2.6 Configuring a Workstation to Meet Best Practices for Security

COMPTIA A+ CORE 2 - DOMAIN 2

Cyber Wizard


This article provides an in-depth guide on securing workstations by implementing encryption, enforcing password policies, managing user accounts, and applying system security settings, as required for the CompTIA A+ exam.

CompTIA A+ Exam Domain: Domain 2.6 - Given a scenario, configure a workstation to meet best practices for security.

Data-at-Rest Encryption

Encryption protects sensitive data stored on a workstation from unauthorized access.

  • BitLocker: Full-disk encryption available in Windows Pro and Enterprise editions. Requires TPM (Trusted Platform Module) or a USB startup key.

  • BitLocker To Go: Encrypts external drives such as USB flash drives to prevent unauthorized access.

  • Encrypting File System (EFS): Encrypts specific files and folders on NTFS volumes, allowing only authorized users to decrypt them.

  • Third-party encryption tools: VeraCrypt, AxCrypt, and FileVault (macOS) provide alternative encryption solutions.

  • Hardware-based encryption: Many SSDs support built-in encryption, reducing performance impact compared to software-based encryption.
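The following script is an added example, not part of the original article: it checks a workstation's data-at-rest encryption state and, if the OS volume is unprotected, enables BitLocker with a TPM protector plus a recovery password. It assumes an elevated PowerShell session on Windows Pro or Enterprise with the BitLocker module available.

```powershell
# Added example: report and enable BitLocker on the OS volume; list unprotected data volumes.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive          # normally "C:"

# A TPM protector only makes sense when the TPM is present and initialised.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM not present/ready: BitLocker would need a USB startup key or password protector instead."
}

$vol = Get-BitLockerVolume -MountPoint $osDrive
"{0} VolumeStatus={1} ProtectionStatus={2} Method={3}" -f `
    $osDrive, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

if ($vol.ProtectionStatus -eq 'Off') {
    # Add the recovery password first so the volume is never recoverable only through the TPM.
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    # XTS-AES 256, used-space-only for a fast initial pass; -SkipHardwareTest avoids the
    # reboot-and-test prompt so encryption starts immediately in this example.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                     -TpmProtector -SkipHardwareTest
}

# Show the recovery password so it can be escrowed (Active Directory, Intune, or a vault).
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# Fixed and removable data volumes (BitLocker To Go) that are still unencrypted.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -eq 'Off' } |
    Select-Object MountPoint, VolumeType, ProtectionStatus
```

The recovery password printed here should be stored outside the workstation before the first reboot, since a TPM-only protector gives no way back in after a firmware or board change.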

Password Best Practices

Strong password policies reduce the risk of unauthorized access due to credential theft.

Complexity Requirements

  • Minimum Length: At least 12-16 characters.

  • Composition: Must contain a mix of:

    • Uppercase and lowercase letters

    • Numbers (0-9)

    • Special characters (@, #, $, etc.)

  • Avoid common words and patterns.

  • Use passphrases for enhanced security (e.g., "MyDogLoves$ummer2023!").

Expiration Requirements

  • Rotate passwords every 90 days for critical accounts.

  • Prevent reuse of previous passwords by maintaining password history.

  • Encourage multi-factor authentication (MFA) instead of frequent password changes.
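As an added example (not from the article), the script below applies the length, age, history and lockout baseline described above on a standalone Windows workstation and then reads the effective policy back; it also covers the account-lockout item under Account Management. It assumes an elevated PowerShell session and English "net accounts" output; domain-joined machines receive these values from Group Policy instead.

```powershell
# Added example: set and verify the local password/lockout policy.
#Requires -RunAsAdministrator

# Length, age, history and lockout are switches of the built-in "net accounts" tool.
net accounts /minpwlen:12 /maxpwage:90 /minpwage:1 /uniquepw:24 `
             /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# Complexity (upper/lower/digit/symbol mix) is not a "net accounts" switch; it lives
# in the security template, so export it, set PasswordComplexity = 1, and re-import.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
$db  = Join-Path $env:TEMP 'secpol.sdb'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
(Get-Content $cfg) -replace '^PasswordComplexity\s*=.*', 'PasswordComplexity = 1' |
    Set-Content $cfg -Encoding Unicode          # secedit expects a Unicode template
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# Parse "net accounts" output ("Label:   value") into a hashtable.
$effective = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^(.+?):\s+(\S+)') { $effective[$matches[1].Trim()] = $matches[2] }
}

# Compare against the guide's baseline. Non-numeric values such as "Never" or
# "Unlimited" mean the control is switched off and are reported as WEAK.
$checks = @(
    @{ Name = 'Minimum password length';               Want = 12; AtLeast = $true  },
    @{ Name = 'Maximum password age (days)';           Want = 90; AtLeast = $false },
    @{ Name = 'Length of password history maintained'; Want = 24; AtLeast = $true  },
    @{ Name = 'Lockout threshold';                     Want = 5;  AtLeast = $false }
)
foreach ($c in $checks) {
    $raw = $effective[$c.Name]
    $ok  = ($raw -match '^\d+$') -and
           $(if ($c.AtLeast) { [int]$raw -ge $c.Want } else { [int]$raw -le $c.Want })
    "{0,-42} {1,-10} {2}" -f $c.Name, $raw, $(if ($ok) { 'OK' } else { 'WEAK' })
}
```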

BIOS/UEFI Passwords

  • Supervisor/Admin Password: Prevents unauthorized changes to BIOS/UEFI firmware settings.

  • User Password: Required to boot the system, adding an extra security layer.

  • Drive Lock Password: Encrypts the drive at the firmware level, preventing unauthorized access if the drive is removed from the system.

End-User Best Practices

End users play a critical role in maintaining workstation security.

Secure Workstation Usage

  • Use automatic screensaver locks to prevent unauthorized access.

  • Log off or lock the screen when stepping away from a workstation.

  • Secure laptops and mobile devices by using:

    • Cable locks in shared environments.

    • Tracking and remote wipe tools like Microsoft Intune or Apple’s Find My Mac.

Securing Personally Identifiable Information (PII) and Passwords

  • Never write down passwords or store them in plaintext.

  • Use password managers such as Bitwarden, LastPass, or KeePass to securely store credentials.

  • Encrypt sensitive documents containing PII, financial records, or proprietary business information.

  • Enable Data Loss Prevention (DLP) policies to restrict unauthorized sharing of sensitive data.

Account Management

Proper user management minimizes security risks and enforces access control.

User Access Control

  • Restrict user permissions to enforce least privilege principles.

  • Restrict login times to limit access outside business hours.

  • Disable guest accounts to prevent unauthorized workstation access.

  • Enable account lockout policies after multiple failed login attempts.

  • Implement screen timeouts to automatically lock idle workstations.

Change Default Administrator Account and Password

  • Rename the built-in Administrator account to prevent targeted attacks.

  • Assign a strong, unique password to administrative accounts.

  • Create a separate admin account for performing privileged tasks instead of using a general user account with elevated access.
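The script below is an added example, not the article's own: it carries out the account-management steps above on a standalone Windows workstation (disable Guest, rename the built-in Administrator found by its well-known RID 500, restrict a standard user's logon hours, and create a separate admin account). "LocalMaint", "AdminSvc" and "jdoe" are placeholder names chosen for this example, and "jdoe" is assumed to already exist.

```powershell
# Added example: local account hardening on a non-domain Windows workstation.
#Requires -RunAsAdministrator

# 1. Guest is a built-in account: disable it rather than delete it.
Disable-LocalUser -Name 'Guest'

# 2. The built-in Administrator keeps a SID ending in -500 even after a rename,
#    so locate it by SID instead of trusting the name.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin.Name -eq 'Administrator') {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName 'LocalMaint'   # placeholder name
}
# Keep it disabled for day-to-day work; the dedicated admin account below is used instead.
Disable-LocalUser -SID $builtinAdmin.SID

# 3. Separate admin account; the password is prompted for, never hard-coded in a script.
if (-not (Get-LocalUser -Name 'AdminSvc' -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString 'Password for AdminSvc (16+ characters)'
    New-LocalUser -Name 'AdminSvc' -Password $pw -Description 'Privileged tasks only' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member 'AdminSvc'
}

# 4. Limit a standard user to business hours ("net user" is still the tool for logon times).
net user jdoe /times:M-F,8am-6pm | Out-Null

# Review: every enabled member of Administrators should be a deliberate decision.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
Get-LocalUser | Select-Object Name, Enabled, @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } }
```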

System Security Configurations

Hardening system settings improves workstation resilience against malware and unauthorized access.

Disable AutoRun and AutoPlay

  • AutoRun: Disabling it prevents removable media from automatically executing scripts or programs when connected.

    • Configure via Group Policy Editor: Computer Configuration → Administrative Templates → System → Turn off AutoRun.

  • AutoPlay: Disabling it prevents media from being opened or executed automatically upon insertion.

    • Configure via Control Panel → AutoPlay settings.
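As an added example that is not part of the original article, the script below sets the registry values that the Group Policy and Control Panel settings above write, then verifies them. It assumes an elevated PowerShell session; the HKLM values are machine policy for every user, while the HKCU value mirrors the Control Panel toggle for the current user only.

```powershell
# Added example: disable AutoRun (machine policy) and AutoPlay (current user), then verify.
#Requires -RunAsAdministrator

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$user   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

$wanted = @(
    # NoDriveTypeAutoRun 0xFF: AutoRun off for every drive type ("All drives" in the policy).
    @{ Path = $policy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF },
    # NoAutorun 1: never execute autorun.inf commands ("Do not execute any autorun commands").
    @{ Path = $policy; Name = 'NoAutorun';          Value = 1    },
    # DisableAutoplay 1: "Use AutoPlay for all media and devices" unticked for this user.
    @{ Path = $user;   Name = 'DisableAutoplay';    Value = 1    }
)

foreach ($w in $wanted) {
    if (-not (Test-Path $w.Path)) { New-Item -Path $w.Path -Force | Out-Null }
    New-ItemProperty -Path $w.Path -Name $w.Name -PropertyType DWord -Value $w.Value -Force | Out-Null
}

# Verification pass: print each value and whether it matches the hardened setting.
foreach ($w in $wanted) {
    $have  = (Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
    $state = if ($have -eq $w.Value) { 'OK' } else { 'NOT SET' }
    "{0,-20} have={1,-4} want={2,-4} {3}" -f $w.Name, $have, $w.Value, $state
}
```

Explorer reads these values at sign-in, so sign out and back in (or restart Explorer) before testing with a USB drive.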

Enable Windows Defender and Firewall

  • Windows Defender Antivirus: Ensures real-time protection against malware.

  • Windows Defender Firewall: Blocks unauthorized network traffic and applications.

  • Application Control: Uses Windows Defender Application Guard to isolate untrusted applications.

Enable Security Logging and Auditing

  • Use Event Viewer (eventvwr.msc) to monitor login attempts and security incidents.

  • Enable audit policies to track unauthorized access attempts.
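The following added example (not from the article) covers both the "Enable Windows Defender and Firewall" and "Enable Security Logging and Auditing" items: it verifies Defender and the firewall profiles, turns on logon auditing, and summarises failed logons (Security event 4625) from the last 24 hours. It assumes an elevated PowerShell session on a Windows client with the Defender and NetSecurity modules present.

```powershell
# Added example: verify Defender/firewall, enable logon auditing, summarise failed logons.
#Requires -RunAsAdministrator

# Defender: real-time protection must be on and signatures recent.
$mp = Get-MpComputerStatus
"Defender real-time: {0}  signatures {1:N0} day(s) old" -f $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureAge
if (-not $mp.RealTimeProtectionEnabled) { Set-MpPreference -DisableRealtimeMonitoring $false }

# Firewall: all three profiles enabled with inbound blocked by default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Audit policy: record both successful and failed logons plus lockouts (auditpol is the CLI).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Account Lockout" /failure:enable | Out-Null
auditpol /get /category:"Logon/Logoff"

# Failed logons in the last 24 hours, grouped by target account and source address.
# Field names are taken from the event's EventData XML rather than positional indexes.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ User = $d.TargetUserName; Source = $d.IpAddress; Time = $_.TimeCreated }
    } |
    Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

A cluster of 4625 events for one account from one source, repeated just under the lockout threshold, is the pattern the lockout policy and this query are meant to surface.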

Keep Workstation Software Updated

  • Enable automatic updates for Windows and applications.

  • Patch vulnerabilities by regularly updating drivers and firmware.

  • Use endpoint management solutions to enforce update policies across multiple workstations.

Final Thoughts

Configuring a workstation with security best practices reduces the risk of unauthorized access, data breaches, and malware infections. The CompTIA A+ exam evaluates knowledge of encryption, password policies, account management, and system hardening techniques to prepare IT professionals for securing enterprise environments effectively.