Security Fundamentals

A+ Core 2 — 220-1102 | Domain 2: Security

Security
Fundamentals

CIA Triad, authentication vs. authorization, Active Directory, Group Policy, password policies, and data classification. Domain 2 accounts for 25% of the Core 2 exam.

21 Slides Domain 2 Security — 25% CIA • MFA • AD • GPO • Policies Exam 220-1102

Slide 2 of 21

The CIA Triad

The three core properties every security control is designed to protect.

Confidentiality

Information is accessible only to those authorized to see it. Controls: encryption, access controls, need-to-know principle, data classification. Violated by: unauthorized access, eavesdropping, data theft.

Integrity

Data is accurate, complete, and unmodified by unauthorized parties. Controls: hashing (MD5/SHA-256), digital signatures, version control, change management. Violated by: tampering, corruption, man-in-the-middle.

Availability

Systems and data are accessible to authorized users when needed. Controls: redundancy, backups, RAID, load balancing, disaster recovery. Violated by: DoS attacks, hardware failure, ransomware.

Slide 3 of 21

Authentication vs. Authorization

Two distinct security operations that are frequently confused — and frequently tested.

Authentication (AuthN)

WHO are you? The process of verifying identity. Happens FIRST. Methods: username + password, smart card, biometrics, certificate. Result: identity is confirmed or denied. Systems: Kerberos, RADIUS, LDAP.

Authorization (AuthZ)

WHAT can you access? Determines what resources an authenticated identity is permitted to use. Happens AFTER authentication. Methods: ACLs, RBAC, permissions, Group Policy. Systems: Active Directory, IAM.

Concept	Authentication	Authorization
Question answered	Who are you?	What can you do?
Sequence	Step 1 (always first)	Step 2 (after AuthN)
Failure result	Access denied (wrong credentials)	Access denied (insufficient permissions)
Analogy	Badge swipe at the door	Which rooms you can enter

AAA Framework

Authentication + Authorization + Accounting. Accounting = logging who did what and when. RADIUS and TACACS+ implement all three components for network access control.

Slide 4 of 21

Authentication Factors

Three primary categories — MFA requires two or more from DIFFERENT categories.

Factor	Category	Examples	Weakness
Know	Knowledge	Password, PIN, security questions	Guessable, phishable, forgettable
Have	Possession	Smart card, TOTP token, phone, key fob	Can be lost, stolen, cloned
Are	Inherence / Biometrics	Fingerprint, retina, face, voice	Cannot be changed if compromised
Where	Location	GPS, IP geolocation	VPN bypass; less reliable

Critical MFA Rule

MFA requires factors from TWO DIFFERENT categories. Password + PIN is NOT MFA (both are "something you know"). Password + TOTP code = true MFA.

Slide 5 of 21

Defense in Depth

Multiple overlapping security layers so no single failure exposes critical assets.

Why Layers Matter

No single control is perfect. Defense in depth ensures an attacker who bypasses one layer faces additional barriers. Also called "layered security" or "castle approach."

Principle of Least Privilege

Users and systems should have only the minimum permissions needed to perform their function. Reduces the blast radius if an account is compromised. Closely related: need-to-know.

Separation of Duties

No single person has complete control over a critical process. Requires collusion between multiple people to commit fraud. Example: one person requests payment, another approves it.

Slide 6 of 21

Active Directory Basics

Microsoft's directory service for centralized identity and access management in Windows domains.

Domain

A logical grouping of network objects: users, computers, printers, groups. All share a common directory database stored on the Domain Controller. Name format: company.local or company.com.

Domain Controller (DC)

Windows Server that hosts Active Directory. Authenticates users via Kerberos, enforces Group Policy, stores the AD database (NTDS.dit). Best practice: two or more DCs for redundancy.

Organizational Unit (OU)

Container within a domain for organizing AD objects. OUs can nest inside each other. Group Policy Objects (GPOs) are applied at the OU level for granular control over users and computers.

Feature	Workgroup	Domain
Scale	Under 10 computers	Hundreds to thousands of computers
Management	Decentralized (each PC manages itself)	Centralized (Domain Controller)
Accounts	Local accounts only	Domain accounts (Active Directory)
Policy application	Local Security Policy per PC	Group Policy Objects (GPOs)
Requires	Nothing additional	Windows Server license + DC

Join a Domain

Settings → Accounts → Access work or school → Connect → Join this device to a local Active Directory domain. Requires domain admin credentials. Machine reboots after join.

Slide 7 of 21

Group Policy Objects (GPO)

Centralized settings that control behavior of users and computers in a domain.

GPO Processing Order (LSDOU)

Local — applied first; lowest priority

Site — based on geographic AD site

Domain — applied to entire domain

OU — applied last; highest priority, wins conflicts

What GPOs Control

Password and account lockout policies

Software installation and restriction

Drive mapping and folder redirection

Desktop and Start Menu restrictions

Windows Firewall rules and audit policies

gpupdate /force

Forces immediate re-application of all Group Policy settings on a computer. Run in elevated cmd or PowerShell. Use after making GPO changes to test without waiting for the 90-minute refresh cycle.

gpedit.msc (Local)

Local Group Policy Editor — manages policies on a single standalone or workgroup machine. Available on Windows Pro/Enterprise. Not available on Windows Home. Server uses Group Policy Management Console (GPMC).

secpol.msc

Local Security Policy — subset of gpedit.msc focused on security settings: account policies, audit policy, user rights assignment, and security options. Available on all Windows editions except Home.

Slide 8 of 21

Password & Account Lockout Policies

Password Policy Settings
Policy	Purpose	Typical
Minimum length	Floor on password length	8-14 chars
Complexity	Upper, lower, number, symbol required	Enabled
Maximum age	Force periodic changes	90 days
Minimum age	Prevent instant re-change	1 day
History	Prevent reuse of recent passwords	24 passwords

Account Lockout Policy
Setting	Purpose	Typical
Lockout threshold	Failed attempts before lockout	3-5 tries
Lockout duration	How long account stays locked	15-30 min
Reset counter	Time to reset failed attempt count	15-30 min

NIST 800-63B Current Guidance

Recommends longer passphrases over complex short passwords. No forced periodic changes unless compromise is suspected. Block commonly used passwords and compromised password lists. Length beats complexity.

Lockout Duration = 0

Setting lockout duration to 0 means the account stays locked INDEFINITELY until an administrator manually unlocks it. Effective against brute force but increases help desk load.

Slide 9 of 21

Single Sign-On & Federation

SSO (Single Sign-On)

Authenticate once to access multiple systems without re-entering credentials. Reduces password fatigue. One account to disable = revokes all access. Active Directory Kerberos is the primary enterprise SSO for Windows domains.

Kerberos

Ticket-based authentication used by Active Directory. Steps: (1) Client requests TGT from KDC. (2) KDC issues TGT. (3) Client uses TGT to request service tickets. (4) Service ticket grants access to specific resource. Port 88.

SAML / OAuth / OIDC

Web-based federation standards. SAML = XML-based, enterprise (used for SSO to SaaS). OAuth = authorization delegation ("Sign in with Google"). OIDC = OAuth extension for authentication. Common in cloud environments.

Protocol	Type	Port	Use Case
Kerberos	Authentication (ticket-based)	88	Active Directory domains
LDAP	Directory query protocol	389 / 636 (TLS)	AD queries, user lookups
RADIUS	AAA for network access	1812/1813	VPN, wireless, 802.1X
TACACS+	AAA with full encryption	49	Network device (router/switch) admin

Slide 10 of 21

Data Classification & Handling

Classification Level	Description	Examples	Controls
Public	No harm if disclosed	Marketing, press releases, public website	No restrictions
Internal	Internal use only	Org charts, internal memos, policies	Basic access controls
Confidential	Sensitive business data	Financial reports, contracts, customer lists	Encryption, NDA, ACLs
Restricted / Secret	Highest sensitivity	PII, trade secrets, classified data	Strict need-to-know, full encryption

PII (Personally Identifiable Information)

Data that can identify a specific individual: SSN, driver's license, financial accounts, medical records, biometrics, email + full name combined. Governed by GDPR, HIPAA, PCI DSS, state privacy laws. Breach requires notification.

Data Handling Requirements

Encrypt data at rest and in transit. Apply retention policies (keep only as long as needed). Proper disposal: shred paper, wipe or destroy drives. Label classified assets. Train users on classification levels.

A technician finds a USB drive in the parking lot with no label. Correct action: do NOT plug it in (baiting attack). Turn it in to security. Never connect unknown storage media to a corporate machine.

Slide 11 of 21

Physical Security Controls

Access Control Vestibule

Also called a mantrap. Small room with two doors; second door doesn't open until first closes. Prevents tailgating by allowing only one person to enter at a time. Required in high-security environments like server rooms and data centers.

Badge / Access Card Systems

Proximity cards (RFID), smart cards (with chip), or biometric systems. Provides granular access to specific areas at specific times. All access logged for auditing. Lost/stolen cards can be immediately disabled.

Video Surveillance

CCTV cameras at entries, exits, server rooms, and sensitive areas. Provides deterrence (visible cameras) and evidence. Retention policy determines how long footage is stored. Monitored in real time or reviewed after incident.

Server Room Security

Locked rack enclosures • Biometric or key card access • Raised floor, proper cooling • No windows or with window bars • Environmental monitoring (temperature, humidity, water detection) • UPS for power continuity

Cable Management

Cable locks for laptops (Kensington lock). Cable management prevents accidental disconnection. Locks on server rack rear panels prevent unauthorized access to cable connections. Document all patch panel connections.

Mobile Device Physical Security

Screen lock with PIN/biometric. Remote wipe capability. Full disk encryption. Device tracking. MDM enrollment for corporate devices. Asset tagging. Policy against leaving devices unattended in public.

Slide 12 of 21

Wireless Security Protocols

Protocol	Encryption	Key Length	Status
WEP	RC4	40/104-bit	Broken — never use
WPA	TKIP (RC4-based)	128-bit	Deprecated — avoid
WPA2-Personal	AES-CCMP	128-bit	Acceptable; KRACK vulnerability
WPA2-Enterprise	AES-CCMP + 802.1X/RADIUS	128-bit	Recommended for corporate
WPA3	AES-GCMP + SAE	192/256-bit	Current standard

Wireless Attack Types

Evil twin — rogue AP mimicking a legitimate SSID

Deauth attack — forces clients to reconnect (captures handshake)

WPS attack — PIN brute-force; disable WPS entirely

War driving — mapping open/weak networks from a vehicle

Wireless Hardening

Use WPA3 or WPA2-Enterprise where possible

Change default SSID and admin credentials

Disable WPS (PIN authentication)

Isolate guest network from corporate VLAN

Slide 13 of 21

Encryption Fundamentals

Symmetric Encryption

Same key encrypts and decrypts. Fast, efficient for bulk data. Key exchange problem: how do you securely share the key? Examples: AES (128/192/256-bit, standard today), 3DES (deprecated), Blowfish. Used for data at rest, disk encryption.

Asymmetric Encryption

Key pair: public key encrypts, private key decrypts. Slower but solves key exchange problem. Examples: RSA (2048-bit minimum), ECC (smaller keys, same strength). Used for TLS handshake, digital signatures, certificate exchange.

Algorithm	Type	Key Size	Use Case
AES-256	Symmetric	256-bit	BitLocker, TLS, file encryption
RSA	Asymmetric	2048+ bit	Certificate exchange, signatures
SHA-256	Hashing	256-bit output	File integrity, password storage
MD5	Hashing	128-bit output	Legacy; collision vulnerability
ECC	Asymmetric	256-bit = RSA 3072	TLS, mobile devices

Slide 14 of 21

PKI & Digital Certificates

PKI Structure

Public Key Infrastructure. CA (Certificate Authority) issues and signs certificates. Root CA is the trust anchor. Intermediate CA signs end-entity certs. Chain of trust must be verified top-down. Browsers ship with root CA certificates pre-installed.

X.509 Certificate Contents

Subject (owner), issuer (CA), serial number, public key, validity dates, signature algorithm, extensions (SAN, key usage). Common formats: .cer/.crt = DER/PEM certificate, .pfx/.p12 = includes private key (password protected).

Certificate Revocation

CRL (Certificate Revocation List) = downloaded list of revoked certs. OCSP (Online Certificate Status Protocol) = real-time check per certificate. OCSP Stapling improves performance by bundling response with TLS handshake.

TLS Handshake Summary

Client Hello (supported ciphers) → Server Hello + Certificate → Client validates cert chain → Key exchange (RSA or ECDHE) → Session keys established → Symmetric encryption begins. Certificate validates server identity and enables key exchange.

Slide 15 of 21

Account Types & Privilege Management

Account Type	Purpose	Risk Level	Best Practice
Standard User	Day-to-day tasks, no elevation	Low	Default for all end users
Local Administrator	Full control of single machine	High	Disable default, use named admin accounts
Domain Admin	Full control of entire domain	Critical	Use only when needed; log all use
Service Account	Runs applications/services	Medium-High	Minimum permissions; no interactive login
Guest Account	Temporary limited access	Medium	Disable by default; use dedicated guest VLAN

Privilege Escalation

Attacker gains higher permissions than originally granted. Vertical: user to admin. Horizontal: user to another user's data. UAC (User Account Control) prompts mitigate local privilege escalation by requiring explicit approval for elevated actions.

PAM (Privileged Access Management)

Solutions that control, monitor, and record all privileged account usage. Features: just-in-time access (grant only when needed), session recording, credential vaulting (no one knows the actual password). Examples: CyberArk, BeyondTrust.

Slide 16 of 21

Security Policies & Frameworks

Acceptable Use Policy (AUP)

Documents what users are permitted to do with company systems and data. Covers: internet usage, software installation, data handling, personal device policies (BYOD). All employees must sign. Foundation for disciplinary action.

Change Management Policy

Formal process for requesting, approving, testing, and documenting all system changes. Prevents unauthorized changes that could introduce vulnerabilities or break functionality. Steps: request → review → approve → test → implement → document.

Incident Response Policy

Defines how the organization identifies, responds to, and recovers from security incidents. Assigns roles and responsibilities. Establishes escalation paths and communication requirements. Reviewed and updated annually.

BYOD Policy

Bring Your Own Device policies govern personal devices accessing corporate resources. Must address: MDM enrollment, data segmentation, remote wipe rights, minimum OS version, corporate app catalog, and off-boarding procedures.

Clean Desk / Screen Lock

Clean desk policy: no sensitive documents visible when workstation unattended. Screen lock: automatic lock after 5-15 minutes of inactivity. Ctrl+L (Windows+L) immediate lock. Prevents shoulder surfing and unauthorized physical access.

Slide 17 of 21

Zero Trust Architecture

Never trust, always verify — even inside the corporate network perimeter.

Old Perimeter Model (Broken)

Trust everything inside the firewall. Once through the perimeter, full network access. Problem: insider threats, VPN-connected compromised endpoints, and cloud resources all bypass the perimeter. This model failed catastrophically in the 2010s.

Zero Trust Principles

Verify explicitly — always authenticate and authorize

Use least privilege access

Assume breach — design as if you're already compromised

Microsegment networks to limit lateral movement

Continuous monitoring and validation

Identity as the New Perimeter

In Zero Trust, the identity of the user and device replaces network location as the trust boundary. Strong MFA, device health checks (MDM compliance), and conditional access policies gate every resource request.

Microsegmentation

Divides network into isolated zones at the workload level. Even if an attacker compromises one segment, lateral movement to other segments is blocked. Implemented via software-defined networking (SDN) or next-gen firewalls.

SASE & SD-WAN

Secure Access Service Edge combines Zero Trust Network Access (ZTNA), CASB, SWG, and firewall into a cloud-delivered security stack. Enforces policy regardless of user location (office, home, or mobile).

Slide 18 of 21

Compliance & Regulations

Framework / Law	Scope	Key Requirement
HIPAA	US healthcare — protected health information	PHI encryption, access controls, breach notification
PCI DSS	Payment card data	Card data encryption, network segmentation, quarterly scans
GDPR	EU citizens' personal data (global reach)	Data minimization, right to erasure, 72-hr breach notification
SOX	US public companies — financial data integrity	Audit trails, access controls, change management
NIST CSF	Voluntary US framework	Identify, Protect, Detect, Respond, Recover
ISO 27001	International ISMS standard	Risk management, documented controls, certification audit

A+ Technician Compliance Awareness

A+ technicians implement controls that satisfy compliance requirements: encryption at rest (BitLocker), encryption in transit (TLS), access controls (NTFS permissions, GPO), and audit logging (Windows Event Log). Know which regulation governs which data type.

Slide 19 of 21

Mobile Device Security

MDM (Mobile Device Management)

Centrally manages mobile devices. Enforces: PIN/biometric lock, encryption, app whitelist/blacklist, OS version requirements. Enables remote wipe (full or selective). Push security policies without user action. Examples: Intune, Jamf, Workspace ONE.

Mobile Threats

Jailbreak / rooting — removes OS security sandbox

Sideloaded apps — apps from outside official stores

Smishing — SMS-based phishing links

Malicious profiles — installs rogue CA (iOS)

Remote Wipe Procedures

Full wipe = factory reset, destroys all data (used when device is compromised or employee departing). Selective wipe = removes only corporate data and apps, preserves personal content (used for BYOD). Requires MDM enrollment in advance.

BYOD Security Tradeoffs

BYOD reduces hardware costs but introduces unmanaged devices onto corporate networks. Mitigation: MDM containerization separates work and personal apps, VPN requirement, certificate-based authentication, and network access control (NAC) checks device health before granting access.

Slide 20 of 21

Knowledge Check

Three exam-style questions covering core security fundamentals.

Q1: CIA Triad Component

A DoS attack that takes down a web server violates which CIA Triad component?

A) Confidentiality • B) Integrity • C) Availability • D) Authorization

Answer: C) Availability — DoS attacks prevent legitimate users from accessing systems, directly attacking availability.

Q2: GPO Processing Order

Which GPO has the HIGHEST priority and wins conflicts with other GPOs?

A) Local GPO • B) Site GPO • C) Domain GPO • D) OU GPO

Answer: D) OU GPO — LSDOU order: OU is applied last and overrides all preceding policies.

Q3: MFA Validity

A user logs in with a password and a PIN. Is this MFA?

A) Yes, two factors used • B) No, both are the same factor type • C) Yes, if on different devices • D) Only if PIN is numeric

Answer: B) No — Password and PIN are both "something you know." True MFA requires factors from DIFFERENT categories.

Slide 21 of 21

Chapter Summary

01

CIA Triad: Confidentiality (only authorized access), Integrity (data unaltered), Availability (always accessible when needed).

02

Authentication = WHO are you (identity verification). Authorization = WHAT can you access (permissions). Authentication always comes first.

03

MFA requires factors from TWO DIFFERENT categories. Password + PIN is single-factor (both are "know"). Password + TOTP = true MFA.

04

GPO Processing Order (LSDOU): Local → Site → Domain → OU. OU has highest priority and wins all conflicts.

05

Defense in depth: Physical → Network → Host → Application → Data. No single layer is sufficient.

06

Least privilege: Grant only minimum permissions required. Reduces blast radius when accounts are compromised.

07

WPA3 is the current wireless standard. WEP is completely broken. WPA2-Enterprise with 802.1X/RADIUS is the corporate minimum.

08

Password policies: NIST recommends long passphrases over forced complexity. Lockout threshold = 3-5 attempts; duration 0 = admin unlock required.

09

Data classification: Public → Internal → Confidential → Restricted. PII requires encryption and breach notification compliance.

10

Zero Trust: Never trust, always verify. Identity is the new perimeter. Microsegment to limit lateral movement. Assume breach.

Security Fundamentals | A+ Core 2