comptia-a-plus-core2/notes/SEC-7-workstation-hardening.md

SEC-7: Workstation Hardening

Status: not started

Domain:

  • 2.0 Security

Objective alignment:

  • 2.7 Workstation hardening

What You Need To Know

Hardening means reducing the attack surface. On the exam, choose the setting that makes the workstation harder to misuse, steal from, or compromise.

Core hardening areas:

  • Data encryption
  • Password policy
  • Password managers
  • Account management
  • Screen lock and failed login controls
  • Default account/password changes
  • BIOS/UEFI passwords
  • AutoRun/AutoPlay
  • Unused services
  • Physical device security

Memory Trick

Use E-P-A-L-D-S:

  • Encrypt data
  • Passwords strong and managed
  • Accounts limited
  • Lock screen/login controls
  • Disable defaults and AutoPlay
  • Services reduced

Attack surface shortcut:

  • If you do not need it, disable it.

Data Encryption

Full-disk encryption:

  • Encrypts the whole drive/volume.
  • Windows example: BitLocker.
  • macOS example: FileVault.

File-system encryption:

  • Encrypts individual files/folders.
  • Windows example: EFS on NTFS.

Removable media encryption:

  • Protects USB drives.
  • Windows example: BitLocker To Go.

Key backup:

  • Encryption is only useful if recovery keys are protected and available.
  • Lost keys can mean lost data.

Password Controls

Password complexity:

  • Mix character types.
  • Avoid obvious words and reused passwords.

Password length:

  • Longer is usually stronger.
  • Passphrases are easier to remember and harder to brute-force.

Password age/expiration:

  • Controls how long passwords can be used.
  • Some environments require periodic changes.

Password history:

  • Prevents users from reusing recent passwords.

Default passwords:

  • Change default usernames/passwords on devices, routers, apps, and admin portals.

No blank passwords:

  • Always require passwords.

No automatic login:

  • Do not let systems bypass authentication.

Password managers:

  • Store many unique passwords in an encrypted vault.
  • Enterprise password managers can support recovery and central policy.

Account Management

Least privilege:

  • Users should not run as administrators for daily work.

Groups:

  • Assign permissions to groups, then add users to groups.

Disable unnecessary accounts:

  • Disable guest or unused accounts.
  • Disable interactive login for service accounts when possible.

Login time restrictions:

  • Limit when accounts can sign in.
  • Useful for contractors or temporary workers.

Account expiration:

  • Automatically disable temporary accounts after a date.

Failed login lockout:

  • Locks the account after too many failed attempts.
  • Limits online brute-force attacks (password guessing against the live login).

Locking and Physical Security

Screen lock:

  • Automatically lock after inactivity.
  • Require password/PIN/biometric to unlock.

Secure critical hardware:

  • Use cable locks, locked rooms, asset tracking, and physical controls for laptops and sensitive devices.

Privacy screens:

  • Reduce shoulder surfing.

BIOS/UEFI Passwords

Supervisor/administrator password:

  • Prevents unauthorized firmware setting changes.

User/boot password:

  • Can prevent booting without credentials.

Exam clue:

  • If the attacker might change boot order or firmware settings, think BIOS/UEFI password.

AutoRun and AutoPlay

AutoRun:

  • Automatically runs instructions from removable media.
  • Legacy risk.

AutoPlay:

  • Prompts or acts when removable media is inserted.
  • Disable or restrict to reduce removable-media risk.

Disable Unnecessary Services

Every service is potential attack surface.

Examples:

  • A remote access service that nobody uses
  • An old print or file sharing service
  • A vendor updater that is no longer needed
  • An unused web or database service

Rule:

  • Disable only after confirming business impact.

Commands To Enter

Windows:

manage-bde -status

What it does:

  • Shows BitLocker encryption status.

net user

What it does:

  • Lists local user accounts.

net accounts

What it does:

  • Shows local password and lockout policy.

net localgroup administrators

What it does:

  • Shows local Administrators group members.

services.msc

What it does:

  • Opens Services.
  • Use it to inspect services. Do not disable services without knowing impact.

ms-settings:autoplay

What it does:

  • Opens AutoPlay settings.

rundll32.exe user32.dll,LockWorkStation

What it does:

  • Locks the workstation.
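An added example (not part of the original notes): a Python script that parses the output of net accounts and checks it against the Password Controls above (minimum length, password history, lockout threshold). The sample output and the baseline numbers are constructed assumptions, not values from a real host.

```python
# Constructed sample of `net accounts` output (not captured from a real host); the
# layout mirrors the real command, but every value is made up for this example.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Hypothetical hardening baseline for the SEC-7 checks; the numbers are an assumption.
BASELINE = {"min_length": 12, "history": 5, "max_lockout_threshold": 10}


def parse_net_accounts(text):
    """Return {setting: value}; counts become int, and Never/None/Unlimited become 0."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:  # e.g. "The command completed successfully."
            continue
        value = value.strip()
        if value in ("Never", "None", "Unlimited"):
            policy[key.strip()] = 0
        elif value.isdigit():
            policy[key.strip()] = int(value)
        else:
            policy[key.strip()] = value
    return policy


def audit_password_policy(policy, baseline=BASELINE):
    """Compare a parsed policy with the baseline and return a list of findings."""
    findings = []
    if policy.get("Minimum password length", 0) < baseline["min_length"]:
        findings.append("minimum password length below baseline")
    if policy.get("Length of password history maintained", 0) < baseline["history"]:
        findings.append("password history too short; recent passwords can be reused")
    threshold = policy.get("Lockout threshold", 0)
    if threshold == 0:
        findings.append("no account lockout; online brute force is not limited")
    elif threshold > baseline["max_lockout_threshold"]:
        findings.append("lockout threshold above baseline")
    return findings
```

On the constructed sample the audit reports three findings, which is what an unhardened workstation with default local policy typically looks like.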

Linux:

id

What it does:

  • Shows user and group identity.

sudo -l

What it does:

  • Lists the commands the current user may run with sudo, if the sudo policy allows listing them.

systemctl --type=service --state=running

What it does:

  • Lists running services.

lsblk -f

What it does:

  • Shows block devices and filesystem details.
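An added example (not from the original notes) that uses the lsblk -f output above to answer the Data Encryption question on Linux: is the filesystem mounted at / inside a dm-crypt/LUKS container (which lsblk reports with FSTYPE crypto_LUKS)? The sample listing is constructed, and the assumption is a LUKS-based full-disk setup; a plaintext /boot is normal there.

```python
import re

TREE_CHARS = " │├└─"  # glyphs lsblk draws in the NAME column to show the device tree

# Constructed sample of `lsblk -f` (not from a real host): LUKS root, plaintext /boot, unencrypted data disk.
SAMPLE_LSBLK = """\
NAME          FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
sda
├─sda1        vfat        FAT32       1A2B-3C4D                               480M     3% /boot/efi
├─sda2        ext4        1.0         0f0f0f0f-0000-4000-8000-000000000002    600M    35% /boot
└─sda3        crypto_LUKS 2           0f0f0f0f-0000-4000-8000-000000000003
  └─cryptroot ext4        1.0         0f0f0f0f-0000-4000-8000-000000000004    120G    41% /
sdb
└─sdb1        ext4        1.0         0f0f0f0f-0000-4000-8000-000000000005    900G    10% /srv/data
"""


def parse_lsblk(text):
    """Parse `lsblk -f` tree output into dicts with name, fstype, mountpoint and parent."""
    lines = [l for l in text.splitlines() if l.strip()]
    cols = [m.start() for m in re.finditer(r"\S+", lines[0])]  # header column offsets
    devices, stack = [], []  # stack of (depth, name) for the current ancestors
    for line in lines[1:]:
        raw_name = line[cols[0]:cols[1]]
        depth = (len(raw_name) - len(raw_name.lstrip(TREE_CHARS))) // 2
        while stack and stack[-1][0] >= depth:
            stack.pop()
        name = raw_name.strip(TREE_CHARS)
        last = line.split()[-1]  # mount point is the last field when present
        devices.append({
            "name": name,
            "fstype": line[cols[1]:cols[2]].strip(),
            "mountpoint": last if last.startswith("/") else "",
            "parent": stack[-1][1] if stack else None,
        })
        stack.append((depth, name))
    return devices


def is_encrypted(devices, mountpoint):
    """True when the filesystem at `mountpoint` has a crypto_LUKS container somewhere beneath it."""
    by_name = {d["name"]: d for d in devices}
    dev = next((d for d in devices if d["mountpoint"] == mountpoint), None)
    while dev is not None:
        if dev["fstype"] == "crypto_LUKS":
            return True
        dev = by_name.get(dev["parent"])
    return False


def unencrypted_mounts(devices):  # mounted filesystems with no LUKS layer under them
    return sorted(d["mountpoint"] for d in devices if d["mountpoint"] and not is_encrypted(devices, d["mountpoint"]))
```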

macOS, if available:

fdesetup status

What it does:

  • Shows FileVault encryption status.

id
groups

What it does:

  • Shows user/group identity.

Mini Lab

Goal:

  • Inspect workstation hardening without making risky changes.

Windows:

  1. Run manage-bde -status.
  2. Run net accounts.
  3. Run net user.
  4. Run net localgroup administrators.
  5. Run services.msc.
  6. Run ms-settings:autoplay.
  7. Lock the workstation with rundll32.exe user32.dll,LockWorkStation when ready.
  8. Record:
    • BitLocker status:
    • Password lockout policy:
    • Local admin members:
    • AutoPlay enabled/disabled:
    • One service you would research before disabling:

Linux:

  1. Run id.
  2. Run sudo -l.
  3. Run systemctl --type=service --state=running.
  4. Record:
    • Groups:
    • Sudo access:
    • One running service to research:

Hardening scenario:

  • A contractor leaves next Friday.
  • A laptop is used in airports.
  • USB drives are often plugged into shared computers.
  • A workstation runs an old unused service.
  • A local account still uses a vendor default password.

For each, choose the best hardening action.

Quick Check Before Quiz

You are ready for the SEC-7 quiz when you can answer these without looking:

  • What does full-disk encryption protect?
  • Why change default passwords?
  • Why disable unused services?
  • What does account lockout prevent?
  • What risk do AutoPlay and AutoRun introduce?
  • What should be checked before disabling a service?