Physical & Logical Security Measures
Key Takeaways
- Physical access usually equals full compromise: cable locks, badge readers, biometrics, access-control vestibules (mantraps), bollards, and cameras all delay or deter an attacker who reaches the hardware.
- Multi-factor authentication (MFA) requires factors from two or more DIFFERENT categories — knowledge, possession, inherence, location, or behavior — so password plus PIN is still single-factor.
- Least privilege gives users the minimum rights needed; Role-Based Access Control (RBAC) assigns those rights to roles, not individuals, simplifying audits and offboarding.
- When Windows share permissions and NTFS permissions both apply, the MOST restrictive effective permission wins; allow is cumulative but a single Deny overrides everything.
- Hardened account hygiene means renaming/disabling the default Administrator and Guest accounts, enforcing length plus complexity, and locking accounts after a small number of failed attempts.
Physical Security on the 220-1202 Exam
Security is Domain 2 of CompTIA A+ Core 2 (220-1202) and weighs 28% of the exam, tied with Operating Systems as the heaviest domain. The exam delivers a maximum of 90 questions in 90 minutes, and you must score 700 on a 100–900 scale to pass. Many Security items are scenario- or performance-based, so memorizing a control is not enough; you must pick the BEST control for a described situation.
Physical security assumes that an attacker who touches the hardware can often bypass software defenses (reset BIOS, boot a live USB, pull the drive). The job of physical controls is to deter, delay, and detect.
| Control | What it does | Exam trigger phrase |
|---|---|---|
| Cable lock | Kensington tether anchoring a laptop to a desk | "prevent walk-off theft of a laptop" |
| Badge / proximity reader | Card unlocks a door; logs every entry | "track who entered the data center" |
| Biometric lock | Fingerprint, iris, or facial scan | "highest-assurance door for a server room" |
| Access control vestibule (mantrap) | Two interlocking doors; only one opens at a time | "stop tailgating / piggybacking" |
| Bollard | Post that blocks a vehicle | "prevent ramming a glass entrance" |
| Video surveillance (CCTV) | Records and deters | "after-the-fact evidence of intrusion" |
| Motion sensor / alarm | Detects movement after hours | "alert on unauthorized entry" |
| Door lock types | Key, cipher/PIN, electronic, magnetic | "fail-safe vs fail-secure" |
Server / Wiring-Closet Hardening
- Restrict entry to named IT staff using badge + PIN or biometrics, not a shared key.
- Keep immutable access logs for auditing — the badge system answers "who and when."
- Maintain environmental controls: temperature/humidity monitoring and fire suppression.
- Point cameras at the door AND the racks; a lock without monitoring only delays.
Common trap: the exam distinguishes fail-safe (door unlocks on power loss — life safety) from fail-secure (door locks on power loss — asset protection). A data-center exterior door is usually fail-secure; a stairwell egress door is fail-safe.
Authentication Factors
MFA combines two or more of these distinct categories. Two items from the SAME category never count as multi-factor.
| Factor category | Means | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, security question |
| Something you have | Possession | Smart card, hardware token, phone push, USB security key |
| Something you are | Inherence (biometric) | Fingerprint, iris, facial, voice |
| Somewhere you are | Location | GPS, IP geolocation, geofencing |
| Something you do | Behavioral | Gait, typing rhythm, signature dynamics |
Worked example: A bank login asks for a password and then a one-time code from an authenticator app. That is true MFA — know + have. A login asking for a password plus a 4-digit PIN is still single-factor: both are knowledge.
Hardware tokens generate a Time-based One-Time Password (TOTP) that rotates every 30 seconds. SMS codes are the weakest MFA option because of SIM-swapping. A FIDO2/U2F security key (e.g., YubiKey) is phishing-resistant and is the exam's "strongest" possession factor.
Least Privilege, RBAC, and Windows Permissions
Principle of least privilege grants only the rights a task requires; a marketing hire should not see the finance share. RBAC assigns those rights to a role (Sales, Help-Desk, Admin) so onboarding/offboarding is a single group change.
NTFS vs Share Permissions
| Permission set | Applies to | Granularity |
|---|---|---|
| Share | Network access only | Read, Change, Full Control |
| NTFS | Local AND network | Full Control, Modify, Read & Execute, List Folder Contents, Read, Write |
When both apply, the system computes each set's effective permission, then takes the most restrictive of the two. Within a single set, allows are cumulative but a single Deny overrides all Allows. NTFS permissions inherit from the parent folder unless inheritance is broken.
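An added example, not part of the guide, that resolves the NTFS-versus-share rule in code: allows accumulate, a Deny strips rights, and network access is the intersection of the two sets. The group names, user memberships and ACEs are constructed for the demonstration, and the atomic rights are a simplified model of the real NTFS ACE bits.

```python
# Added example, not from the study guide: how Windows combines NTFS and share
# permissions into an effective permission. Groups, users and ACEs are constructed.

# Each named permission level expands to a set of atomic rights (simplified model):
# R read, W write, X execute/traverse, D delete, P change permissions.
NTFS_LEVELS = {
    "Full Control": {"R", "W", "X", "D", "P"},
    "Modify": {"R", "W", "X", "D"},
    "Read & Execute": {"R", "X"},
    "List Folder Contents": {"R", "X"},
    "Read": {"R"},
    "Write": {"W"},
}
SHARE_LEVELS = {
    "Full Control": {"R", "W", "X", "D", "P"},
    "Change": {"R", "W", "X", "D"},
    "Read": {"R", "X"},
}

def effective_rights(acl, principals, levels):
    """Within one ACL: Allow ACEs for any of the user's principals are cumulative,
    then any matching Deny strips its rights (a single Deny wins)."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal not in principals:
            continue
        (allowed if kind == "Allow" else denied).update(levels[level])
    return allowed - denied

def network_rights(ntfs_acl, share_acl, principals):
    """Over the network both ACLs apply: the result is their intersection,
    i.e. the MORE restrictive set wins for every atomic right."""
    return (effective_rights(ntfs_acl, principals, NTFS_LEVELS)
            & effective_rights(share_acl, principals, SHARE_LEVELS))

def describe(rights, levels):
    """Name the level whose rights match exactly, else list the atomic rights."""
    for name, needed in levels.items():
        if rights == needed:
            return name
    return "custom: " + ",".join(sorted(rights)) if rights else "No access"

# Constructed ACLs: the guide's scenario (NTFS Modify, share Read) plus a Deny.
NTFS_ACL = [("Sales", "Allow", "Modify"), ("Interns", "Deny", "Write")]
SHARE_ACL = [("Sales", "Allow", "Read")]

if __name__ == "__main__":
    alice = {"Sales", "Authenticated Users"}   # ordinary Sales user
    bob = {"Sales", "Interns"}                 # Sales user who is also an intern
    print("alice local  :", describe(effective_rights(NTFS_ACL, alice, NTFS_LEVELS), NTFS_LEVELS))
    print("alice network:", describe(network_rights(NTFS_ACL, SHARE_ACL, alice), NTFS_LEVELS))
    print("bob local    :", describe(effective_rights(NTFS_ACL, bob, NTFS_LEVELS), NTFS_LEVELS))
```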
Account & Password Policy
| Policy | Hardened value |
|---|---|
| Minimum length | 12+ characters (passphrase) |
| Complexity | Upper, lower, number, symbol |
| History | Remember last 12–24 |
| Account lockout | After 5 failed attempts |
| Lockout duration | 15–30 min or admin reset |
Disable or rename the built-in Administrator and Guest accounts, and give daily users Standard (not Administrator) accounts so User Account Control prompts on privilege escalation.
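An added example (not from the guide) that implements the lockout rows of the table as a small tracker: 5 failed attempts trigger a 30-minute lockout, failures older than a 15-minute observation window stop counting, and an admin reset clears the lock. Timestamps are passed in explicitly and the user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Added example, not from the study guide: an account-lockout tracker using the
# hardened values from the policy table (5 failed attempts, 30-minute lockout)
# plus a 15-minute observation window after which old failures stop counting.
# Timestamps are Unix seconds passed in explicitly; user names are constructed.

@dataclass
class LockoutPolicy:
    threshold: int = 5               # failed attempts that trigger a lockout
    lockout_seconds: int = 30 * 60   # how long the account stays locked
    window_seconds: int = 15 * 60    # failures older than this no longer count

@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None                 # None means not locked

class LockoutTracker:
    def __init__(self, policy: Optional[LockoutPolicy] = None):
        self.policy = policy or LockoutPolicy()
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None and now >= st.locked_until:
            st.locked_until, st.failures = None, []      # lockout expired: start clean
        return st.locked_until is not None

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok', 'failed' or 'locked_now'. While locked, even a
        correct password is rejected, so the lock cannot be used as a password oracle."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            st.failures = []                             # success resets the counter
            return "ok"
        st.failures = [t for t in st.failures if now - t <= self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_seconds
            return "locked_now"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()             # the table's "admin reset"
```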
Logical Security Concepts You Must Distinguish
The exam separates three related ideas that students often blur together. Authentication proves who you are (login). Authorization decides what you may do once authenticated (permissions). Accounting (auditing) records what you did (logs). This is the AAA model, and 802.1X plus a RADIUS server is the most common AAA implementation tested.
Several additional account controls appear in scenario questions:
- Single Sign-On (SSO) lets one set of credentials unlock many apps; convenient but a compromised credential is now more dangerous, so it is usually paired with MFA.
- Time-of-day restrictions block logons outside business hours; a logon attempt against such an account at 3 a.m. is a strong signal of malicious activity.
- A login script maps drives and applies settings at sign-in; it is typically deployed via Group Policy.
- Lockout vs disable: lockout is temporary after failed attempts; disable is a deliberate, indefinite state used for departed employees so the account history is preserved for audit.
Scenario trap: "A user can log in but cannot open a folder" is an authorization problem (permissions), not an authentication problem. "A user cannot log in at all" is authentication. Reading the symptom correctly is how you pick the right fix on the exam.
Finally, remember the default-deny mindset that ties this section together: grant nothing by default, add explicit permissions per role, log everything, and review access regularly so privilege does not creep upward over time.
A help-desk tech logs in with a password and then taps an approve button on a push notification sent to their phone. What does this satisfy?
A folder has NTFS permission Modify for the Sales group, but the share permission for Sales is set to Read. What is the effective permission when a Sales user opens the folder over the network?
An access control vestibule (mantrap) primarily defends against which attack?