Access Control Systems
Badge readers / key card access: proximity cards (RFID) or smart cards grant entry to secured areas; readers log entry and exit times for audit trails.
PIN pads: numeric keypad access — susceptible to shoulder surfing and to wear patterns on frequently-pressed keys.
Biometric access: fingerprint readers, palm scanners, iris scanners, retinal scanners — uniqueness prevents sharing credentials.
Multifactor door access: badge + PIN = two factors (something you have + something you know).
Mantrap (airlock): two interlocking doors where the first must close before the second opens. Prevents tailgating.
Guards: human presence for deterrence and decision-making.
Video surveillance (CCTV): monitors and records activity — deterrent and forensic value. Badge readers log who entered a room; surveillance shows what they did.
Visitor management: sign-in logs, visitor badges, escort requirements.
Cable Locks and Equipment Security
Kensington lock (cable lock): steel cable attached to a laptop or desktop via a security slot (Kensington Security Slot — K-slot). Prevents opportunistic theft of laptops in public or semi-secure areas. Not a complete security solution — cables can be cut with tools.
Desktop locks: security panels that bolt over computer ports or lock the case.
Equipment cages: lockable metal cages for servers, network equipment, or workstations in shared spaces.
Locked server rooms: secure rooms with access control for servers and network infrastructure.
Equipment inventory tags: asset tags (barcodes, QR codes, RFID) on all hardware for inventory and theft tracking.
GPS tracking: laptops and mobile devices can be tracked via built-in GPS or software (Find My, Prey).
Secure mounting: wall-mount network equipment out of casual reach.
Data Center and Server Room Security
Tiered access: not everyone who works in an office needs server room access. Strictly limit access to authorized personnel.
Data center standards: Tier 1 through Tier 4 classify redundancy and availability, not physical security specifically. However, high-tier data centers have extensive physical security: multi-factor badge + biometric + mantrap + guards + cameras.
Equipment cages: individual organizations' equipment secured within cages inside a shared data center.
Raised floors: improve airflow but also carry cable runs beneath the floor — secure the access panels.
Cold and hot aisle containment: designed for cooling efficiency, but the enclosed aisles also limit physical access to the equipment inside them.
Hardware disposal: decommissioned servers may contain sensitive data — proper sanitization required before disposal.
Server locks: servers often have front panel locks to prevent opening the case or removing drives.
Social Engineering Physical Attacks
Tailgating / piggybacking: following an authorized person through a secured door without authenticating. Prevention: enforce badge-in for everyone, use mantraps, train staff to challenge unknown persons.
Impersonation: attacker dresses as IT support, delivery person, or inspector to gain physical access. Prevention: require visitor logs, escort visitors, verify identity with a manager.
Dumpster diving: recovering sensitive information from discarded documents or equipment. Prevention: shred all documents with cross-cut shredders, degauss or destroy hard drives before disposal.
Shoulder surfing: viewing screens or keyboards in public. Prevention: privacy screens (screen filters that block side-angle viewing), position monitors away from public areas.
Physical eavesdropping: recording conversations or intercepting audio/video. Prevention: secure meeting rooms, soundproofing for sensitive discussions.
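As an added example (not part of the original notes), the anti-passback check an audit of badge-reader entry/exit logs applies: every exit must be preceded by an entry and every entry by an exit, so an exit with no prior entry points to someone who tailgated in, and a second entry while already inside points to a shared or cloned badge. The log lines, badge ids and door name below are constructed.

```python
from datetime import datetime

# Constructed badge-reader log: timestamp, badge id, door, direction.
SAMPLE_LOG = """\
2024-03-04T08:01:10,B1001,server-room,in
2024-03-04T08:03:45,B1002,server-room,out
2024-03-04T08:10:00,B1001,server-room,in
2024-03-04T09:30:20,B1001,server-room,out
2024-03-04T09:31:00,B1003,server-room,in
"""


def parse_events(text):
    """Parse CSV-style lines into (timestamp, badge, door, direction), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, direction = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, door, direction.strip()))
    return sorted(events)


def audit_badge_log(text):
    """Anti-passback audit: returns (timestamp, badge, reason) for each anomaly."""
    inside = set()  # (badge, door) pairs currently believed to be inside
    findings = []
    for ts, badge, door, direction in parse_events(text):
        key = (badge, door)
        if direction == "in":
            if key in inside:
                findings.append((ts, badge, "entry while already inside: possible shared or cloned badge"))
            inside.add(key)
        elif direction == "out":
            if key not in inside:
                findings.append((ts, badge, "exit without prior entry: likely tailgated in"))
            inside.discard(key)
    return findings


def occupants(text):
    """Badges still inside at the end of the log; useful for reconciling with visitor sign-in sheets."""
    inside = set()
    for _, badge, door, direction in parse_events(text):
        if direction == "in":
            inside.add((badge, door))
        else:
            inside.discard((badge, door))
    return sorted(b for b, _ in inside)
```

Real reader logs usually carry a reader id rather than a direction; mapping each reader to a door and an in/out side is the only extra step before running the same logic.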
Workplace Security Best Practices
Clean desk policy: lock or remove sensitive documents from desks when not in use. No sensitive data visible on unattended screens.
Screen lock: configure workstations to lock after a short inactivity period (Win+L locks manually). Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Interactive logon: Machine inactivity limit.
Privacy screens: attach to monitors to limit the viewing angle — prevent shoulder surfing.
Locking cabinets: file cabinets with sensitive documents should be locked.
Equipment disposal: shred documents, wipe drives, physically destroy media that cannot be securely wiped.
Badge policies: badges must be worn visibly at all times in secure facilities. Challenge unknown personnel without visible badges.
Secure areas: mark secure areas clearly and enforce access controls.