A plus 1002 Sub-objective 2.2 – Dumps4shared

A plus 1002 Sub-objective 2.2

A plus 1002 Sub-objective 2.2 – Explain logical security concepts.

Welcome to ExamNotes by Dumps4shared. In this edition, we will examine the Logical security concepts addressed in A plus 220-1002 sub-objective 2.2.

Go back to A+ 220-1002 Domain 2.0 table of content

Active Directory

Active Directory (AD) describes a collection of services and related databases in Windows Server that can be used to control access to permitted Domains and activities.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

AD is used
to manage a Windows Domain using five services:

Active Directory Domain Services (AD DS)
authenticates user accounts and provides authorization for user activity in the

Active Directory Certificate Services (AD CS)
securely manages the identities of computers, users, and services.

Active Directory Federation Services (AD FS)
is used with outside organizations to secure trust relationships.

Active Directory Rights Management Services
provides data security.

Active Directory Lightweight Directory
Services (AD LDS)
provides application security.

services work together in order to organize the AD hierarchal structure from
the top down. Active Directory creates a
consisting of all the resources of a particular entity, such as a
company or school, organized at the highest level.


The forest
resources are organized into a domain such as mycompany.com or myschool.edu.
The domain can contain one or more sites.
A single site is usually sufficient, however sites can be created for each
office location or campus.

Organizational Units

organizational unit (OU) simplifies user and computer management, allowing
technicians and administrators to make privilege assignments to the users and
computers in the OU using Group Policy Objects (GPOs). An OU can contain user
groups, allowing many users to have a specific set of privileges. A user can
belong to as many user groups as needed.

Group Policy/Updates

resources are controlled by the group policies that are applied to the OU. Privileges
are assigned to users and computers. NTFS and share permissions can also be
applied using group policies. When a GPO is modified, the update is
automatically applied to all clients.

Login script/Logon script

Whenever a user logs on, a list of commands is executed. The commands are contained in logon script files. Logon scripts can be simple batch files or VBScript files. AD stores Logon scripts in the Netlogon network share.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Home Folder

By default,
a user saves their files locally to their home folder C:\\Users\\username\\Documents folder. Active Directory
can change the location of the home folder to a network share, allowing the
user to access the folder from any workstation they’re logged on to. This
process is called folder redirection.

Folder Redirection

Directory can change the Home folder location to a share on the network, referred
to as folder redirection. This
simplifies backup maintenance and provides user access from different

Software Tokens

Software tokens are a software generated security component used
for authentication. Devices are synchronized with the server and the required
information between the server and device is identical. Software tokens can
serve as one factor during a multifactor authentication process.   

MDM policies BYOD vs. corporate

Falling under the umbrella of Mobile device management (MDM), the
term BYOD (Bring your Own Device) describes a corporate policy that allows an
employee to use their own device in the corporate environment. MDM includes
evaluation of the device by the company’s IT department in order to ensure the
device meets corporate security requirements regarding software, patches,
antimalware, firewall, VPN, login requirements, and encryption. Any software
installations required for the device to meet MDM/BYOD policy are referred to
as on-boarding. Corporate owned devices are configured to meet these same

Port security

security is used on switches in order to control which connected devices can
communicate with each other. 

MAC address filtering

MAC address filtering
takes port security to the next level by using the device’s MAC address in
order to permit (whitelist) or deny (blacklist) connections.


Digital certificates
are used to authenticate users and web servers. Digital certificates are issued
by a trusted third party, referred to as a Certification Authority (CA). The
most common example of a CA occurs when a secure website is accessed and a
padlock icon displays in the address bar, indicating that the site is secure. The
certificate details can be viewed to validate the Certification Authority and the
encryption. Users can create their own certificates in order to provide email
recipients with their credentials.


Antivirus/Antimalware is a crucial component of computer
protection. Often, both products will be rolled into one. In order to maintain the
programs’ effectiveness, the antimalware and antivirus signatures must be
updated frequently. Protection programs examine all traffic and compare the
behavior and contents of files against those of known threats. If a match or
suspicious file is discovered, the program will issue a warning and the file will
be quarantined until a determination is made. Remember not to judge a file by
its name alone. Trojans use the names of legitimate files. Leave the
quarantined file alone and look for a replacement on a trustworthy site.


Fundamentally, there are two types of firewalls: hardware and software. In order to protect business and small networks against attack, hardware firewalls are often placed between the Internet and the network being protected, filtering the traffic that is allowed to pass onto the network. A software firewall is important too, not as a standalone solution but as an additional filter for the traffic coming in and out of the machine. A hardware firewall only inspects inbound traffic while a software firewall can inspect both inbound and outbound traffic. Hardware and software firewalls complement each other and even in the case of a SOHO, a hardware firewall will be incorporated into a broadband router. Software firewalls are often a part of the OS, for example, Windows Firewall on Microsoft OSes. These software firewalls are designed to interoperate with antivirus or antimalware packages. The software firewall is more easily configurable by the end-user should they find their normal activity blocked.

User authentication/strong

In a business environment, user authentication is required in
order to access computer systems. A strong password is recommended. The
password should be long, 16 or more characters, and use upper and lower case
characters, numbers, and symbols. In the screenshot below, a strong password “K5wp#bLjp6B2G7-y”
is provided by a random password generator. The generator also offers an easy
way to remember this cryptic password with the phrase “KOREAN 5 walmart park #
bestbuy LAPTOP jack park 6 BESTBUY 2 GOLF 7 – yelp.” Good luck with that!

Strong password generator

Multifactor Authentication

A strong password combined with a second form of authentication, such as biometrics, badge, or token, is referred to as Multifactor authentication. A very common multifactor method consists of a numeric keypad with an embedded fingerprint scanner. Other Multifactor authentication methods are as simple as a security badge combined with a passcode. An imposter may be able to obtain one factor, however, it is unlikely that the impostor will obtain both.

Directory permissions

Directory permissions relate to the permissions allowed to a
particular login or user. Unless specifically allowed, the hierarchy will explicitly
deny permissions. Usually a user is a member of a group and will be given
shared group permissions. If a user inherits a deny permission from the group
but is explicitly allowed permission, the user will be allowed access.


A Virtual Private Network (VPN) offers a way to communicate
securely over an insecure network (e.g. the Internet). The VPN is hosted by the
business and creates a secure encrypted tunnel between remote users and the
private network.


Data Loss Prevention (DLP) is less about physically losing data and more about user activities that can compromise data security. Operations such as sending email or moving files are scrutinized by DLP programs and even devices. Sensitive data is pre-classified to allow for categorization. Sometimes referred to as Data in Motion, DLP checks these activities for sensitive material.

Disabling ports

When malicious activity is detected, the firewall has the
ability to disable ports and protocols in order to stop the spread of malware.

Access control lists

Access Control Lists (ACLs) hold and manage a database of users
and groups that are granted access to files and folders. Group membership helps
manage this process. Keep in mind that a particular user may belong to one or
more groups. In this case if permissions are not specifically set, access will
be denied to the user. When multiple settings are listed, the user will be
granted the lowest level of access specified in the groups.


See objective 2.1.

Email filtering

Email filtering is used by organizations to spot malicious or unapproved traffic coming in and out of the network. Email filtering can also be configured by the end-user for email clients and incoming email services in order to reduce spam and block unwanted senders.

Trusted/untrusted software

When you are looking for a new program for your PC or mobile
device, it is imperative that you think before you click. Always take steps to
ensure that you are using a trusted source. Trusted sites include but are not
limited to the device manufacturer, the software vendor (not “dump” sites), and
your operating system’s update site. In most cases, this will be the iOS App
Store, Google Play and the Windows Store. You will recognize a trusted site
first by its familiar appearance, then the graphics (must be crisp), and the
correct terminology (proper grammar).

First, carefully examine the graphics on the page for clarity as
they well never look fuzzy or copied-pasted on a trusted website. Next, check
the text for grammatical errors. Then examine the URL for accuracy as it should
be readily identifiable. Software is the vehicle for most malware and in most cases,
Malware can be surrounded around files that the user thinks is legitimate.
Malicious programming can be hidden inside a legitimate file making it hard to

These attacks can replace the contents of a file or simply rename a malicious file with something that appears trustworthy and as a result, will be executed. The defenses are multiple. For example, email and antivirus scanners will look for specified text strings or symbols within the file in order to determine the presence of malware. If the programming and disguise are clever enough, an infected program from an untrusted source can be unknowingly installed. Be vigilant.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Principle of least privilege

With regards to access privileges on a network, less is better.
This is where the Principle of Least Privilege (PoLP) comes in. The PoLP
increases security by reducing the user’s privileges to only those necessary
for their duties. This blocks ordinary users from installing software and from performing
any other actions that are not permitted due to their job description. Privileges
can be elevated when necessary, with temporary elevation lasting only for the
duration of the specified activity.
That’s all for 2.2!
We hope you found it informative. Good luck on the test.

Pass Your IT Certification Exams With Free Real Exam Dumps and Questions

Full Version 220-1002 Dumps