Changing the default administrator passwords to unique, complex passwords for each workstation is crucial for enhancing system security. Default passwords are widely known and pose a significant risk if not changed, as they can easily be used by unauthorized individuals to gain privileged access.

Setting workstations to automatically lock after a period of inactivity, such as 5 minutes, is an effective way to ensure that they are not left unattended and unlocked. This practice reduces the risk of unauthorized access to the workstation and the potential for data breaches.

Disabling the AutoRun and AutoPlay features on all workstations through Group Policy settings is the most direct and effective way to mitigate the risk of this new cybersecurity threat. This prevents the automatic execution of software from USB drives, effectively neutralizing the exploit.

Implementing cable locks for laptops and securing them to immovable objects in public spaces is an effective measure to prevent physical theft and unauthorized access. This provides a strong deterrent against opportunistic theft, ensuring that devices remain safe even when employees need to step away briefly.

Setting strong BIOS/UEFI passwords on all systems is the correct action to secure the boot process and prevent unauthorized access to BIOS/UEFI settings, which could compromise the workstation’s security.

Implementing strong BIOS/UEFI passwords along with enabling Secure Boot on all workstations provides a comprehensive security approach. BIOS/UEFI passwords protect against unauthorized access and changes to firmware settings, while Secure Boot ensures that the workstation boots only trusted software that hasn’t been tampered with. This combination effectively secures the workstation at both the firmware and boot levels, mitigating risks of malware and unauthorized system modifications.

Assigning users the minimum necessary permissions needed to perform their job functions, often referred to as the principle of least privilege, is the best approach for minimizing risks associated with unauthorized system changes. This strategy ensures that users have access only to the resources and data necessary for their roles, reducing the potential for accidental or malicious changes to the system.

Disabling all guest accounts on corporate workstations is a critical security measure to prevent unauthorized access to sensitive information. Guest accounts typically have limited security controls and can provide an entry point for unauthorized users to access the system, potentially leading to data breaches.

Utilizing Group Policy in Windows Active Directory to enforce screen saver locks across all workstations is the most efficient and effective method for implementing this security measure. This allows IT administrators to centrally manage and apply the policy to all workstations within the network, ensuring consistent application of the security measure and reducing the risk of human error or non-compliance.

Including a mix of uppercase, lowercase, numbers, and symbols in passwords is a recognized best practice that enhances password strength and security. This complexity makes passwords more difficult for attackers to guess or crack.

Implementing a policy that requires passwords to be at least 16 characters long, including a mix of character types (uppercase and lowercase letters, numbers, and symbols), and mandates regular changes (e.g., quarterly) is in line with current security best practices. This approach enhances password strength and reduces the risk of compromise over time.

Implementing a failed attempts lockout policy after three incorrect login attempts is an effective security measure that protects against brute-force attacks by temporarily locking the account after multiple failed login attempts.

Enabling screen saver locks with password protection on all workstations is a critical security measure that prevents unauthorized access to the workstation when the user is away. This practice ensures that any temporary absence does not become an opportunity for data breach or unauthorized system access.

Enabling BitLocker on Windows systems is the most direct and effective method to ensure data-at-rest encryption, protecting sensitive data on the hard drive from unauthorized access.