comptia-a-plus-core2/labs/SEC-7-workstation-hardening-lab.md

# Lab SEC-7: Workstation Hardening Inspection

Domain:
- 2.0 Security

Works on:
- Windows
- Linux
- Optional macOS

## Goal

Inspect workstation hardening settings without weakening the system.

## Windows Steps

Run:

```powershell
manage-bde -status
net accounts
net user
net localgroup administrators
services.msc
ms-settings:autoplay
```

Optional, when ready to test locking:

```powershell
rundll32.exe user32.dll,LockWorkStation
```

Record:
- BitLocker status:
- Password expiration/lockout settings:
- Local users:
- Local Administrators group:
- AutoPlay setting:
- One running service to research:

Do not disable services in this lab unless you know the impact.

## Linux Steps

Run:

```bash
id
sudo -l
systemctl --type=service --state=running
lsblk -f
```

Record:
- User/group identity:
- Sudo permissions:
- One running service:
- Disk/filesystem info:

## Optional macOS Steps

Run:

```bash
fdesetup status
id
groups
```

Record:
- FileVault status:
- User/group identity:

## Scenario Matching

Choose the best hardening action:

1. A laptop is lost in an airport.
2. A shared workstation allows automatic login.
3. A router still uses admin/admin.
4. USB drives automatically open when inserted.
5. A contractor account should stop working next week.
6. A user is a local administrator but only needs standard access.
7. An unused remote service is listening on the network.

## What You Should Learn

- Hardening reduces attack surface.
- Encryption protects data at rest.
- Screen locks protect unattended devices.
- Strong passwords and lockout reduce brute force risk.
- Unused services and default accounts/passwords increase risk.