Day 6. User Access, Device Security, and Data Disposal

CompTIA A+ 220-901 Exam Topics

Objective 3.3: Compare and contrast differences of basic Windows OS security settings.

Objective 3.4: Given a scenario, deploy and enforce security best practices to secure a workstation.

Objective 3.5: Compare and contrast various methods for securing mobile devices.

Objective 3.6: Given a scenario, use appropriate data destruction and disposal methods.

Key Topics

The focus of this day is securing Windows operating systems (OSes) and devices including computers and mobile devices. We also will discuss how to correctly destroy data and dispose of storage devices to prevent data from falling into the wrong hands.

Windows OS Security Settings

Windows utilizes users and groups to secure access to resources on the local machine and network. Users are created, and access to resources is granted to them. To configure access for many people at one time, a group is created and users are added to the group. Access is granted to the group as a whole. In Windows, there are four different types of user accounts:

Administrator—This account has access to everything on the computer. The administrator can create users and change passwords.

Power user—This account type has some of the power of the administrator to handle some of the tasks of the administrator. To become a power user, a standard user is placed into the power user group.

Guest—The guest account has very limited access to files and folders. Also, the guest account cannot install hardware or software or change passwords.

Standard user—This is a regular user account. The standard user has access to his own data but is not able to access the data of other users. By default, the standard user cannot perform administrative tasks.

Activity 6-1: Identify the Account Type

Refer to the Digital Study Guide to complete this activity.

To limit access to files and folders, permissions are granted to users and groups. There are two different types of permissions:

Share permissions—These permissions are configured in the Sharing tab of a file’s or folder’s properties window. Share permissions have three levels: full control, change, and read.

NTFS permissions—These permissions are configured in the Security tab of a file’s or folder’s properties window, as shown in Figure 6-1. New Technology File System (NTFS) permissions have seven types: full control, modify, read and execute, list folder contents, read, write, and special permissions. The list folder contents permission is only available for folders. These permissions override any share permissions that have been configured.

Figure 6-1 NTFS Permissions

Each share and NTFS permission can be configured to allow or deny a user or group. When a user or group has not been configured as being allowed or denied a permission, they will not have access. If they are in a group that has access to the same resource, their effective permission will allow them access. To ensure a user or group does not have access to a specific resource, they must be denied explicitly.

File and folder permissions can change when they are moved or copied. Depending on the action, there is a different outcome:

Data is moved to the same volume—It will keep the original permissions.

Data is copied to the same volume—It will inherit new permissions.

Data is moved to a different volume—It will inherit new permissions.

Data is copied to a different volume—It will inherit new permissions.

Sharing files and folders allows other users to access them. They can be accessed from the local computer or on the network. Local shares are standard shares used by standard users. In addition, hidden administrative shares exist that cannot be seen by standard users. Administrative shares can be identified by the dollar sign ($) at the end of the share’s name—for example, C$.

When a folder is created, by default, it inherits the permissions of the folder in which it is created. It is possible to change all the permissions for folders and files within those folders by changing the permissions of the parent folder. This is known as permission propagation. Permissions for objects can be found in the Advanced Security Settings window, as shown in Figure 6-2.

Figure 6-2 Advanced Security Settings Window
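
The allow/deny and inheritance behavior described above can be observed directly from PowerShell. The following is an added example, not part of the original text; the scratch folder name acl-demo is hypothetical, and the script is meant to be run on a Windows test machine.

```powershell
# Added example: explicit Deny versus inherited Allow on an NTFS folder.
$dir = Join-Path $env:TEMP 'acl-demo'      # hypothetical scratch folder
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# A new folder starts with entries inherited from its parent (IsInherited = True).
(Get-Acl $dir).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited

# Add an explicit Deny for Write for the current user. The inheritance flags
# make the entry propagate to files and subfolders created inside the folder.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $me, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl  = Get-Acl $dir
$acl.AddAccessRule($deny)
Set-Acl -Path $dir -AclObject $acl

# The ACL now holds the explicit Deny next to the inherited Allow entries.
(Get-Acl $dir).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited

# The inherited Allow is still present, but the explicit Deny wins.
try {
    Set-Content -Path (Join-Path $dir 'test.txt') -Value 'x' -ErrorAction Stop
    'Write succeeded'
} catch {
    "Write blocked: $($_.Exception.Message)"
}

# Clean up: remove the Deny entry, then delete the scratch folder.
$acl = Get-Acl $dir
[void]$acl.RemoveAccessRule($deny)
Set-Acl -Path $dir -AclObject $acl
Remove-Item $dir -Recurse
```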

To protect the operating system, some system files and folders are hidden from users. The setting can be changed so that the files and folders are visible, but in most cases this is not necessary. The setting can be changed in the View tab of the Folder Options Control Panel app.

Users often forget passwords. Many times, security policy dictates a lockout period when a certain number of incorrect passwords are entered. This is especially prevalent when a user has many different passwords for multiple computers. Single sign-on (SSO) can be set up to help prevent this problem. With SSO, a user has only one password that works on all the computers to which the user needs access.

Some of the programs and commands in Windows cannot be executed by a standard user. They must be run as an administrator. This can be accomplished in the GUI through the right-click menu. For commands, a command prompt must be opened as an administrator to run the commands as one. A program or command executed this way is said to run with elevated privileges.

File and folder permissions prevent access but can be circumvented. To secure files and folders completely, Windows has a feature called Encrypting File System (EFS). EFS encrypts and decrypts on the fly to allow authorized users to make edits and changes securely. EFS files are normally shown as green in the Windows/File Explorer.

EFS is a good way to protect files and folders. To protect an entire drive, special software must be used. BitLocker encrypts an entire drive, at some cost to drive performance. BitLocker is transparent to the user while it is in use. To use BitLocker, the computer must have either a Trusted Platform Module (TPM) or a USB drive to store the encryption keys. To encrypt removable drives, use BitLocker-To-Go.

Security Best Practices to Secure a Workstation

To keep computers secure, it is important to follow security best practices. One of the most prevalent security measures used on a computer is the username and password combination. Local Security Policy displays the password policy, as shown in Figure 6-3. These are some of the most important best practices concerning this vital security measure:

Requiring passwords—Security policy must require the use of passwords for all computer users.

Changing default usernames and passwords—Default usernames and passwords must be changed immediately. Default items are known by everyone, so they are a security risk.

Setting strong passwords—Require a password of at least eight characters with a combination of upper- and lowercase letters, numbers, and symbols. Weak passwords can be easily guessed or cracked.

Password expiration—Passwords should expire to further prevent them from being discovered or cracked by an attacker.

Screensaver required password—When the screensaver starts, the user is most likely away from her computer. Upon return, she should be required to enter her password to resume operation.

Figure 6-3 Local Security Policy

It is important not only to use passwords for the OS and follow security best practices, but also to use BIOS or UEFI passwords. When an attacker can modify these settings, she can, for example, boot the computer using a USB drive of her own that contains malware. She could infect the computer or network or take over the computer.

Additional best practices must be followed to secure the computer. These are some account management best practices that should be implemented:

Disable autorun—This option should be disabled to prevent an attacker from automatically starting a program stored on, for example, a USB drive.

Disabling guest account—This account allows someone without an account to log on to the computer as a guest. This is a security risk.

Login time restrictions—This prevents users from utilizing computers during certain times, like a holiday; this ensures that no unauthorized users can log in either.

Failed attempts lockout—This option prevents an attacker from attempting to guess a password too many times.

Timeout/screen lock—If the computer is not in use, it should be locked automatically. This option should be used with the screensaver password option.

Restricting user permissions—Only give users access to the resources they need. Start with no permissions and add them until they have everything they need. This prevents users from inadvertently accessing the wrong resources.

Data encryption—Always require users to encrypt important or private data. A good practice is to encrypt entire drives.

Patch/update management—Security policy must include rules for patching the OS and updating software. This is especially important for malware detection and removal software.
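
The password and lockout practices listed above can be checked from the command line as well as in Local Security Policy. The following is an added example, not part of the original text: it audits the output of the built-in net accounts command against three of those practices. The function name Test-AccountPolicy is hypothetical, the sample text is constructed, and English-language output is assumed.

```powershell
# Added example: audit "net accounts" output against the listed practices.
function Test-AccountPolicy {
    param(
        # Defaults to the live policy; pass saved text to audit it offline.
        [string[]]$Lines = (net accounts)
    )

    # Parse "Label:      value" lines into a lookup table.
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<key>.+?):\s+(?<value>\S.*)$') {
            $policy[$Matches['key'].Trim()] = $Matches['value'].Trim()
        }
    }

    $minLen  = $policy['Minimum password length']
    $maxAge  = $policy['Maximum password age (days)']
    $lockout = $policy['Lockout threshold']

    # A number means the control is on; "Unlimited" or "Never" means it is off.
    # A missing value (for example, non-English output) is reported as a failure.
    [pscustomobject]@{
        Practice = 'Strong passwords (8+ characters)'
        Value    = $minLen
        Pass     = ($minLen -match '^\d+$') -and ([int]$minLen -ge 8)
    }
    [pscustomobject]@{
        Practice = 'Password expiration'
        Value    = $maxAge
        Pass     = [bool]($maxAge -match '^\d+$')
    }
    [pscustomobject]@{
        Practice = 'Failed attempts lockout'
        Value    = $lockout
        Pass     = [bool]($lockout -match '^\d+$')
    }
}

# Constructed sample: no minimum password length and no lockout configured.
$sample = @'
Maximum password age (days):                          42
Minimum password length:                              0
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
The command completed successfully.
'@ -split "`r?`n"

Test-AccountPolicy -Lines $sample | Format-Table -AutoSize
```

Calling Test-AccountPolicy with no arguments audits the local machine instead of the sample.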

Securing Mobile Devices

Mobile devices can be more vulnerable to theft than computers and laptops. They are small and most likely contain personal and confidential data. Every mobile device owner should set up a screen lock to unlock the device. Many different types of screen locks can be configured:

Swipe lock—This lock only prevents shoulder surfing. This is not a secure lock unless a pattern is offered as an option. The longer and more complicated the swipe, the more secure the lock.

Passcode lock—This can be a PIN or a traditional password. As with the swipe lock, the longer and more complicated it is, the more secure the lock.

Fingerprint lock—This type of lock scans a user’s fingerprint and compares it with recorded scans to determine whether the user should be provided access. Usually, when a fingerprint lock fails a few times, security will fall back to a passcode lock.

Face lock—This is another type of biometric lock that relies on the camera to recognize the user by the features of his face. Like a fingerprint lock, failure of the face lock should fall back to a passcode lock.

As with a computer, one or more of these screen locks can be used together. Multifactor authentication is exponentially more secure than single-factor authentication.

To store multiple sets of credentials for apps, websites, and so on, authenticator applications can be used. They can be set to automatically enter different credentials for different apps, sites, or connections through the use of a single, secure password.

In the event of theft, the screen locks offer the first line of defense. If the thief tries to unlock the device, he will be met with failed login attempt restrictions. After too many guesses have occurred, the device will prevent additional guesses for a set period of time. If this behavior continues and the device is configured to do so, it will perform a remote wipe. All data will be deleted from the device, securing all data.

This can seem like a drastic measure, but it does keep all your data secure. Always make a backup of important data either to your local computer or to a cloud service through the use of remote backup.

Mobile devices also are capable of broadcasting their location. Locator applications can be installed and configured so that a user can easily find a lost or stolen device. Of course, the device must be connected to a network to send its location back to be displayed by the website or other device being used to locate it.

Many of the same methods for protecting computers and laptops apply to protect mobile devices:

Install antivirus and anti-malware applications.

Patch the OS when updates are available.

Encrypt the entire device to protect all data.

Download updates and apps only from trusted sources.

Use a firewall to protect against network attacks.

Regardless of the device used, policies and procedures must be followed to help keep devices and the network secure. Before mobile devices, many organizations had full control over all their devices. Recently, the Bring Your Own Device (BYOD) policy has become more common. With BYOD, users are able to use their own devices in the organization and on the network. They are kept secure through central administration. Different levels of control are used to protect any company data.

To help administer policy and provide control over BYOD assets, many organizations implement profile security requirements. The profile is a file that describes a type of user or device. It contains security settings and other configuration information for the BYOD assets. These profiles can be applied to a user, a group, or the devices themselves.

Data Destruction and Disposal Methods

At some point, data storage devices reach their end of life or are upgraded in favor of more or faster storage. Data storage devices must be either destroyed or recycled. Because the data on these drives might be personal, private, or privileged, drives must be destroyed or recycled properly. There are many ways to destroy a data storage device:

Shredder—This applies to paper because it is a data storage device. Always shred documents or hire a secure shredding service. Optical media can also be shredded.

Incineration—Paper can be burned instead of or after shredding, and drives can be melted down.

Drill—A drive that has been filled with holes from a drill is unreadable.

Hammer—Like a drill, a hammer can destroy a drive and prevent it from being read.

Electromagnetic (degaussing)—For a hard disk drive, this method completely destroys all data on the magnetic platters.

Because of the sensitive nature of the data stored on data drives, some organizations implement a policy where they require a certificate of destruction as proof that the device has been completely destroyed. This certificate is provided by a secure facility that performs the service.

When a data storage device is in good condition, it can be recycled for use by the organization or someone else. If it will be used by someone else, the data must be removed and unrecoverable. The three ways to remove the data from the drive are as follows:

Format—A regular format using the OS will not remove all data from the drive. A low-level format must be performed using third-party software, or in some cases, using the BIOS/UEFI. The low-level format writes zeros to the entire drive.

Overwrite—This method writes over the data on the drive one or more times using random bits or a pattern of bits.

Drive wipe—This will not only overwrite the data on the drive, but also will wipe all the empty space that may have files that have been deleted but not overwritten.

Study Resources

For today’s exam topics, refer to the following resources for more study.

Check Your Understanding

Refer to the Digital Study Guide to take a quiz covering the content of this day.
