Physical & Logical Security Measures

Key Takeaways

  • Physical security measures include cable locks, server room access controls (badge readers, biometrics), security cameras, mantraps/vestibules, and bollards — physical access to a device often means full compromise.
  • Multi-factor authentication (MFA) uses two or more factors: something you know (password), something you have (smart card, phone), something you are (biometrics), and somewhere you are (location).
  • The principle of least privilege means users should only have the minimum permissions necessary to perform their job — excessive permissions increase risk.
  • Access control lists (ACLs) define which users or groups can access specific resources and what level of access they have (read, write, execute, full control).
  • Strong password policies require minimum length (12+ characters recommended), complexity (uppercase, lowercase, numbers, symbols), password history, and account lockout after repeated failed attempts. Periodic expiration is still common in compliance baselines, although current NIST guidance (SP 800-63B) drops it in favor of length and screening against breached-password lists.
Last updated: March 2026


Physical Security

Physical security prevents unauthorized access to hardware and infrastructure:

Control | Description
Cable Locks | Kensington-style lock tethering a laptop or other equipment to a desk
Badge/Card Reader | Proximity or smart card reader for door access
Biometric Locks | Fingerprint, iris, or facial recognition for high-security areas
Mantrap / Security Vestibule | Two-door entry system in which only one door can be open at a time (prevents tailgating)
Security Cameras (CCTV) | Surveillance recording and deterrence
Motion Sensors | Detect movement in restricted areas
Bollards | Physical barriers preventing vehicle access to buildings
Fencing | Perimeter security around facilities
Signage | Warning signs for restricted areas, no trespassing
Locks | Traditional key locks, combination locks, electronic locks
Lighting | Adequate lighting deters intruders and aids camera surveillance
Guards | Security personnel for access control and incident response
Alarm Systems | Alert security when unauthorized access is detected

Server Room Security

  • Access should be restricted to authorized IT personnel only
  • Use electronic access control (badge + PIN or biometric)
  • Maintain access logs for auditing
  • Environmental controls: temperature monitoring, fire suppression, humidity control
  • Surveillance cameras pointed at entrances and equipment racks

Authentication Factors

Multi-factor authentication (MFA) combines two or more of the following factor categories:

Factor | Category | Examples
Something you know | Knowledge | Password, PIN, security questions
Something you have | Possession | Smart card, security token, phone (SMS/app), USB key
Something you are | Inherence (Biometric) | Fingerprint, iris scan, facial recognition, voice
Somewhere you are | Location | GPS location, IP address geolocation

Key Distinction: Using a password + a PIN is NOT multi-factor authentication because both are "something you know." True MFA requires factors from different categories (e.g., password + fingerprint, or password + phone app code).

Common MFA Implementations

  • SMS code: one-time code sent by text message. The weakest form of MFA: the phone number can be taken over by SIM swapping, and the code can be phished and relayed in real time.
  • Authenticator app: time-based one-time password (TOTP) from apps such as Google Authenticator or Microsoft Authenticator. Not tied to the phone number, but still phishable, since a relay site can forward the code within its 30-second validity window.
  • Hardware token: physical device that holds the secret. RSA SecurID displays rotating codes; a FIDO2/WebAuthn security key such as a YubiKey instead signs a challenge bound to the site's origin, which is why it resists phishing and replay.
  • Push notification: approve/deny prompt on the phone. Vulnerable to "MFA fatigue" (repeated prompts until the user taps approve) unless number matching is required.
  • Biometric: fingerprint or facial recognition, typically used to unlock a credential stored on the device rather than being sent to the server.

Access Control Principles

Principle of Least Privilege

  • Users receive only the minimum permissions needed to perform their job
  • Reduces risk if an account is compromised
  • Example: A marketing employee should not have access to financial databases

Role-Based Access Control (RBAC)

  • Permissions are assigned to roles, not individual users
  • Users are assigned to roles based on their job function
  • Example roles: Admin, Manager, Employee, Contractor, Guest
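Least privilege and RBAC as working logic, added here as an example (not code from the page). Roles map to permissions, users map to roles, every check is deny-by-default, and an audit function reports what a role grants beyond what the job needs, which is the marketing-versus-finance case above. Role names, resources, users and the "needed" permission sets are constructed for illustration.

```python
# Added example: RBAC with deny-by-default checking and a least-privilege audit.
# Role names, resources and users below are constructed for illustration.

# Permissions are (resource, action) pairs attached to roles, never to users.
ROLE_PERMISSIONS = {
    "Admin":      {("*", "*")},   # wildcard resource and action
    "Manager":    {("crm", "read"), ("crm", "write"), ("reports", "read")},
    "Employee":   {("crm", "read"), ("wiki", "read"), ("wiki", "write")},
    "Finance":    {("ledger", "read"), ("ledger", "write"), ("reports", "read")},
    "Contractor": {("wiki", "read")},
    "Guest":      set(),
}

# Users are assigned roles according to their job function.
USER_ROLES = {
    "alice":   {"Employee"},             # marketing
    "bob":     {"Employee", "Finance"},  # accounting
    "root":    {"Admin"},
    "visitor": {"Guest"},
}


def permissions_for(user: str) -> set:
    """Union of the permissions of every role the user holds."""
    granted = set()
    for role in USER_ROLES.get(user, set()):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Deny by default: an unknown user, an unknown role, or an action that
    no role grants all evaluate to False."""
    return any(res in ("*", resource) and act in ("*", action)
               for res, act in permissions_for(user))


def least_privilege_audit(user: str, needed: set) -> dict:
    """Compare what the job needs with what the roles grant. 'excess' is what
    to remove or move into a narrower role; 'missing' is what the user cannot
    do even though the job requires it."""
    granted = permissions_for(user)
    return {"excess": granted - needed, "missing": needed - granted}


if __name__ == "__main__":
    print("alice -> ledger read:", is_allowed("alice", "ledger", "read"))
    print("bob   -> ledger write:", is_allowed("bob", "ledger", "write"))
    print(least_privilege_audit("alice", {("wiki", "read"), ("wiki", "write")}))
```

Running the audit against a documented list of each job's required actions is how "minimum permissions necessary" becomes something you can measure rather than assert.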

NTFS Permissions (Windows)

Permission | Capability
Full Control | Read, write, modify, delete, change permissions, take ownership
Modify | Read, write, delete files and subfolders
Read & Execute | View files and run programs
List Folder Contents | View folder contents (folders only)
Read | View file contents
Write | Create files and write data

Permission Inheritance: Permissions assigned to a parent folder are inherited by all subfolders and files unless inheritance is disabled on the child object. Entries set explicitly on an object are evaluated before inherited ones, so an explicit Allow on a file overrides an inherited Deny from its parent, and an explicit Deny overrides an inherited Allow.

Share Permissions vs. NTFS Permissions

Feature | Share Permissions | NTFS Permissions
Applies to | Network access only | Local AND network access
Granularity | Read, Change, Full Control | 6 basic levels (see above), plus advanced (special) permissions

When both apply: within each type, Allow entries for the user and all of their groups accumulate (the most permissive result), except that an explicit Deny overrides an Allow. When a file is reached over the network, the more restrictive of the resulting share permission and the resulting NTFS permission wins. Locally, only NTFS permissions apply.
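The combining rules above as an added worked example (not code from the page). Each basic permission is modelled as the set of rights it grants; Allow entries for the user and their groups are merged, any matching Deny strips rights, and network access is the intersection of the share result and the NTFS result. The users, groups and ACLs are constructed; the model deliberately ignores explicit-versus-inherited ordering and special permissions.

```python
# Added example: effective-access calculation under share + NTFS rules.
# Users, groups and ACEs are constructed; explicit-vs-inherited ordering
# and special (advanced) permissions are not modelled.

# Each basic permission is modelled as the set of rights it grants.
NTFS_RIGHTS = {
    "Read":                 {"read"},
    "Write":                {"write"},
    "List Folder Contents": {"read", "execute"},
    "Read & Execute":       {"read", "execute"},
    "Modify":               {"read", "execute", "write", "delete"},
    "Full Control":         {"read", "execute", "write", "delete", "change_permissions"},
}
SHARE_RIGHTS = {
    "Read":         {"read", "execute"},
    "Change":       {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete", "change_permissions"},
}


def resolve(aces, principals, table):
    """Combine the ACEs that name the user or any of their groups.
    Allow entries accumulate (most permissive); then any matching Deny
    strips those rights, because Deny beats Allow of the same scope."""
    allowed, denied = set(), set()
    for who, kind, level in aces:
        if who in principals:
            (allowed if kind == "Allow" else denied).update(table[level])
    return allowed - denied


def effective_rights(user, groups, share_aces, ntfs_aces, via_network=True):
    """Rights the user actually has on the object. Share permissions apply
    only over the network; when both apply, the intersection (the most
    restrictive combination) wins."""
    principals = {user, "Everyone", *groups}
    ntfs = resolve(ntfs_aces, principals, NTFS_RIGHTS)
    if not via_network:
        return ntfs
    return ntfs & resolve(share_aces, principals, SHARE_RIGHTS)


# Constructed sample ACLs for a folder shared as \\fileserver\Marketing.
SHARE_ACL = [("Everyone", "Allow", "Read"),
             ("Marketing", "Allow", "Change")]
NTFS_ACL = [("Everyone", "Allow", "Read & Execute"),
            ("Marketing", "Allow", "Modify"),
            ("Admins", "Allow", "Full Control"),
            ("carol", "Deny", "Write")]   # explicit Deny on one user

if __name__ == "__main__":
    for user, groups in [("alice", {"Marketing"}), ("bob", set()),
                         ("carol", {"Marketing"}), ("dave", {"Admins"})]:
        print(user, "network:", sorted(effective_rights(user, groups, SHARE_ACL, NTFS_ACL)),
              "local:", sorted(effective_rights(user, groups, SHARE_ACL, NTFS_ACL, False)))
```

Note the administrator case: Full Control in NTFS is cut down to read and execute over the network because the share only grants Everyone Read. That is the usual reason a user "has the permission but still can't write to the share".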

Password Policies

Policy | Recommended Setting
Minimum Length | 12+ characters
Complexity | Uppercase, lowercase, numbers, special characters
Maximum Age | 90 days (or use a passphrase with no expiration)
Minimum Age | 1 day (prevents immediate cycling back to an old password)
History | Remember last 12 to 24 passwords
Account Lockout | Lock after 5 failed attempts
Lockout Duration | 15 to 30 minutes (or until an admin unlocks)

Caveat: these settings reflect common compliance baselines. NIST SP 800-63B recommends against forced composition rules and routine expiration, favoring minimum length, screening against breached-password lists and rate limiting, with a forced change only when there is evidence of compromise. Account lockout also hands an attacker who knows usernames a way to lock out legitimate users, so pair it with throttling by source address.
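The policy table as enforcement logic, added here as an example (not code from the page). It checks length, complexity and reuse against a salted-hash history, and tracks failed logins in a sliding window so that five failures within the window lock the account for the lockout duration, while the same five failures spread over a day do not. The `Account` class, hashing parameters and timestamps (plain Unix seconds) are an illustrative in-memory model, not a real directory service.

```python
import hashlib
import hmac
import os
import string

# Added example: enforcement logic for the policy table above. Thresholds
# mirror the table; the account object and hashing parameters are a
# constructed in-memory model, not a real directory service.
POLICY = {
    "min_length": 12,
    "history": 24,                       # previous passwords that may not be reused
    "lockout_threshold": 5,              # failed attempts before lockout
    "lockout_seconds": 15 * 60,
    "failure_window_seconds": 15 * 60,   # failures older than this no longer count
}
PBKDF2_ROUNDS = 50_000  # kept modest for the demo; production uses far more


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def policy_violations(password: str, history: list) -> list:
    """Return every rule the candidate password breaks (empty list = OK).
    `history` holds (salt, hash) pairs of previous passwords, newest last."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("shorter than %d characters" % POLICY["min_length"])
    checks = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems += ["no %s character" % name for name, ok in checks.items() if not ok]
    # Reuse is detected by re-deriving the hash with each stored salt; the
    # history never holds plaintext.
    for salt, digest in history[-POLICY["history"]:]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append("reuses one of the last %d passwords" % POLICY["history"])
            break
    return problems


class Account:
    def __init__(self):
        self.history = []        # (salt, hash) of current and past passwords
        self.failures = []       # Unix timestamps of recent failed logins
        self.locked_until = 0

    def set_password(self, password: str) -> None:
        problems = policy_violations(password, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(password, salt))])[-POLICY["history"]:]

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def record_attempt(self, success: bool, now: int) -> bool:
        """Update lockout state after a login attempt. Returns True if the
        account is locked after this attempt (attempts made while locked
        are ignored, so they cannot extend the lockout)."""
        if self.is_locked(now):
            return True
        if success:
            self.failures = []
            return False
        cutoff = now - POLICY["failure_window_seconds"]
        self.failures = [t for t in self.failures if t > cutoff] + [now]
        if len(self.failures) >= POLICY["lockout_threshold"]:
            self.locked_until = now + POLICY["lockout_seconds"]
            self.failures = []
            return True
        return False
```

Because `record_attempt` keys only on the account, a remote attacker can still lock out any user whose name they know; production systems add per-source throttling and usually prefer a short automatic unlock to "until admin unlocks" for that reason.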

User Account Types

Account Type | Permissions | Use Case
Administrator | Full system control | System administration (use sparingly)
Standard User | Run programs, modify own files only | Daily use (recommended default)
Guest | Very limited, temporary access | Visitor access (disable when not needed)
Power User | Between Admin and Standard (legacy) | Legacy applications needing elevated access
Service Account | Runs background services | Database, web server, backup services