A plus 1002 Sub-objective 2.2

A plus 1002 Sub-objective 2.2 – Explain logical security concepts.

Welcome to ExamNotes by CertBlaster. In this edition, we will examine the Logical security concepts addressed in A plus 220-1002 sub-objective 2.2.

Active Directory

Active Directory (AD) describes a collection of services and related databases in Windows Server that can be used to control access to permitted Domains and activities.


AD is used to manage a Windows Domain using five services:

Active Directory Domain Services (AD DS) authenticates user accounts and provides authorization for user activity in the Domain.

Active Directory Certificate Services (AD CS) securely manages the identities of computers, users, and services.

Active Directory Federation Services (AD FS) is used with outside organizations to secure trust relationships.

Active Directory Rights Management Services (AD RMS) provides data security.

Active Directory Lightweight Directory Services (AD LDS) provides application security.

These services work together to organize the AD hierarchical structure from the top down. Active Directory creates a forest consisting of all the resources of a particular entity, such as a company or school, organized at the highest level.

Domain

The forest resources are organized into a domain such as mycompany.com or myschool.edu. The domain can contain one or more sites. A single site is usually sufficient; however, sites can be created for each office location or campus.

Organizational Units

An organizational unit (OU) simplifies user and computer management, allowing technicians and administrators to make privilege assignments to the users and computers in the OU using Group Policy Objects (GPOs). An OU can contain user groups, allowing many users to have a specific set of privileges. A user can belong to as many user groups as needed.

Group Policy/Updates

Domain resources are controlled by the group policies that are applied to the OU. Privileges are assigned to users and computers. NTFS and share permissions can also be applied using group policies. When a GPO is modified, the update is automatically applied to all clients.

Login script/Logon script

Whenever a user logs on, a list of commands is executed. The commands are contained in logon script files. Logon scripts can be simple batch files or VBScript files. AD stores Logon scripts in the Netlogon network share.


Home Folder

By default, a user saves their files locally to their home folder, C:\Users\username\Documents. Active Directory can change the location of the home folder to a network share, allowing the user to access the folder from any workstation they’re logged on to. This process is called folder redirection.

Folder Redirection

Active Directory can change the Home folder location to a share on the network, referred to as folder redirection. This simplifies backup maintenance and provides user access from different computers.

Software Tokens

Software tokens are a software-generated security component used for authentication. Devices are synchronized with the server, and the required information held by the server and the device is identical. Software tokens can serve as one factor during a multifactor authentication process.

MDM policies BYOD vs. corporate owned

Falling under the umbrella of Mobile Device Management (MDM), the term BYOD (Bring Your Own Device) describes a corporate policy that allows an employee to use their own device in the corporate environment. MDM includes evaluation of the device by the company’s IT department in order to ensure the device meets corporate security requirements regarding software, patches, antimalware, firewall, VPN, login requirements, and encryption. Any software installations required for the device to meet MDM/BYOD policy are referred to as on-boarding. Corporate-owned devices are configured to meet these same requirements.

Port security

Port security is used on switches in order to control which connected devices can communicate with each other.

MAC address filtering

MAC address filtering takes port security to the next level by using the device’s MAC address in order to permit (whitelist) or deny (blacklist) connections.

Certificates

Digital certificates are used to authenticate users and web servers. Digital certificates are issued by a trusted third party, referred to as a Certification Authority (CA). The most common example of a CA occurs when a secure website is accessed and a padlock icon displays in the address bar, indicating that the site is secure. The certificate details can be viewed to validate the Certification Authority and the encryption. Users can create their own certificates in order to provide email recipients with their credentials.

Antivirus/Antimalware

Antivirus/Antimalware is a crucial component of computer protection. Often, both products will be rolled into one. In order to maintain the programs’ effectiveness, the antimalware and antivirus signatures must be updated frequently. Protection programs examine all traffic and compare the behavior and contents of files against those of known threats. If a match or suspicious file is discovered, the program will issue a warning and the file will be quarantined until a determination is made. Remember not to judge a file by its name alone. Trojans use the names of legitimate files. Leave the quarantined file alone and look for a replacement on a trustworthy site.

Firewalls

Fundamentally, there are two types of firewalls: hardware and software. In order to protect business and small networks against attack, hardware firewalls are often placed between the Internet and the network being protected, filtering the traffic that is allowed to pass onto the network. A software firewall is important too, not as a standalone solution but as an additional filter for the traffic coming in and out of the machine. A hardware firewall only inspects inbound traffic while a software firewall can inspect both inbound and outbound traffic. Hardware and software firewalls complement each other and even in the case of a SOHO, a hardware firewall will be incorporated into a broadband router. Software firewalls are often a part of the OS, for example, Windows Firewall on Microsoft OSes. These software firewalls are designed to interoperate with antivirus or antimalware packages. The software firewall is more easily configurable by the end-user should they find their normal activity blocked.

User authentication/strong passwords

In a business environment, user authentication is required in order to access computer systems. A strong password is recommended. The password should be long, 16 or more characters, and use upper and lower case characters, numbers, and symbols. In the screenshot below, a strong password “K5wp#bLjp6B2G7-y” is provided by a random password generator. The generator also offers an easy way to remember this cryptic password with the phrase “KOREAN 5 walmart park # bestbuy LAPTOP jack park 6 BESTBUY 2 GOLF 7 – yelp.” Good luck with that!
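As an added example (not code from the original page), the following generator and checker apply the guideline given above: at least 16 characters drawn from upper case, lower case, digits, and symbols. The symbol set is a constructed choice; the `secrets` module is used because it is backed by the operating system's cryptographic random source, whereas `random.choice` is not suitable for credentials.

```python
import secrets
import string

# Constructed symbol set; adjust to whatever the target system accepts.
SYMBOLS = "!#$%&*+-=?@^_~"
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
MIN_LENGTH = 16


def is_strong(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password meets the length rule and uses every character class."""
    return len(password) >= min_length and all(
        any(ch in cls for ch in password) for cls in CLASSES
    )


def generate_password(length: int = MIN_LENGTH) -> str:
    """Take one character from each class so none is missing, fill the rest from
    the whole alphabet, then shuffle with the CSPRNG so the guaranteed characters
    do not sit in predictable positions."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow rather than random.shuffle
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "strong" if is_strong(pw) else "weak")
```

Run it a few times and every output satisfies `is_strong`; the sample password from the screenshot, “K5wp#bLjp6B2G7-y”, passes the same check.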

Strong password generator

Multifactor Authentication

A strong password combined with a second form of authentication, such as biometrics, a badge, or a token, is referred to as multifactor authentication. A very common multifactor method consists of a numeric keypad with an embedded fingerprint scanner. Other multifactor authentication methods are as simple as a security badge combined with a passcode. An impostor may be able to obtain one factor; however, it is unlikely that the impostor will obtain both.

Directory permissions

Directory permissions relate to the permissions allowed to a particular login or user. Unless specifically allowed, the hierarchy will explicitly deny permissions. Usually a user is a member of a group and will be given shared group permissions. If a user inherits a deny permission from the group but is explicitly allowed permission, the user will be allowed access.

VPN

A Virtual Private Network (VPN) offers a way to communicate securely over an insecure network (e.g. the Internet). The VPN is hosted by the business and creates a secure encrypted tunnel between remote users and the private network.

DLP

Data Loss Prevention (DLP) is less about physically losing data and more about user activities that can compromise data security. Operations such as sending email or moving files are scrutinized by DLP programs and even devices. Sensitive data is pre-classified to allow for categorization. Sometimes referred to as Data in Motion, DLP checks these activities for sensitive material.
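As an added example (not code from the original page) of the "data in motion" check described above, the following inspects an outbound message before it leaves the organization: it blocks messages whose pre-classified label is sensitive when the recipient is outside the company, and it scans the body for payment card numbers, using the Luhn check digit so that ordinary reference numbers do not trigger false positives. The internal domain, the labels, and the sample messages are all constructed for the example.

```python
import re

INTERNAL_DOMAIN = "example.com"                 # constructed: the organization's own domain
SENSITIVE_LABELS = {"CONFIDENTIAL", "RESTRICTED"}  # constructed pre-classification labels

# 13 to 19 digits, optionally separated by spaces or hyphens, on word boundaries.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: doubling every second digit from the right, the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the card numbers (separators removed) that pass the Luhn check."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits in any log or alert."""
    return "*" * (len(pan) - 4) + pan[-4:]


def is_internal(address: str) -> bool:
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def inspect_outbound(message: dict) -> dict:
    """Decide whether an outbound message may leave; message has 'to', 'classification', 'body'."""
    reasons = []
    label = message.get("classification", "").upper()
    if label in SENSITIVE_LABELS and not is_internal(message["to"]):
        reasons.append(f"{label} content addressed to external recipient {message['to']}")
    pans = find_pans(message.get("body", ""))
    if pans:
        reasons.append("card number(s) in body: " + ", ".join(mask(p) for p in pans))
    return {"action": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample message: an order reference (fails Luhn) and a test card number (passes).
    sample = {"to": "buyer@othercorp.example", "classification": "",
              "body": "Order ref 1234 5678 9012 3456. Card on file: 4111 1111 1111 1111"}
    print(inspect_outbound(sample))
```

The `4111 1111 1111 1111` value is the widely published Visa test number, so it passes the Luhn check, while the order reference does not and is left alone; that distinction is what keeps a DLP rule from blocking every 16-digit string.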

Disabling ports

When malicious activity is detected, the firewall has the ability to disable ports and protocols in order to stop the spread of malware.

Access control lists

Access Control Lists (ACLs) hold and manage a database of users and groups that are granted access to files and folders. Group membership helps manage this process. Keep in mind that a particular user may belong to one or more groups. In this case, if permissions are not specifically set, access will be denied to the user. When multiple settings are listed, the user will be granted the lowest level of access specified in the groups.
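To make the evaluation rules from the Directory permissions and Access control lists sections concrete, here is an added example (not code from the original page) that models an ACL as a list of entries and resolves a user's effective rights. It implements the precedence the text describes: an entry set explicitly on the object beats an inherited one (so an explicit allow on the user overrides a deny inherited through a group), deny beats allow at the same level, and a right that no matching entry mentions is denied. The entry layout, user names, and group names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Ace:
    """One access control entry (constructed model, not the Windows on-disk format)."""
    trustee: str      # user or group the entry applies to
    allow: bool       # True = Allow entry, False = Deny entry
    rights: Set[str]  # e.g. {"read", "write"}
    inherited: bool   # True if inherited from a parent folder, False if set explicitly here


def effective_rights(acl: List[Ace], user: str, groups: Set[str]) -> Set[str]:
    """Resolve the rights a user actually has.

    Precedence, highest first: explicit deny, explicit allow, inherited deny,
    inherited allow. The first entry that mentions a right decides it; a right
    never mentioned for the user or any of their groups stays denied."""
    principals = {user} | groups
    granted: Set[str] = set()
    denied: Set[str] = set()
    # False sorts before True, so the key orders: (explicit, deny), (explicit, allow),
    # (inherited, deny), (inherited, allow).
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee not in principals:
            continue
        for right in ace.rights:
            if right in granted or right in denied:
                continue  # already settled by a higher-precedence entry
            (granted if ace.allow else denied).add(right)
    return granted


def can_access(acl: List[Ace], user: str, groups: Set[str], right: str) -> bool:
    return right in effective_rights(acl, user, groups)


if __name__ == "__main__":
    # Constructed scenario from the text: the Staff group inherits a deny on write,
    # but alice has an explicit allow on the folder itself.
    folder_acl = [
        Ace("Staff", allow=False, rights={"write"}, inherited=True),
        Ace("alice", allow=True, rights={"read", "write"}, inherited=False),
    ]
    print("alice write:", can_access(folder_acl, "alice", {"Staff"}, "write"))  # True
    print("bob write:  ", can_access(folder_acl, "bob", {"Staff"}, "write"))    # False
    print("bob read:   ", can_access(folder_acl, "bob", {"Staff"}, "read"))     # False: nothing listed
```

When troubleshooting "access denied" on a share, walking the entries in this order (explicit before inherited, deny before allow) is usually faster than reading the effective-permissions tab, because it shows which single entry made the decision.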

Smartcard

See objective 2.1.

Email filtering

Email filtering is used by organizations to spot malicious or unapproved traffic coming in and out of the network. Email filtering can also be configured by the end-user for email clients and incoming email services in order to reduce spam and block unwanted senders.

Trusted/untrusted software sources

When you are looking for a new program for your PC or mobile device, it is imperative that you think before you click. Always take steps to ensure that you are using a trusted source. Trusted sites include but are not limited to the device manufacturer, the software vendor (not “dump” sites), and your operating system’s update site. In most cases, this will be the iOS App Store, Google Play and the Windows Store. You will recognize a trusted site first by its familiar appearance, then the graphics (must be crisp), and the correct terminology (proper grammar).

First, carefully examine the graphics on the page for clarity, as they will never look fuzzy or copied-and-pasted on a trusted website. Next, check the text for grammatical errors. Then examine the URL for accuracy, as it should be readily identifiable. Software is the vehicle for most malware, and in most cases malware can be wrapped around files that the user thinks are legitimate. Malicious programming can be hidden inside a legitimate file, making it hard to detect.

These attacks can replace the contents of a file or simply rename a malicious file with something that appears trustworthy and as a result, will be executed. The defenses are multiple. For example, email and antivirus scanners will look for specified text strings or symbols within the file in order to determine the presence of malware. If the programming and disguise are clever enough, an infected program from an untrusted source can be unknowingly installed. Be vigilant.


Principle of least privilege

With regard to access privileges on a network, less is better. This is where the Principle of Least Privilege (PoLP) comes in. The PoLP increases security by reducing the user’s privileges to only those necessary for their duties. This blocks ordinary users from installing software and from performing any other actions that are not permitted by their job description. Privileges can be elevated when necessary, with temporary elevation lasting only for the duration of the specified activity. That’s all for 2.2! We hope you found it informative. Good luck on the test.
