Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.7. Apply workstation security options and hardening techniques. (Obj. 2.7)

💡 First Principle: Hardening a workstation involves applying layers of security controls to reduce its attack surface.

A default installation of an operating system is not optimized for security; it's optimized for ease of use. Hardening is the process of methodically configuring a system to be more secure, thereby reducing its attack surface (the number of potential vulnerabilities an attacker could exploit). This is a proactive measure that should be part of the standard setup process for any new computer, especially in a corporate environment.

Key hardening techniques include:

  • Password Policies: Don't rely on users to choose strong passwords; enforce strength through policy. Through Local Security Policy (secpol.msc) or Group Policy (in a domain), you can mandate password requirements:
    • Minimum Length: At least 8 characters, but 12-14 is much better.
    • Complexity: Require the use of uppercase letters, lowercase letters, numbers, and symbols.
    • History: Prevent users from reusing their last 5 (or more) passwords.
    • Age: Force users to change their password every 60 or 90 days.
  • Account Management: The principle of least privilege is paramount.
    • Standard vs. Administrator: Users should always run with a Standard User account for their daily work. They should only use an Administrator account when required to install software or change system settings.
    • Disable Guest Account: The built-in Guest account should always be disabled as it's a potential security risk.
    • Account Lockout: Configure a policy to automatically lock an account (e.g., for 15 minutes) after a certain number of failed login attempts (e.g., 5). This helps thwart brute-force password guessing attacks.
  • Physical and System Access:
    • Screen Lock: Configure the screen saver to require a password upon resume and set the timeout to a short interval (e.g., 10 minutes) of inactivity. This prevents unauthorized access if a user walks away from their unlocked computer.
    • Disable AutoRun: Prevent the automatic running of content from USB drives, which has historically been a major vector for malware.
    • Disable Unused Services: Every running service is a potential entry point. If a service (like remote registry or faxing) isn't needed for business purposes, disable it in the services.msc console.
  • Patch Management: The single most important hardening technique is to ensure the operating system and all installed applications are kept fully up to date with the latest security patches.

Technician's Action Plan:

Scenario: Your company is rolling out a new "base image" for all standard employee laptops. You are tasked with creating the hardening checklist that will be applied to the master image before it is deployed.

  1. Create a Policy Document: Start a new document titled "Workstation Hardening Standard."
  2. Define Password Policy: In the document, specify that the Local Security Policy will be configured to enforce a minimum password length of 12 characters, require complexity, remember the last 10 passwords, and have a maximum age of 90 days. Also, specify an account lockout threshold of 5 invalid attempts.
  3. Define Account Configuration: State that the default user account will be a "Standard User." The built-in "Administrator" account will be renamed and given a very strong, unique password. The "Guest" account will be verified as disabled.
  4. Define System Settings: Add checklist items to:
    • Configure the screen saver to activate after 10 minutes of inactivity and require a password to unlock.
    • Disable AutoRun/AutoPlay via Group Policy.
    • Review the default list of running services and create a list of non-essential services (e.g., "Fax", "Remote Registry") to be set to "Disabled".
  5. Define Software Policy: Include a step to remove any unnecessary pre-installed software ("bloatware"). Mandate that Windows Update is configured to automatically download and install updates.
  6. Review and Deploy: Have the checklist reviewed by a senior technician or manager. Once approved, methodically apply every setting to your master machine before creating the final image for deployment.
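
One way to verify the master image against the values in steps 2 through 4 before imaging, as an added example that is not part of the original study guide: a PowerShell audit that reads the local policy through secedit /export plus the registry and service settings. It assumes an elevated Windows PowerShell 5.1 prompt, the standard Group Policy registry locations for AutoPlay and the screen saver, and that the services named above are RemoteRegistry and Fax; the scratch file name is arbitrary.

```powershell
# Added example: audits a master image against the checklist values above.
# Run from an elevated prompt; secedit /export needs administrator rights.
$inf = Join-Path $env:TEMP 'hardening-audit.inf'   # scratch file, name is arbitrary
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed; run this from an elevated prompt.' }

# Collect the "Key = Value" lines of the export into a hashtable.
$pol = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(\w+)\s*=\s*(.*)$') { $pol[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $inf

# Registry values written by the AutoPlay and screen saver Group Policy settings.
# The screen saver policy is per-user, so HKCU reflects the account running the audit.
$explorer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
$desktop  = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue

# Checklist services that are installed but not set to Disabled.
$stillEnabled = Get-Service -Name RemoteRegistry, Fax -ErrorAction SilentlyContinue |
    Where-Object { $_.StartType -ne 'Disabled' }

# Numeric checks treat the checklist values as minimums (stricter settings pass).
$checks = [ordered]@{
    'Minimum password length >= 12'   = [int]$pol.MinimumPasswordLength -ge 12
    'Password complexity required'    = $pol.PasswordComplexity -eq '1'
    'Password history >= 10'          = [int]$pol.PasswordHistorySize -ge 10
    # -1 means passwords never expire, so a lower bound is needed as well.
    'Maximum password age 1-90 days'  = [int]$pol.MaximumPasswordAge -in 1..90
    # 0 means accounts are never locked out.
    'Lockout after <= 5 bad attempts' = [int]$pol.LockoutBadCount -in 1..5
    'Guest account disabled'          = $pol.EnableGuestAccount -eq '0'
    'AutoRun off for all drive types' = $explorer.NoDriveTypeAutoRun -eq 255
    # ScreenSaveTimeOut is stored in seconds; 600 = 10 minutes.
    'Screen saver <= 10 min, locked'  = ($desktop.ScreenSaverIsSecure -eq '1') -and
                                        ([int]$desktop.ScreenSaveTimeOut -in 1..600)
    'Fax/RemoteRegistry disabled'     = -not $stillEnabled
}

# One PASS/FAIL row per checklist item.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Result = $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
} | Format-Table -AutoSize
```

A missing key or registry value evaluates as a failure, so an image where a setting was never configured is reported the same way as one where it was set too loosely.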

Reflection Question: Why is disabling unused services on a workstation considered a security hardening technique?