Patch Management
Patching is the most impactful security action for workstations — most malware exploits known vulnerabilities for which patches are already available.
Patch types: security patches (critical, most urgent), bug fixes, feature updates.
Windows patching: Windows Update, or WSUS in the enterprise.
Prioritize: Critical and Important severity patches — apply within 48–72 hours. Other severities: apply within scheduled maintenance windows.
Third-party application patching: browsers, Java, Adobe Reader, and Office are frequently targeted. Windows Update handles some drivers and Microsoft software only.
Third-party tools: WSUS doesn't patch non-Microsoft software. Use PDQ Deploy, ManageEngine Patch Manager, Ivanti, or the individual vendors' update mechanisms.
Patch testing: test patches in a lab or pilot group before deploying to production — especially OS feature updates.
Rollback plan: know how to remove a patch that causes problems (Programs and Features → View installed updates).
Endpoint Protection
Endpoint protection = antivirus + additional capabilities.
Traditional antivirus detects known signatures. Modern EDR (Endpoint Detection and Response) adds behavior analysis, memory scanning, process monitoring, and incident response capabilities. Examples: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne.
Windows built-in: Microsoft Defender Antivirus provides solid protection for consumers and small businesses. For enterprise, Defender for Endpoint adds EDR capabilities.
Key endpoint protection features: real-time scanning (scans files as they are accessed), scheduled scans, quarantine (isolates detected threats), behavioral detection (catches unknown threats by their behavior), network protection (blocks malicious domains and IP addresses), Controlled Folder Access (ransomware protection).
Keep definitions updated — updates should occur automatically. Set the definition update frequency to at least daily.
Host-Based Firewall
Host-based firewall: a software firewall running on the individual workstation (as opposed to a network firewall at the perimeter).
Windows Defender Firewall: enabled by default; it should remain enabled even when behind a network firewall.
Defense in depth: perimeter firewall + host firewall prevents lateral movement if one computer is compromised. The host firewall protects against threats originating on the local network (insider threats, malware on another PC).
Configuration: enable for all network profiles (Domain, Private, Public). Block all inbound traffic unless a specific rule allows it. Allow exceptions only for necessary services and applications. Verify via Windows Security → Firewall & network protection. Group Policy can enforce firewall settings centrally.
Linux: ufw (Uncomplicated Firewall) or iptables. macOS: System Preferences → Security & Privacy → Firewall.
Workstation Hardening
Hardening reduces the attack surface of a workstation. Key hardening steps:
Remove unnecessary software: every installed application is potential attack surface. Uninstall unused programs (Control Panel → Programs and Features).
Disable unnecessary services: open services.msc and disable services that are not needed (Remote Registry, Telnet, Print Spooler if not printing, etc.).
Disable unused physical ports: block them physically or disable them in BIOS/UEFI settings.
Disable AutoPlay/AutoRun: Control Panel → AutoPlay — prevents auto-execution of malware from USB drives.
Use standard user accounts for daily work — use admin accounts only when needed.
Enable screen lock: lock automatically after a period of inactivity.
Full-disk encryption (BitLocker): protects data if the device is stolen.
Disable unused network protocols: remove file and print sharing (SMB) if not needed.
Secure Boot: a BIOS/UEFI setting that prevents booting from an unauthorized OS or media.
Security Baselines
Security baseline: a documented set of security settings that all workstations in an organization should meet. Purpose: consistency, compliance, easier auditing, and reduced attack surface.
Sources: CIS Benchmarks (Center for Internet Security) — free, detailed hardening guides for Windows, macOS, Linux, browsers, and servers. Microsoft Security Baselines — Group Policy settings for Windows. NIST SP 800-70 — National Checklist Program for product security checklists.
Implementing baselines via Group Policy: import security templates or configure the settings in Group Policy directly.
Compliance scanning: tools like Microsoft Security Compliance Toolkit, OpenSCAP, and Nessus audit workstations against defined baselines.
Deviation management: document exceptions to the baseline with a business justification.
Continuous monitoring: periodically re-assess workstations for drift from the baseline.
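As an added example (not from the page or any vendor tool), the PowerShell script below turns several of the settings covered above (host firewall, Defender, patch recency, services, AutoRun, BitLocker, Secure Boot) into a simple drift check a workstation can run on a schedule. It assumes Windows 10/11 with the Defender, NetSecurity and BitLocker modules, an elevated prompt, and the 1-day signature and 30-day hotfix thresholds are assumptions of this example, not vendor-mandated values.

```powershell
# Added example: workstation baseline drift check (not from the page or any vendor tool).
# Assumes Windows 10/11, elevated prompt; thresholds below are example assumptions.
$results = New-Object System.Collections.Generic.List[object]
function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Status = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}

# Host firewall: every profile enabled and blocking inbound by default
foreach ($p in Get-NetFirewallProfile) {
    Add-Check "Firewall profile $($p.Name)" ($p.Enabled -eq 'True' -and $p.DefaultInboundAction -eq 'Block') "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# Endpoint protection: real-time scanning on, definitions fresh, Controlled Folder Access on
$mp = Get-MpComputerStatus
Add-Check 'Defender real-time protection' $mp.RealTimeProtectionEnabled "Enabled=$($mp.RealTimeProtectionEnabled)"
Add-Check 'Defender signatures <= 1 day old' ($mp.AntivirusSignatureAge -le 1) "AgeDays=$($mp.AntivirusSignatureAge)"
$cfa = (Get-MpPreference).EnableControlledFolderAccess
Add-Check 'Controlled Folder Access enabled' ($cfa -eq 1) "Mode=$cfa"

# Patch management: most recent installed update should be recent (30 days is an assumed threshold)
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { 9999 }
Add-Check 'Hotfix installed within 30 days' ($age -le 30) "DaysSinceLastHotfix=$age"

# Hardening: unnecessary services disabled, AutoRun off, BitLocker on, Secure Boot on
foreach ($svc in 'RemoteRegistry', 'Spooler') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Check "Service $svc disabled" ($null -eq $s -or $s.StartType -eq 'Disabled') "StartType=$($s.StartType)"
}
# NoDriveTypeAutoRun = 0xFF (255) disables AutoRun on all drive types
$autorun = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Check 'AutoRun disabled for all drive types' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"
try { $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { $bl = $null }
Add-Check 'BitLocker protecting system drive' ($bl -and $bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus)"
try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }   # throws on legacy BIOS systems
Add-Check 'Secure Boot enabled' $sb "SecureBoot=$sb"

$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or management tool flag the host as drifted from baseline
exit ([int]((($results | Where-Object Status -eq 'FAIL').Count) -gt 0))
```

Any FAIL row is a deviation to either remediate or record under deviation management with its business justification.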