Security Best Practices

Video Transcription
00:00
Hi. Welcome back to Domain 3. We're still looking at security in Domain 3 and specifically in this module 3.2,
00:09
we're going to be looking at using security best practices.
00:12
So this will include password management. We'll look at how to choose good passwords and how to enforce policies that make your users choose good passwords.
00:23
We'll also look at the concept of device hardening.
00:26
This is where your device is made less vulnerable to attack in a variety of ways.
00:32
We're going to have a look at WiFi
00:35
and security related to wireless networks, and we're going to look at something called multi-factor authentication.
00:44
So as far as password management goes,
00:49
let's talk first about the concept of simple and complex passwords.
00:55
A simple password is considered to be one that just uses, say, lower case alphabetic characters or only uppercase alphabetic characters.
01:03
The problem with this type of password is it's very susceptible to different types of attacks to try and figure out what the password is.
01:11
For example, a brute force attack just tries every possible combination of characters,
01:15
So if you have a lower case password,
01:19
then they just try every possible combination of lower case characters.
01:23
A dictionary attack, on the other hand, is based on trying words in the dictionary.
01:30
So therefore,
01:30
you should not be using passwords which are made up of words in the English language, for example, words that are found in the dictionary.
01:40
A complex password is one that uses a mixture of lower case characters, uppercase characters, numbers and non-alphanumeric characters, such as an exclamation point, a period, a bracket and so on.
01:57
Also, the other alternative, if you don't like complex passwords that can be hard to remember, is to use very long passwords.
02:06
Now you might think a very long password is also going to be hard to remember. But remember, you can choose a phrase.
02:13
So, for example, your password could be my very, very, very long password.
02:19
And to make it a bit more complex, you could, for example, make one of the letters in the middle of a word, like the O in long, uppercase,
02:28
and that kind of password is also extremely difficult to crack because it's very long
02:32
and it takes a long time to cycle through all possible combinations of a very long password.
02:42
Now, how quickly can your password be attacked? So here's an interesting website that I often use during my courses when I'm demonstrating this.
02:50
So here what this does is it makes the following assumption.
02:53
It assumes that somebody
02:57
is able to try a 1,000,000 passwords a second. Now there are automated tools that can try that. And so if someone is trying a 1,000,000 passwords a second,
03:08
how long would it take them to cycle through all possible combinations?
03:13
So let's start off by doing this.
03:15
We're going to enter a five character, lower case password.
03:22
Now, if you look at this, it's telling me the following.
03:24
It's saying,
03:25
if
03:28
a 1,000,000 passwords are tried a second
03:30
and your password was lower case, five characters,
03:34
it would take just over 11 seconds to cycle through all possible combinations of five characters, lower case.
03:43
Now let's change it slightly.
03:46
So now I'm going to add a number.
03:51
Already my password is starting to get complex. It is six characters long now, and one of those characters is a number, and you can see that the time taken to cycle through all possible combinations has now jumped to over 2000 seconds.
04:09
Now let's add a non-alphanumeric character to it, the hash character.
04:14
And now we see that to cycle through all possible combinations of seven characters, which includes lower case letters, numbers and non-alphanumeric characters, it would take over 86 days to cycle through all possible combinations,
04:31
and that's if you were able to try a 1,000,000 a second.
04:34
Finally,
04:36
let's do this. Let's add an uppercase character.
04:40
So now this is truly a complex password. It has lower case, uppercase, numbers and non-alphanumeric characters. And now you can see it would take 210 years
04:51
trying a 1,000,000 passwords a second
04:55
to cycle through all possible combinations in order to try and figure out what your password is.
05:00
So there, you know, you can see the benefits of longer passwords and complex passwords as far as keeping them secure from hacking attempts where people are trying to guess your password, that is, brute force attacks.
05:18
Let's talk about default passwords
05:21
so some systems have default passwords. For example, your home router that connects you to the Internet.
05:30
It probably came with the default administrator account and password.
05:33
You should always change these passwords because if somebody is trying to attack your network from the Internet
05:42
and they can see your home router,
05:45
one of the first things they're going to try is to log on with the default admin account.
05:49
And if you have not changed the default password,
05:53
they probably will get in extremely quickly. And remember, once they log into your home router as an administrator, they can remove all the security that is in place to protect you from the Internet.
06:06
What else? Password expiration
06:10
So a password expiration policy regularly requires users to choose a new password.
06:15
In Windows, by default, the password expiration is 42 days.
06:20
The setting is called Maximum Password Age.
06:25
So with this
06:27
every 42 days, users are prompted to choose a new password.
06:31
Now, why do we want to do that
06:33
for a couple of reasons? Firstly, it reduces the amount of time
06:39
in which a hacker can try and figure out your password. If you're changing it every 42 days, for example,
06:45
they only have 42 days to try and figure out what your password is.
06:48
And
06:49
if they have actually figured out what your password is, this then reduces the time window in which they can use that.
06:57
So
06:58
let's say they figure out your password 20 days after you just changed your password.
07:02
Well, okay, so they've got your password, and they can try and log in to the network using that,
07:08
but only for another 22 days. Because at that point you'll be prompted. You will choose a new password, and they no longer know what your password is.
07:18
This is configured through a setting called password history, which we'll have a look at in a moment.
07:27
Now let's look at how we can enforce the password settings that we want on our users
07:33
In Windows, there is something called the local security policy of the computer.
07:40
Now, just bear in mind this: if you are part of a Windows domain, which allows for centralized management, and that's typically the case in a corporate network,
07:47
these settings are controlled centrally,
07:50
but at home, where you don't have a Windows domain established, each individual computer has its own security policy,
07:58
so within the security policy, you will find password policy.
08:01
So let's have a look at some of the settings you can configure.
08:07
Firstly, enforce password history.
08:11
When a user chooses a new password, she's not allowed to choose one that has been used in the last X number of times. X is a value that you set. So if you set it to 10, for example,
08:22
then every time a user changes her password, she cannot use one of the last 10 that she has used. In other words, Windows remembers the last 10 passwords that that user has used.
08:37
Maximum password age. This is how frequently passwords expire.
08:41
So by default in Windows, this is set to 42 days, after which you are prompted to choose a new password.
08:52
Minimum password age.
08:54
This indicates the number of days you have to wait before you can change your password after you change it.
09:00
In other words, if I changed my password today,
09:03
can I change it again and again and again? Or do I have to wait a day or do I have to wait 10 days and so on?
09:11
So why have a minimum password age well, its main purpose is to prevent people circumventing the password history setting.
09:20
Remember, Password History says. For example, when you change your password, you cannot change it back to one that you've used say the last 10 times.
09:28
Well, a clever user could do this.
09:31
When it's time to change her password, she could say, OK, I want to go back to my favorite password, but it won't let me.
09:37
So what I'm gonna do is change my password 10 times immediately, one after the other.
09:41
And then once she's gone through 10 different passwords, she can go back to her favorite password.
09:48
This setting prevents that because with this setting, say, set to one day,
09:52
what happens if she changes her password?
09:54
Then she has to wait at least a day before she can change it again.
09:58
She would have to change her password every day for 10 days before she could get back to her favorite password.
10:09
The minimum length of the password can be set,
10:13
so this simply does what it says. It says your password must be this many characters long.
10:18
Um, just be aware that you can set it to zero, and if you set it to zero, that means the accounts are allowed to have blank passwords, which is, of course, a huge security issue if passwords are not required for users to log in.
10:39
And what about making sure users do choose complex passwords and not simple passwords?
10:45
As we saw in the previous section, simple passwords are relatively easy to crack,
10:50
so there is a setting called Password must meet complexity requirements. Now what this actually requires in Windows is that you have at least three of the
11:00
following four,
11:01
um, things within your password.
11:03
You must have lower case characters, uppercase characters, numbers, and non-alphanumeric characters. So there's four different types of characters, but you have to have three of those four within your password.
11:20
related to password policy is account lockout policy. So let's have a look at this.
11:26
The idea behind account lockout, which, as you can see, is also configured in the local security policy of the machine.
11:33
Account lockout policy says this. If there are a certain number of failed logon attempts within a certain amount of time, the account becomes locked,
11:43
and this effectively blocks brute force attacks because, remember when we looked at that website, we saw that
11:48
if you are able to try a 1,000,000 password the second,
11:52
how quickly you could cycle through all possible combinations of a five character password.
11:58
But what if we slowed you down? Instead of being able to try 1,000,000 a second,
12:01
what if we said you could only try five passwords every 30 minutes?
12:05
Well, then it would take you probably till the end of time to cycle through all possible combinations.
12:11
So that's what account lockout policy is about. So let's have a look at its settings.
12:16
Firstly, you can indicate how many invalid logon attempts will actually trigger the lockout. So in this case, it's set to five failed logon attempts.
12:26
But you can also say this
12:28
those five attempts have to have happened within 30 minutes in order for the account to become locked.
12:33
In other words, if you mistype your password today and then mistype it again tomorrow, 24 hours later,
12:41
that does not trigger the lockout policy. It's when there are five bad logon attempts within 30 minutes that the lockout policy is triggered,
12:50
and then the lockout duration
12:54
in most organizations, they will set that to something like 30 minutes to say. Okay, fine. Account becomes locked. It will automatically unlock itself after this amount of time.
13:03
If you change this setting to zero, it doesn't quite have the meaning. You might think it doesn't mean that the lockout duration is zero. It means the account lockout becomes indefinite, That is, until an administrator goes into unlock it.
13:18
The idea here is the administrator can investigate why the account became locked. Was it something innocent like the user forgetting her password?
13:26
Or was it something more insidious, like somebody else was trying to log into her account
13:35
the concept of single sign on
13:37
in early computer networks. Every computer had its own set of user accounts. Now that was true, for example, of Novell Netware.
13:46
When I first learned networking, we used to use Novell NetWare on the servers, and in the early versions of NetWare, every server required its own set of user accounts. So if I needed a user to be able to log on to several different servers, I had to create an account for them on each of the servers,
14:03
and you can imagine. As your network grows and you end up possibly with hundreds of servers, this becomes a real chore.
14:09
So
14:11
what happened is Microsoft released
14:13
the concept of Windows domains.
14:16
A Windows domain is a collection of users and computers that are managed centrally.
14:22
A domain user account allows the user to log on from virtually any computer in the domain and to access resources on other computers, but without having to log on again and again and again.
14:33
Essentially, when you log on your logging onto the entire domain
14:37
and the Windows domain can include, you know, just a handful of computers five or six
14:41
or it could contain hundreds or even thousands of computers.
14:48
So this makes
14:48
logging onto the network really easy.
14:52
You log on once using your domain account, and then you can potentially access anything on the network that you have permissions for.
15:01
This single sign on concept is also being tried on the Internet.
15:03
Currently, organizations that are big on the Internet, such as Facebook and Google and Microsoft
15:11
are trying to become the default identity provider for the Internet. In other words, they wanted to be so that when you go into the Internet.
15:18
You use your
15:20
Facebook or your Google account to log in at every Web site, and you might have seen this some websites. When you go to them these days,
15:28
they either ask you to create an account
15:31
or to use your Google account or your Facebook account.
15:33
And in that way,
15:35
they're not doing the authentication themselves when you log in.
15:39
They pass that on, outsource it if you like, to one of these big providers, like Facebook or Google,
15:46
so they become the identity provider for that website.
15:50
The problem with this is: although it's highly convenient that a single account logs onto multiple websites,
15:58
it's also highly dangerous.
16:00
Imagine what would happen if somebody discovered your log on credentials.
16:04
Now they can log in not just to one website, but maybe tens, maybe hundreds of websites across the Internet using that account.
16:12
So once again, this convenience comes at the cost of security.
16:19
Now let's look at the concept of device hardening
16:25
Device hardening refers to locking down computing devices to reduce the attack surface.
16:30
We'll talk about that concept and then how it's implemented.
16:34
So what is reducing the attack surface that means removing or reducing the number of ways somebody could attack your computer.
16:42
If you have lots of things installed, lots of services running, lots of applications running and so on,
16:48
An attacker could try and compromise any one of those, and if they can successfully attack it, they may be able to gain access to your computer,
16:56
so reducing the attack surface means removing everything that is unnecessary from a system.
17:03
For example, you can disable unused features.
17:07
Think about a smartphone or tablet.
17:08
It can not only connect using WiFi, but it can also connect using Bluetooth and it can connect using NFC.
17:15
But if you have no use for Bluetooth or NFC, why not disable those within the device?
17:21
Similarly, operating systems come with lots of additional features and many of these you may not need, so you could disable those.
17:29
You could also remove any unnecessary applications. I, for example, end up accumulating lots of applications because I'm testing them or trying them out and so on
17:38
And so periodically, I go through and remove all the applications that I no longer need or maybe even never use.
17:45
Also, within operating systems, you can disable unneeded services that run in the operating system.
17:52
For example, in Windows, there is a file and printer sharing service.
17:56
Now what this allows you to do is to share folders on your computer so other users can connect to them,
18:02
and share printers so other users on the network and access your printers.
18:07
But if you have no need to do that, why not disable the service?
18:15
Another security feature worth implementing is automatic lockout, so that if you are, for example, not using your computer for a certain amount of time, let's say five minutes or so,
18:26
Then it locks itself,
18:27
and in order to unlock it, you have to sit down and log in and provide your credentials again.
18:33
You could also configure screen savers that will kick in automatically if you're not using your computer for a certain amount of time. In that case, you can also require that to come out of the screen saver and get back to your desktop,
18:48
you have to enter your password again.
18:52
Why do we want to do this? We want to prevent a type of attack sometimes known as a coffee break attack or a lunchtime attack.
19:00
This is where you have logged in
19:02
and you leave yourself logged in as you go off to have a coffee or have lunch.
19:06
Anybody walking past your desk sees that you're logged in. They could just sit down and start using your computer,
19:14
and since you're logged in, they can access all your files.
19:18
So that's not something we want
19:19
to see happening.
19:25
Another security feature you should implement is the host firewall,
19:29
so a firewall is a piece of hardware or software that monitors all network traffic
19:34
passing in and out of a computer.
19:37
It will block certain types of connection attempts unless they have been explicitly allowed.
19:45
Both Windows and OSX have built in firewalls.
19:49
Host firewalls can help to prevent malicious software spreading from device to device around the network.
19:56
There is a type of malware, for example, called a worm.
20:00
And if you get infected by a worm,
20:02
one of the things it does is try to replicate itself across the network to other computers on the network,
20:07
and a firewall could effectively prevent that.
20:12
Let's have a look at configuring the Windows firewall
20:15
to get to the interface to manage it you can click on the start button and then type firewall
20:23
and you'll see there are two options. There is a simple interface, which is just called Windows Firewall.
20:30
And then there's Windows Firewall with Advanced Security.
20:33
So they're both different interfaces to the same tool.
20:37
One is a simplified interface. The other is a much more advanced interface. So for network administrators, the advanced interface is useful for configuring more complex policies for the firewall.
20:53
So here I am, clicking on Start and then typing in firewall.
20:59
So you see on the menu there's Windows Firewall, the Simpler Interface and Windows firewall with Advanced Security.
21:06
If we look at the simple interface tells me what kind of network I'm connected to,
21:11
and on the left hand side, we have some links.
21:15
So this one allows me to turn the firewall on or off for different types of networks, for private and for public networks.
21:25
And then this setting allows me to configure which programs are allowed to communicate
21:32
through the firewall to the network.
21:34
And then there's the advanced interface. In here, administrators can go in and they can run a wizard that creates rules that allow or block certain types of network traffic.
21:56
Another thing you should have running on your computer is anti malware software. Now this is more commonly just known as anti virus. Remember, a virus is just one type of malicious software, so malware is a catchall term, referring to all types of malicious software, including viruses.
22:15
Windows Defender
22:15
is a free anti malware program that comes with Windows,
22:19
and,
22:21
OS X has XProtect.
22:26
You can also get third party anti malware software from companies like Symantec and McAfee.
22:34
One important point about anti malware software is it needs to be kept updated.
22:40
There is something called virus definition file, which is periodically downloaded by the anti malware software,
22:47
and that anti virus definition file describes what different types of malicious software look like. So all the latest malware that's being found
22:56
and how you can spot it and how you remove it,
23:00
all that information is in the definition files.
23:03
Most anti malware software is configured so that before it does a scan of your computer it downloads the latest anti virus definition files.
23:15
The other important point is this.
23:18
Keep your system patched with the latest security patches issued by the operating system vendor.
23:23
Both Microsoft and Apple
23:26
periodically release patches for their systems, which fix
23:32
either existing security issues that have been identified
23:36
or protect you against new types of attacks that have recently become apparent.
23:45
So let's watch an anti malware program at work.
23:52
What is it going to do?
23:55
Well, as you will see, it's going to monitor
23:56
what I'm downloading from the Internet.
24:02
It will scan any executable if I try to run it.
24:07
You can also set up a schedule, in which case the anti malware program scans your hard drive looking for any malicious software that might have made it onto the hard drive.
24:21
And you can also configure them generally to scan any external storage you plug into the computer, such as a USB thumb drive.
24:32
These types of programs, when they find something that looks suspicious that could be malicious, will typically quarantine it,
24:40
and we'll have a look at quarantining as well.
24:42
So let's have a look at all of this in action
24:48
now. Here I'm trying to download a malicious program
24:52
and you'll see how persistent the anti virus is.
24:56
The first thing is it pops up a warning in the browser itself that says, Hey, this is a dangerous file, don't download it.
25:03
But I say I'm gonna download it anyway,
25:07
so the file is now being downloaded, and I can go and see the folder that it's downloaded to,
25:12
and drag it and copy it onto my desktop.
25:22
Now I'm going to try to run it,
25:25
so I right click it and immediately I'm warned again, this is a malicious file,
25:30
and I could click on More Info to find out more information about it.
25:34
And then I can click a link that says,
25:37
I don't care. I want to run it anyway.
25:40
But instead of running it,
25:42
the anti virus program quarantines it.
25:47
By quarantining the file, it is preventing it from running.
25:52
So now I have to open up the anti virus application
26:00
and go find within its settings where quarantined files are listed.
26:06
And there it is.
26:07
If I unquarantine the file,
26:10
it now gets put back onto the desktop
26:14
while we're here. Let's have a look at the settings available for an anti virus program.
26:18
This is where I can configure automatic updating of the anti virus definition files and where I can schedule scans to run at regular intervals.
26:33
Another layer of security, you can add, is to encrypt your files.
26:38
So actually, in Windows, at least in the business versions, encryption is built in, that is, in Windows Professional or Windows Enterprise editions.
26:48
So
26:49
all you have to do in those cases to encrypt a file is this. You right-click on the file and you go to its properties,
26:57
and then you click on the advanced button
27:00
in the Advanced Attributes dialogue box that you see here. There's a check box, which simply says, encrypt the contents to secure the data,
27:10
and then you click. Okay.
27:11
At that point, the file is encrypted before it's written to disk
27:15
Only authorized users, that is, me, the person who encrypted it, or somebody else that I specify,
27:22
can decrypt and read the file.
27:23
So, for example, if somebody steals your hard disk,
27:26
they'll have a hard time actually being able to read any of the documents because they will be encrypted, and without the decryption key that is required,
27:36
they cannot decrypt the files and read their contents.
27:41
You can go one step beyond that and encrypt an entire volume, like, say, your entire C: drive.
27:47
This is a feature called BitLocker that again is built into Windows, but in this case only into the Enterprise edition of Windows.
27:55
And this is called whole volume encryption. Sometimes people mistakenly call it whole disk encryption.
28:02
It's not actually encrypting the entire drive. It's encrypting individual partitions or volumes within the drive.
28:08
Typically, whole disk encryption is implemented through hardware, not through the operating system.
28:15
Anyway, so this is whole volume encryption. Now, what if you don't have the Enterprise edition of Windows?
28:22
Well, there are third party encryption programs around.
28:26
There are both open source programs, like VeraCrypt,
28:30
and then there are paid programs like AxCrypt.
28:33
So AxCrypt is one of these where basic features are available for free, but then they have premium features for which you have to pay.
28:42
What about security for your wireless network? Well, there's two aspects to this one is
28:48
public WiFi hot spots. So, for example, if you go to Starbucks or McDonald's and you connect to their WiFi,
28:56
what's going on? Well, typically, these open WiFi networks don't do any kind of authentication, so you have no idea who's actually connected to that network
29:06
and they don't encrypt your network traffic. So all the data that you're sending and receiving across
29:12
across that connection
29:15
is actually traveling in plain text through the air.
29:18
So if you are going to use these public WiFi hot spots, it's a good idea only to connect to secure websites, that is, websites where the URL is HTTPS rather than HTTP.
29:32
And if you have to connect to some remote computers like, say, a work network or a work VPN server,
29:40
make sure you use VPN protocols that encrypt the connection.
29:47
And then what about your home networks or corporate networks? Well, if you're going to use WiFi, you should enable security
29:55
In Domain 4 we will look at the security available for WiFi, but essentially these days it's a matter of choosing between WPA or WPA2.
30:04
There is an older standard called WEP,
30:07
which you should not use because it is not secure.
30:15
Now let's look at the different ways of providing authentication,
30:22
so authentication refers to how we verify the identity of a user
30:29
so somebody tries to log on. They claim to be Fred.
30:32
How do we verify that it's really Fred?
30:34
We need them to prove their identity in some way.
30:40
The most common way we do that is simply to require users to also enter their password,
30:45
so they need to know what their user name is and type that in,
30:48
and then they need to know what their password is and type that in.
30:52
And that is really the simplest way to verify the identity of a user. And that's called authentication.
31:03
So any system that contains any sensitive information should require authentication.
31:10
Sometimes, for example, people don't set up authentication for their smart phones because they want their phones to be easy to use. You just pick it up and start using it.
31:18
If you set up authentication, you might be required to enter a PIN or draw a pattern on the screen, or use your thumb print, something like that.
31:27
So there you know again, the convenience of using it
31:32
means you lower the security because if you don't have any authentication configured,
31:37
if you lose your phone or somebody steals it,
31:40
they can now just start using it, and potentially, if you have stored the passwords for things like websites on that smartphone, they can now connect to anything that you normally connected to from that smartphone.
31:56
Now let's talk about authentication factors.
32:00
An authentication factor refers to the different methods we can use for authentication.
32:05
For example,
32:07
the factor could be something you know.
32:09
Examples of this would be the user name or the password or the PIN that you have to type in.
32:15
All of those are things you know, and you could be required to provide those to prove your identity to authenticate yourself.
32:24
But what about something you are?
32:28
This refers to biometrics. That is something about your body.
32:31
So, for example, your fingerprint could be used to authenticate you, or facial recognition, where the operating system scans your face and sees if it recognizes it,
32:43
or iris scanning where your eyes are scanned.
32:45
Apparently, people's irises
32:49
within their eyes are as unique as fingerprints.
32:52
And then there's something you have,
32:54
so you could be required to log in by inserting your smart card into a reader or reading a one time password from a token, a token being a small electronic device with a screen,
33:07
or your smartphone.
33:09
So, for example, you might go to a website
33:13
and say I forgot my password.
33:15
So what they do is maybe send you a link where you can reset your password.
33:20
But they also
33:21
send a one time code to your smartphone
33:24
so you not only have to know the user's email address, but you also have to have access to their smartphone in order to complete that process.
33:32
And so the smartphone is being used as proof of something you have, which proves who you are
33:44
Now, the safest way of doing authentication is to combine all those different factors.
33:47
So multi-factor authentication refers to combining two or more factors. For example,
33:54
how about combining something you have with something you know?
33:58
So if you were required to insert your smart card, that's something you have,
34:02
and then enter your PIN.
34:04
That would be something you know,
34:07
or what about something you are and something you know.
34:10
So you scan your fingerprint and then you enter your password or a PIN,
34:15
so your fingerprint is something you are,
34:17
and the password or PIN is something you know.
34:23
Just be careful about this because multiple uses of the same factor is not considered multi-factor authentication.
34:31
for example, you could be required to enter your username.
34:35
That's one thing
34:36
and your password. That's another thing. And your PIN. That's the third thing.
34:40
But the problem is, all three things are something you know. They're all the same factor,
34:45
so that would not be considered multi factor authentication
34:57
types of accounts.
34:59
Operating systems have
35:00
all have an administrator account that is configured automatically during installation
35:06
In Windows, that account is called Administrator.
35:10
In Linux systems and OS X,
35:14
that account is called root.
35:16
Now, here's the problem with administrator accounts.
35:21
These are all powerful.
35:22
They cannot be prevented from accessing anything or changing any setting.
35:28
So, for example, even if
35:30
an administrator tries to access a file and the operating system says access denied because the permissions are not set to allow the administrator to access it,
35:39
here's what the administrator can do.
35:42
They can go and reset the permissions, giving themselves full access, and then they can access the file
35:47
so administrator accounts are very dangerous in that way.
35:52
Then there are standard user accounts. Most user accounts you create should be configured as standard user accounts. They don't have all the administrative rights that the administrator account does, so they have very limited privileges.
36:08
Most operating systems also have a guest account.
36:12
So there is a guest account in Windows and a guest account in OS X.
36:16
Typically, this account is disabled by default and has very limited rights on that system.
36:23
You should give it a password as well, just to make sure that random people can't log on as guest.
36:31
So why would you use it? Well, you can enable it to allow occasional or temporary access to your computer.
36:37
Imagine that some friends have come over and they want to log on to your machine and look for something on the Internet.
36:45
Well, one thing you could do is tell them what your user name and password is, in which case they log in
36:51
and they now have access to all your stuff, all your documents and so on. And they could accidentally, not necessarily maliciously, but they could accidentally delete some of those files, which they'll be able to do because they're logged on as you.
37:04
So what you do is you tell them to log on using the guest account
37:08
In OS X, the guest account automatically deletes everything they did when the guest account logs off.
37:15
Windows doesn't quite do that,
37:17
although it has a guest account and you could enable it, and users can log on as guest.
37:22
It does create a profile for the guest account, and it remembers what that account did rather than deleting everything when the user logs off.
37:35
So here are some best practices related to accounts
37:37
Most user accounts you create should be configured as standard users, not as administrators.
37:45
You should, in fact, only really have one administrator account because the more you have, the more possibility there is that somebody discovers one of the passwords for one of the administrator accounts.
37:55
You should also rename it. In Windows, for example, the default name for the administrator account is Administrator,
38:02
and you should give it a complex password
38:06
or, better yet, require multi-factor authentication when logging on as this administrator.
38:12
Also note that it is dangerous to carry out normal activities while logged on as an administrator.
38:17
for example, if your computer is infected with a virus,
38:22
if you log on as administrator, the virus runs and inherits your credentials,
38:27
so that a virus now has full administrative rights on your machine and can do anything it wants
38:32
or
38:34
think about this. You've logged on as administrator, and then you use your browser to go to some website on the Internet.
38:42
It so happens that it's a malicious website, and it downloads a malicious program to your machine.
38:46
That program now inherits your administrative credentials and runs with full privileges.
38:52
So this is why you know Microsoft and other vendors recommend that you
38:58
never log on as administrator unless there's something you're doing that really requires administrative credentials.
39:07
And the guest account, which is disabled by default, should be enabled only if needed and should not be given additional privileges.
39:15
So to summarize module 3.2,
39:20
Security Best practices
39:22
Here's what we looked at. We looked at how to choose good passwords, that is, longer and more complex passwords.
39:30
We also saw how in Windows you can enforce the password settings on your users.
39:36
We looked at the concept of device hardening.
39:37
This is locking down the system by removing all unnecessary features,
39:43
um, that are often installed by default within operating systems.
39:47
disabling any unnecessary services,
39:51
and
39:52
disabling any types of communication you don't need to use, such as Bluetooth.
39:57
We looked at some of the dangers of using WiFi without good security, particularly when connecting to public hot spots.
40:05
And we looked at the concept of single-factor and multi-factor authentication,
40:12
and we saw that multi factor authentication is much more secure but is more complex to set up and possibly more expensive to set up.