Physical Security | A+ Core 2

A+ Core 2 — 220-1102  |  Domain 2.5
Physical Security
Locks, badges, biometrics, surveillance, and environmental controls. Physical access is the first line of defense — if an attacker can touch the hardware, all logical security can be bypassed.
19 slides. Topics: Access Controls • Surveillance • Environment.
Slide 2 of 19
Defense in Depth
Layered security so that failure of one barrier does not expose the asset.
[Diagram: concentric layers, outermost to innermost]
  Perimeter: fencing, gates, bollards, guards
  Building: locks, cameras, alarms, vestibules
  Server room: biometrics, badge + PIN, escort policy
  Rack: locking cabinet, cable locks, blanking panels
  Device / data
Principle
No single control is sufficient. Each layer adds time and detection probability. An attacker who defeats the perimeter still faces the building, then the server room, then the rack, then encryption on the device itself.
Slide 3 of 19
Access Vestibule
Formerly called a mantrap — CompTIA updated the terminology for 220-1102.
[Diagram: public area → outer door → vestibule → inner door → secure area; both doors cannot be open simultaneously]
How It Works
Person enters first door, which locks behind them. Authentication (badge, biometric, guard approval) is required before the second door opens. If authentication fails, the person is contained between both locked doors.
Anti-Tailgating
Only one person can pass through at a time. Weight sensors or camera AI detect if more than one person has entered the vestibule. The outer door will not open if multiple occupants are detected.
Emergency Override
Fire alarm systems trigger fail-safe release, unlocking both doors for evacuation. Fail-safe vs. fail-secure is the key distinction: vestibule doors are fail-safe for life safety.
Exam Tip
CompTIA uses "access vestibule" on the 220-1102 exam. "Mantrap" may still appear as a distractor or legacy term. Know both. The defining characteristic is two interlocking doors where only one can be open at a time.
A visitor badge-swipes into a government building lobby. The outer door locks before the inner door can open. A guard on camera reviews the visitor's ID. Only then does the inner door release. That is a textbook access vestibule implementation.
Slide 4 of 19
Badge & Card Readers
Four technology types with different security profiles and attack surfaces.
Type | Technology | Security Level | Range
Magnetic Stripe | Data on magnetic strip | Low — easily cloned | Contact required
Proximity Card | Passive RFID, 125 kHz | Medium — cloneable with a reader | 1–6 inches
Smart Card | Embedded microprocessor, PKI | High — cryptographic challenge | Contact or contactless
NFC | Near Field Communication, 13.56 MHz | Medium-High | ~4 inches
Best Practices
Multi-factor: badge + PIN for restricted areas. Expire and require renewal. Revoke immediately on termination or loss. Audit all badge swipes with timestamps. Issue visually distinct visitor badges requiring escort.
Tailgating vs Piggybacking
Tailgating: an unauthorized person follows an authorized one through a door without their knowledge. Piggybacking: the authorized person knowingly allows the unauthorized person through. Both are policy violations.
Slide 5 of 19
Biometric Security
Something you are — inherence factor. FAR, FRR, and CER are the key metrics.
Type | Method | Accuracy | Considerations
Fingerprint | Ridge pattern scan | High | Most common; moisture/dirt affects reads
Retina | Blood vessel pattern at the back of the eye | Very High | Most accurate; intrusive; health conditions can affect reads
Iris | Colored ring around the pupil | Very High | Contactless; works through glasses; expensive
Facial Recognition | Facial geometry mapping | High | Lighting/angle dependent; privacy concerns
Voice | Vocal frequency analysis | Medium | Recordable/spoofable; affected by illness
FAR
False Acceptance Rate. Incorrectly grants access to an unauthorized person. A security risk. Lower is better for security-critical applications.
FRR
False Rejection Rate. Incorrectly denies access to an authorized person. A usability issue. Lower is better for high-traffic access points.
CER
Crossover Error Rate. The point where FAR equals FRR. Lower CER means a better, more balanced biometric system overall.
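As an added worked example (not part of the slide deck), the three metrics computed on constructed match scores: FAR and FRR at a given threshold, a sweep of the decision threshold to find the CER, and a security-first tuning that picks the threshold for a given maximum FAR and reports the FRR it costs. The 0-100 score scale and all score values are assumptions.

```python
"""FAR, FRR and CER for a biometric matcher, worked on constructed scores.

Added example, not from the slide deck. Scores are constructed on a 0-100
scale: higher means the probe looks more like the enrolled template. A
threshold t accepts a probe when its score is >= t.
"""

# Constructed match scores. In practice these come from running the
# matcher over a labelled test set of genuine and impostor attempts.
GENUINE = [92, 88, 85, 81, 79, 74, 70, 66, 55, 48]    # same person as template
IMPOSTOR = [62, 58, 53, 49, 45, 42, 38, 35, 30, 25]   # different person


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts wrongly accepted."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine attempts wrongly rejected."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def candidate_thresholds(genuine_scores, impostor_scores):
    # Error rates only change at observed scores, so these are the only
    # thresholds worth sweeping.
    return sorted(set(genuine_scores) | set(impostor_scores))


def crossover(genuine_scores, impostor_scores):
    """Return (threshold, CER): the threshold where FAR and FRR meet.

    With discrete scores the curves rarely cross exactly, so the sweep keeps
    the threshold with the smallest |FAR - FRR| and reports their mean.
    """
    best = None
    for t in candidate_thresholds(genuine_scores, impostor_scores):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """Security-first tuning: lowest threshold whose FAR is within max_far.

    Returns (threshold, FRR at that threshold) so the usability cost is visible.
    """
    for t in candidate_thresholds(genuine_scores, impostor_scores):
        if far(impostor_scores, t) <= max_far:
            return t, frr(genuine_scores, t)
    return None, None
```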
Slide 6 of 19
Door Locks
Fail-safe vs fail-secure is a top exam topic in this domain.
Lock Type | Mechanism | Best For
Deadbolt | Solid bolt into door frame | External doors; strong physical barrier
Cipher / Keypad | PIN code entry | Shared areas; no key management overhead
Smart Card Lock | Embedded chip, PKI | Corporate buildings; audit trail support
Biometric Lock | Fingerprint or facial scan | High-security; no lost keys or cards
Magnetic Lock (Maglock) | Electromagnetic force holds door | High-traffic doors; clean rooms
Fail-Safe
Door UNLOCKS when power fails. Life-safety priority. Use for fire exits and evacuation routes. Maglocks are typically fail-safe — they lose holding force on power loss, allowing escape.
Fail-Secure
Door LOCKS when power fails. Security priority. Use for server rooms, vaults, and data center cages. Assets remain protected during a power outage or UPS failure.
Slide 7 of 19
Video Surveillance
Camera placement, types, and DVR vs NVR storage systems.
[Diagram: CAM 1, CAM 2 and CAM 3 with overlapping fields of view; overlapping coverage eliminates blind spots]
Camera Type | Features | Best For
IP Camera | Network-connected, high-res, PoE, remote viewing | Modern installs; remote monitoring
Analog / CCTV | Coax cabling, lower resolution, DVR recording | Legacy systems; simple setups
PTZ | Pan-Tilt-Zoom, remote directional control | Large areas; parking lots; perimeters
Dome | Ceiling-mounted; direction ambiguous to viewers | Indoor; retail; offices
Infrared / Night Vision | IR LEDs for low-light visibility | Outdoor; after-hours; low-light areas
DVR vs NVR
DVR (Digital Video Recorder): works with analog cameras; recording takes place on the DVR itself. NVR (Network Video Recorder): works with IP cameras; recording can be distributed across the network. NVR supports higher resolution and remote access natively.
Placement Best Practice
Cover all entry/exit points. Use overlapping fields of view to eliminate blind spots. Retain recordings per policy (typically 30–90 days). Post surveillance signage as a legal requirement and deterrent.
Slide 8 of 19
Motion Detection & Alarms
Sensor types and the components that make up a complete alarm system.
Sensor Type | Detection Method | Best For
PIR (Passive Infrared) | Body heat and movement | Indoor rooms; hallways
Microwave | Microwave pulse reflection changes | Larger areas; penetrates thin walls
Ultrasonic | Sound wave reflection patterns | Enclosed rooms
Dual-Technology | PIR + microwave combined | High-security; reduced false alarms
Sensors
Door/window contacts, glass break detectors, motion sensors. Each zone is independently monitored and can trigger individual responses.
Control Panel
Central hub processes all sensor signals. Keypad arms/disarms with PIN. Connected to monitoring service for 24/7 dispatch capability.
Tamper Protection
Good systems detect attempts to disable sensors, cut wires, or jam wireless signals and immediately trigger a tamper alert regardless of armed state.
Slide 9 of 19
Equipment & Port Security
Cable locks, port blockers, and asset tracking at the device level.
Kensington Lock (K-Slot)
Industry-standard security slot on laptops, monitors, and projectors. Steel cable locks device to a fixed object. Available in key and combination versions. Deters casual theft; not resistant to determined attackers with cable cutters.
USB / RJ-45 Port Locks
Physical plugs that block unused USB and Ethernet ports. Require a special removal tool. Prevents unauthorized device connections and rogue network drops. Critical in high-compliance environments (PCI-DSS, HIPAA).
Asset Tags & GPS Tracking
Barcoded or RFID asset tags enable inventory tracking and ownership identification. GPS trackers provide real-time location for high-value mobile assets. Tamper-evident tape shows if equipment has been opened.
Privacy Screens
Polarized screen filters limit the viewing angle to approximately 60 degrees, preventing shoulder surfing in open offices, airports, and coffee shops. Required in regulated environments where PII is displayed.
Slide 10 of 19
Server Room Security
Physical access controls, rack security, and visitor policy in the data center.
[Diagram: server rack with blanking panel, cable lock, biometric reader, and temperature/humidity/water sensors]
Physical Access Controls
Multi-factor authentication: badge + biometric or badge + PIN. All visitors must be escorted and logged. Electronic access log records every entry and exit with timestamps. No windows — interior rooms without exterior walls are ideal. Continuous camera recording of all activity.
Server Rack Security
Locking cabinets: each rack has its own key or combination lock. Blanking panels cover unused rack spaces for proper airflow and to prevent unauthorized device insertion. KVM switches reduce keyboard/monitor access points. Organized cable management makes tampering auditable.
Data Destruction
When decommissioning server hardware, data sanitization is required. Options: physical destruction (shredding, degaussing), certified software wiping (DoD 5220.22-M), or cryptographic erasure for SSDs. Failure to sanitize is a data breach waiting to happen.
A technician in a hospital data center needs to replace a failed drive. Policy requires the tech to sign in with badge + PIN, be escorted to the specific rack, log the asset tag of the removed drive, and hand it to the security officer. The chain of custody prevents data exposure even on failed media.
Slide 11 of 19
Environmental Controls: HVAC
Temperature, humidity, and hot/cold aisle management in the data center.
[Diagram: CRAC unit feeding a cold aisle (server intake) between two racks; hot aisles on the exhaust sides]
Temperature Range
Recommended: 64–75°F (18–24°C). Overheating causes hardware failure and thermal throttling. Monitor individual rack temperatures, not just room average. Hot spots near exhaust sides of dense servers are common.
Humidity Control
Ideal: 40–60% relative humidity. Too low (dry): electrostatic discharge (ESD) risk — static can destroy components. Too high (humid): condensation and corrosion on circuit boards and connectors.
Hot / Cold Aisle
Racks alternate direction: cold aisle faces server intakes (receives cooled air from CRAC units), hot aisle faces server exhausts (routes hot air to ceiling return). Containment barriers prevent hot/cold mixing.
Metric | Warning Threshold | Critical Threshold
Temperature | Above 80°F / 27°C | Above 90°F / 32°C
Humidity | Below 30% or above 70% | Below 20% or above 80%
Water / Leak | Any detection | Rising level detected
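An added example (not from the slide deck) that applies the warning and critical thresholds above to constructed per-rack readings. It demonstrates the point made under Temperature Range: the room average can read OK while one dense rack is already critical. Rack names, readings and the leak-sensor tuple are assumptions.

```python
"""Classify data-center environmental readings against the slide's thresholds.

Added example, not from the slide deck. Rack names and readings are
constructed. It demonstrates the slide's advice to monitor individual
racks: the room average can read OK while one rack is already critical.
"""

# Thresholds from the slide: temperature in °F, humidity in % RH
TEMP_WARN, TEMP_CRIT = 80, 90
HUM_WARN_LO, HUM_WARN_HI = 30, 70
HUM_CRIT_LO, HUM_CRIT_HI = 20, 80
SEVERITY = {"OK": 0, "WARNING": 1, "CRITICAL": 2}


def temp_state(temp_f):
    if temp_f > TEMP_CRIT:
        return "CRITICAL"
    return "WARNING" if temp_f > TEMP_WARN else "OK"


def humidity_state(rh):
    if rh < HUM_CRIT_LO or rh > HUM_CRIT_HI:
        return "CRITICAL"
    if rh < HUM_WARN_LO or rh > HUM_WARN_HI:
        return "WARNING"
    return "OK"


def leak_state(detected, rising):
    """Any water detection is a warning; a rising level is critical."""
    if detected and rising:
        return "CRITICAL"
    return "WARNING" if detected else "OK"


def worst(states):
    """Most severe of several states; the alarm follows the worst sensor."""
    return max(states, key=SEVERITY.__getitem__)


# Constructed readings: rack -> (temp_f, rh). R4 is a dense rack with an
# exhaust-side hot spot of the kind the slide warns about.
RACKS = {"R1": (72, 45), "R2": (70, 44), "R3": (74, 46), "R4": (93, 38)}
LEAK = (False, False)        # (water detected, level rising)


def assess(racks=RACKS, leak=LEAK):
    """Per-rack and room-level states, plus the overall alarm level."""
    per_rack = {name: worst([temp_state(t), humidity_state(h)])
                for name, (t, h) in racks.items()}
    avg_temp = sum(t for t, _ in racks.values()) / len(racks)
    leak_lvl = leak_state(*leak)
    return {
        "room_average_temp_f": avg_temp,
        "room_average_state": temp_state(avg_temp),   # reads OK for RACKS
        "per_rack": per_rack,
        "leak": leak_lvl,
        "overall": worst(list(per_rack.values()) + [leak_lvl]),
    }
```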
Slide 12 of 19
Fire Suppression
Water-based systems destroy equipment. Clean agent systems protect it.
Wet Pipe Sprinkler
Pipes filled with water under pressure. Fastest response. High water damage risk to equipment. Generally not used in data centers but found in office spaces and building infrastructure.
Dry Pipe Sprinkler
Pipes filled with pressurized air; water held back by valve. Slightly slower response than wet pipe. Reduces accidental discharge from mechanical failure. Used in freezing environments and some data center perimeters.
Clean Agent (FM-200 / Novec 1230)
Gaseous suppression that does not damage equipment. Displaces oxygen or interrupts the combustion chain chemically. Safe for occupied spaces at design concentrations. Required in server rooms and data centers.
Pre-Action Systems
Two-event activation: smoke detector must trip first, then individual sprinkler heads respond. Prevents accidental water release from a single mechanical failure. Common in data centers where water damage is catastrophic.
Slide 13 of 19
Lighting, Fencing & Perimeter
Deterrence and detection start at the property boundary.
[Diagram: overhead view of perimeter layers, outermost to innermost: perimeter fence, guard, bollards, building]
Security Lighting
Continuous lighting at all entry/exit points. Motion-activated floodlights for perimeter areas. Lighting eliminates concealment opportunities for would-be intruders. Ensure coverage overlaps to eliminate dark zones.
Fencing Standards
3–4 ft: deters casual trespassers (psychological deterrent). 6–7 ft: difficult to climb, serious barrier. 8 ft + barbed wire: used for high-security facilities, prisons, military. Fencing defines the boundary and channels traffic to monitored entry points.
Bollards
Short, sturdy posts preventing vehicle access. Fixed bollards permanently protect building entrances. Retractable bollards can be lowered for authorized vehicle access. Protect against vehicle-borne attacks and accidental impact from errant vehicles.
A company installs retractable bollards at the data center entrance after a security assessment identifies vehicle-borne intrusion as a risk. Fixed posts flank the retractable ones. The retractable bollards are controlled from the security desk — authorized delivery trucks can be let through; unannounced vehicles are blocked.
Slide 14 of 19
Security Personnel & Signage
Human controls and written notices that form the outermost deterrent layer.
Security Guards
Provide human judgment that automation cannot replicate. Verify identities, handle exceptions, respond to alarms, escort visitors, perform patrols. Guards are expensive but essential for high-security environments. Their presence is itself a deterrent.
Reception / Lobby Control
All visitors sign in with name, purpose, and time. Photo ID required. Visitor badge issued — visually distinct from employee badges. Visitor is escorted at all times beyond the lobby. Sign-out on departure; badge surrendered.
Surveillance Signage
"Area Under Video Surveillance" signs are both a legal requirement in many jurisdictions and a deterrent. Visible signage reduces the likelihood of opportunistic theft.
No-Photography Policies
Posted notices prohibiting photography of racks, equipment, cabling, or floor plans. Prevents social engineering reconnaissance and intellectual property leakage through photography.
Restricted Area Markings
Clear demarcation of areas requiring additional authorization. "Authorized Personnel Only" signage establishes the legal and policy framework for access violations and potential prosecution.
Slide 15 of 19
Protected Distribution & Cabling
Physical protection of network cabling prevents wiretapping and signal interception.
Protected Distribution System (PDS)
Conduit or duct protecting network cables in areas where physical access cannot be fully controlled. Required for classified networks in government and military environments. Conduit is sealed and inspected periodically.
Cable Management
Organized, labeled cabling makes unauthorized additions immediately visible. Patch panel documentation must match physical connections. Any unlabeled cable is a red flag during physical security audits.
Hardened Conduit
Steel conduit protects fiber and copper runs in public or semi-public areas. Prevents physical tapping via signal induction on copper or bending-attack eavesdropping on fiber. Required between buildings in campus environments.
Exam Tip
The A+ exam expects you to know that physical cabling is an attack surface. Fiber is harder to tap without detection than copper (signal loss is detectable), but proper conduit protects both. Unlocked server closets with exposed patch panels are a common finding in security assessments.
Slide 16 of 19
Locking Mechanisms & Key Control
Physical key management is as important as the locks themselves.
Key Control Program
All physical keys are issued under a signed receipt. Master keys are inventoried and stored in a key safe with access log. Lost keys trigger a lock re-core. Key duplication requires authorization and is logged.
Electronic Key Cabinets
Store physical keys in a secured cabinet that requires credential to access. Each key removed is logged with user ID and timestamp. Alerts generated for keys not returned by specified time. Common in hospitals, hotels, and data centers.
High-Security Cylinders
Medeco, Abloy, and Mul-T-Lock cylinders resist picking, drilling, and bumping. Restricted keyways prevent duplication without an authorization code. Used for server room doors and data center cabinets.
An employee is terminated. The IT team disables their badge, revokes their Active Directory account, and changes the shared server room combination. The physical security officer checks the key cabinet log — the employee had checked out a master key three days earlier and not returned it. A lock re-core is immediately ordered. This is why key logs matter.
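An added example (not part of the slide deck) of the two audits these slides call for: the electronic key-cabinet alert for keys not returned by the specified time (Slide 16) and the badge-swipe audit that catches activity by a revoked badge (Slide 4's "revoke immediately on termination"). The log format, field names, user IDs, key names and the 12-hour loan policy are all constructed.

```python
"""Audit a constructed electronic key-cabinet / badge log.

Added example, not from the slide deck. Log format, field names, user IDs
and the loan policy are constructed. It flags keys not returned within the
allowed loan period, and any badge or key activity by a user after their
access was revoked (revocation that did not propagate everywhere).
"""
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, user, action, item (key name or door)
LOG = """\
2024-03-04T08:10:00,u1042,KEY_OUT,MASTER-01
2024-03-04T08:12:00,u1042,BADGE_ENTRY,SERVER-ROOM
2024-03-04T17:30:00,u2311,KEY_OUT,RACK-07
2024-03-04T18:05:00,u2311,KEY_IN,RACK-07
2024-03-07T09:00:00,u1042,BADGE_ENTRY,LOBBY
"""

# Constructed: user -> moment their badge and key privileges were revoked
REVOKED = {"u1042": datetime(2024, 3, 7, 8, 30)}

MAX_LOAN = timedelta(hours=12)           # constructed policy: return same shift
AUDIT_TIME = datetime(2024, 3, 7, 9, 30)  # when the audit is run


def parse(log_text):
    """Turn the CSV log into (timestamp, user, action, item) tuples."""
    rows = []
    for line in log_text.splitlines():
        ts, user, action, item = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, action, item))
    return rows


def overdue_keys(rows, now=AUDIT_TIME, max_loan=MAX_LOAN):
    """Keys checked out and still not returned after max_loan, as of `now`."""
    open_loans = {}                       # key -> (user, checkout time)
    for ts, user, action, item in rows:
        if action == "KEY_OUT":
            open_loans[item] = (user, ts)
        elif action == "KEY_IN":
            open_loans.pop(item, None)    # returned: loan closed
    return sorted((key, user, ts) for key, (user, ts) in open_loans.items()
                  if now - ts > max_loan)


def post_revocation_activity(rows, revoked=REVOKED):
    """Log entries made by a user at or after their revocation time."""
    return [(ts, user, action, item) for ts, user, action, item in rows
            if user in revoked and ts >= revoked[user]]


def audit(log_text=LOG):
    rows = parse(log_text)
    return {"overdue_keys": overdue_keys(rows),
            "post_revocation": post_revocation_activity(rows)}
```

With the constructed log, MASTER-01 is reported as overdue (checked out three days before the audit and never checked in) while RACK-07 is not, and the LOBBY badge entry after u1042's revocation is flagged as a badge that should already have been disabled.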
Slide 17 of 19
Social Engineering & Physical Attacks
The human layer is the most exploited attack vector against physical security.
Tailgating
Unauthorized person follows an authorized person through a controlled door without the authorized person's awareness. Countermeasure: access vestibule, security awareness training, turnstiles.
Piggybacking
Authorized person knowingly lets an unauthorized person through. Often driven by social pressure ("I forgot my badge, can you let me in?"). Policy must require every individual to badge through independently — no exceptions.
Impersonation
Attacker poses as a vendor, contractor, IT support, or delivery personnel to gain physical access. Countermeasure: verify all vendors against an approved list; never grant access to someone you cannot independently verify.
Shoulder Surfing
Observing someone enter credentials, PINs, or view sensitive data. Countermeasures: privacy screens, position-aware workstation policies, screen lock on inactivity.
Dumpster Diving
Retrieving useful information from discarded materials. Policy: cross-cut shred all paper documents, degauss or physically destroy storage media before disposal.
Slide 18 of 19
Mobile Device Physical Security
Laptops, phones, and tablets leave the building — layered controls travel with them.
Full Disk Encryption
BitLocker (Windows), FileVault (macOS), or device-level encryption on mobile. If a laptop is stolen, encrypted data is unreadable without the key. The last line of defense when physical security fails.
Remote Wipe
MDM (Mobile Device Management) capability to remotely erase all data on a lost or stolen device. Enrollment in MDM is mandatory for corporate-owned devices. BYOD policies must address remote wipe authorization and scope.
Secure Boot + TPM
TPM 2.0 stores BitLocker keys and validates boot integrity. Secure Boot prevents an unauthorized OS from loading. Together they ensure a stolen device cannot boot into an alternative OS to bypass encryption.
Exam Connection
The A+ exam links physical security to logical controls. Full disk encryption is the answer when someone asks "what prevents data exposure if a laptop is stolen?" Cable locks prevent theft. Encryption prevents data exposure after theft. These are complementary, not alternatives.
Slide 19 of 19
Domain 2.5 Key Facts
Physical Security — what the exam tests, condensed.
1. Defense in depth: concentric layers. Perimeter, building, server room, rack, device. No single layer is sufficient.
2. Access vestibule (formerly mantrap): two interlocking doors, one must close before the other opens. Prevents tailgating.
3. Fail-safe = unlocks on power loss (life safety). Fail-secure = locks on power loss (security first). Know which door gets which.
4. FAR / FRR / CER: FAR = false acceptance (security risk), FRR = false rejection (usability), CER = crossover point (quality metric).
5. Clean agent (FM-200, Novec 1230) is required for server rooms — water suppression destroys equipment. Pre-action systems prevent accidental activation.
6. Temperature: 64–75°F. Humidity: 40–60%. ESD from low humidity. Condensation from high humidity.
7. Hot/cold aisle: cold aisle faces intake, hot aisle faces exhaust. Containment prevents air mixing and improves cooling efficiency.
8. Full disk encryption is the final control when physical security fails. BitLocker + TPM + Secure Boot together prevent data extraction from a stolen device.