempts.
- Reduces online brute force attacks against a single account.
- Caveat: an attacker can trigger lockout on purpose to deny service, and password spraying (one guess across many accounts) stays under the threshold, so pair lockout with failed-login monitoring.

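An added example, not from the original page, that turns the password and account controls above into a check over `/etc/passwd` and `/etc/shadow` style data. Both files are constructed for the example (the hashes are placeholders, not real); the function name `audit_accounts`, the finding labels, and the 1000 UID boundary for "system account" are my own choices.

```shell
#!/bin/sh
# Added example (not from the original page): audit local accounts for
# blank passwords, never-expiring passwords, expired accounts, and system
# accounts that still have an interactive shell.

# Constructed /etc/passwd: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
contractor:x:1001:1001:Temp:/home/contractor:/bin/bash
kiosk:x:1002:1002:Kiosk:/home/kiosk:/bin/bash'

# Constructed /etc/shadow: name:hash:lastchange:min:max:warn:inactive:expire:
# "*" or "!" as the hash means locked, an empty hash means no password,
# max age 99999 means the password never ages, expire is days since epoch.
SAMPLE_SHADOW='root:$6$placeholder:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
backup:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
alice:$6$placeholder:19700:0:90:7:::
contractor:$6$placeholder:19700:0:90:7::19800:
kiosk::19700:0:99999:7:::'

# Print one "finding user" line per violation.
# Arguments: passwd text, shadow text, today as days since the epoch.
audit_accounts() {
  printf '%s\n' "$2" | awk -F: -v passwd="$1" -v today="$3" '
    BEGIN {
      # Index uid and shell by user name from the passwd text.
      n = split(passwd, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, ":")
        uid[f[1]] = f[3]; shell[f[1]] = f[7]
      }
    }
    NF < 8 { next }                       # skip malformed shadow lines
    {
      user = $1; hash = $2; maxage = $5; expire = $8
      if (hash == "") { print "blank_password", user; next }
      locked = (hash ~ /^[!*]/)
      if (!locked && (maxage == "" || maxage + 0 >= 99999))
        print "no_max_age", user
      if (!locked && expire != "" && expire + 0 < today + 0)
        print "expired_account", user
      if (uid[user] + 0 < 1000 && user != "root" && shell[user] !~ /(nologin|false)$/)
        print "service_account_shell", user
    }'
}

# On a live system (shadow is root-only):
#   audit_accounts "$(cat /etc/passwd)" "$(sudo cat /etc/shadow)" \
#                  "$(( $(date +%s) / 86400 ))"
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 19850
```

With today set to day 19850 the sample yields four findings: `root` has a password that never ages, `backup` is a system account with `/bin/sh` as its shell, `contractor` expired on day 19800 and should be disabled or removed, and `kiosk` has a blank password. Locked accounts (`*`/`!`) are not reported for password age because they cannot log in with a password at all.
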
## Locking and Physical Security

Screen lock:

- Automatically lock after inactivity.
- Require password/PIN/biometric to unlock.

Secure critical hardware:

- Use cable locks, locked rooms, asset tracking, and physical controls for laptops and sensitive devices.

Privacy screens:

- Reduce shoulder surfing.

## BIOS/UEFI Passwords

Supervisor/administrator password:

- Prevents unauthorized firmware setting changes (boot order, Secure Boot, TPM settings).

User/boot password:

- Can prevent booting without credentials.

Exam clue:

- If the attacker might change boot order or firmware settings, think BIOS/UEFI password.

Caveat:

- A firmware password does not protect the disk itself. An attacker can pull the drive and read it in another machine unless it is encrypted, so pair the firmware password with full-disk encryption.

## AutoRun and AutoPlay

AutoRun:

- Automatically runs instructions (an `autorun.inf` file) from inserted media.
- Legacy risk: modern Windows no longer honors AutoRun for USB drives, but it was a common way for malware to spread by removable media.

AutoPlay:

- Prompts or acts when removable media is inserted.
- Disable or restrict to reduce removable-media risk; manage it centrally with Group Policy where possible.

## Disable Unnecessary Services

Every service is potential attack surface, and a service listening on the network is reachable attack surface.

Examples:

- Remote access service not used
- Old print/file sharing service
- Vendor updater no longer needed
- Unused web/database service

Rule:

- Disable only after confirming business impact.
- Check what depends on the service first, and disable it (so it cannot start) rather than just stopping it.

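An added example, not from the original page, of how a practitioner produces the "research before disabling" list instead of eyeballing `systemctl`. It compares running services against an assumed baseline of what the build is expected to run, and separately flags TCP listeners bound to a non-loopback address using `ss -Hltnp` output (real `ss` flags: no header, listening, TCP, numeric, with process). Both sample outputs are constructed; the baseline, the function names and the `updater` service are my own.

```shell
#!/bin/sh
# Added example (not from the original page): list running services that
# are off-baseline, and TCP listeners reachable from the network.

# Constructed sample of:
#   systemctl list-units --type=service --state=running --no-legend --plain
SAMPLE_UNITS='cron.service loaded active running Regular background program processing daemon
cups.service loaded active running CUPS Scheduler
dbus.service loaded active running D-Bus System Message Bus
ssh.service loaded active running OpenBSD Secure Shell server
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
NetworkManager.service loaded active running Network Manager
systemd-journald.service loaded active running Journal Service
vendor-updater.service loaded active running Vendor Update Agent'

# Assumed baseline: services a standard workstation build is expected to run.
BASELINE='cron.service dbus.service NetworkManager.service systemd-journald.service'

# Constructed sample of `ss -Hltnp` (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
LISTEN 0 511 [::1]:631 [::]:* users:(("cupsd",pid=700,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 *:8443 *:* users:(("updater",pid=1200,fd=9))'

# Print "unit<TAB>description" for each running service not in the baseline.
# Arguments: systemctl text, space-separated baseline.
unexpected_services() {
  printf '%s\n' "$1" | awk -v base="$2" '
    BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    NF >= 5 && $1 ~ /\.service$/ && !($1 in ok) {
      desc = $5
      for (i = 6; i <= NF; i++) desc = desc " " $i
      print $1 "\t" desc
    }'
}

# Print "local_address process" for TCP listeners not bound to loopback.
# Argument: ss -Hltnp text.
exposed_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" && $4 !~ /^(127\.|\[::1\]|localhost:)/ {
      proc = "?"
      # users:(("name",pid=...)) -> name
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $4, proc
    }'
}

# On a live system:
#   unexpected_services "$(systemctl list-units --type=service --state=running --no-legend --plain)" "$BASELINE"
#   exposed_listeners "$(sudo ss -Hltnp)"
unexpected_services "$SAMPLE_UNITS" "$BASELINE"
exposed_listeners "$SAMPLE_SS"
```

On the sample, `cups`, `ssh`, `avahi-daemon` and `vendor-updater` are off-baseline; the listener check then shows that CUPS only listens on loopback while `sshd` (port 22) and the vendor `updater` (port 8443) accept connections from the network, which is where to start the impact research. Nothing here stops or disables anything.
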
## Commands To Enter

Windows:

```powershell
manage-bde -status
```

What it does:

- Shows BitLocker status for each volume (protection on/off, percentage encrypted, key protectors).
- Requires an elevated (Administrator) prompt.

```powershell
net user
```

What it does:

- Lists local user accounts.

```powershell
net accounts
```

What it does:

- Shows the local password policy (minimum length, maximum age, history) and lockout policy (threshold, duration, observation window).

```powershell
net localgroup administrators
```

What it does:

- Shows local Administrators group members; every entry here has full control of the machine.

```powershell
services.msc
```

What it does:

- Opens the Services console (also works from the Run dialog).
- Use it to inspect services. Do not disable services without knowing the impact.

```powershell
start ms-settings:autoplay
```

What it does:

- Opens AutoPlay settings. `start` is PowerShell's alias for `Start-Process`; the bare `ms-settings:autoplay` URI also works from the Run dialog (Win+R).

```powershell
rundll32.exe user32.dll,LockWorkStation
```

What it does:

- Locks the workstation.

Linux:

```bash
id
```

What it does:

- Shows user and group identity.

```bash
sudo -l
```

What it does:

- Shows the sudo rules that apply to your account, if you have any.

```bash
systemctl --type=service --state=running
```

What it does:

- Lists running services.

```bash
lsblk -f
```

What it does:

- Shows block devices and filesystem details; `crypto_LUKS` in the FSTYPE column marks an encrypted container.

macOS, if available:

```bash
fdesetup status
```

What it does:

- Shows FileVault encryption status.

```bash
id
groups
```

What it does:

- Shows user/group identity.

## Mini Lab

Goal:

- Inspect workstation hardening without making risky changes.

Windows:

1. Run `manage-bde -status` from an elevated prompt.
2. Run `net accounts`.
3. Run `net user`.
4. Run `net localgroup administrators`.
5. Run `services.msc`.
6. Open AutoPlay settings with `start ms-settings:autoplay` (or Win+R, then `ms-settings:autoplay`).
7. Lock the workstation with `rundll32.exe user32.dll,LockWorkStation` when ready.
8. Record:
   - BitLocker status:
   - Password lockout policy:
   - Local admin members:
   - AutoPlay enabled/disabled:
   - One service you would research before disabling:

Linux:

1. Run `id`.
2. Run `sudo -l`.
3. Run `systemctl --type=service --state=running`.
4. Record:
   - Groups:
   - Sudo access:
   - One running service to research:

Hardening scenario:

- A contractor leaves next Friday.
- A laptop is used in airports.
- USB drives are often plugged into shared computers.
- A workstation runs an old unused service.
- A local account still uses a vendor default password.

For each, choose the best hardening action.

## Quick Check Before Quiz

You are ready for the SEC-7 quiz when you can answer these without looking:

- What does full-disk encryption protect, and when does it not help?
- Why change default passwords?
- Why disable unused services?
- What does account lockout prevent?
- What risk do AutoPlay/AutoRun introduce?
- What should be checked before disabling a service?
