Objective 2.7: Given a scenario, apply workstation security options and hardening techniques

Cert: CompTIA A+ Core 2 (220-1202) V15
Domain: 2.0 Security
Weight: Part of the 28% Security domain
Depth: Given a scenario, apply. The candidate must implement encryption, password policy, BIOS/UEFI passwords, user practices, and account hardening.

What this objective tests

You should be able to apply the standard workstation hardening playbook: data encryption, strong password policy, firmware passwords, user behaviors, account restrictions, and feature disabling.

Key facts

Data-at-rest encryption:

  • Encrypts data on disk. If the drive is stolen or removed from the device, the data is unreadable.
  • Windows: BitLocker (whole drive), EFS (specific files).
  • macOS: FileVault.
  • Linux: LUKS (drive-level), eCryptfs/fscrypt (per-folder).
  • Required for any device that leaves the office (laptops, removable drives).

Password length:

  • The single most impactful password property. 12+ characters baseline; 16+ for any sensitive account.
  • A long passphrase ("correct horse battery staple") beats a short complex password ("P@ss1!") on attacker time-to-crack.

Character types:

  • Mix uppercase, lowercase, digits, special characters when complexity is required.
  • NIST modern guidance: prefer length over forced complexity.

Password uniqueness:

  • Different password for every account. If one site leaks, the others are not at risk.
  • A password manager is the only realistic way to maintain this at scale.

Password complexity:

  • Avoid common patterns, dictionary words, and personal info.
  • Random passwords generated by a password manager beat human-chosen passwords.

Password expiration:

  • Forced periodic password change. Modern NIST guidance discourages mandatory rotation because it pushes users to weak patterns ("Spring2024!" then "Summer2024!").
  • Still required by some compliance frameworks. If you must rotate, rotate less frequently (annual rather than 90 days).

BIOS / UEFI password:

  • Firmware-level password that gates BIOS/UEFI settings access and sometimes boot.
  • Prevents an attacker with physical access from changing boot order to load a recovery USB and bypass Windows login.
  • Set in firmware (F2/Del at boot). Document it; a lost firmware password often requires motherboard service or a vendor-specific recovery process.

Screensaver lock:

  • Auto-lock after idle. Settings > Personalization > Lock screen > Screen saver settings > "On resume, display logon screen."
  • Standard at 5-15 minutes for office workstations.

Log off when not in use:

  • Best practice when stepping away. Stronger than just locking (it ends the session instead of preserving it).
  • For shared PCs, log off is the right move.

Secure / protect critical hardware (laptops):

  • Cable locks (Kensington), docking station locks, secure storage when not in use.
  • Encrypted disk + strong login: even a stolen laptop does not immediately mean lost data.

Secure PII and passwords:

  • Don't write passwords on sticky notes. Don't store PII in plain-text documents.
  • Use password managers (1Password, Bitwarden, Dashlane, KeePass) and encrypted storage.

Password managers:

  • Generate and store strong unique passwords per site. One master password unlocks the vault.
  • Modern password managers also support MFA tokens, secure notes, credit cards.

Restrict user permissions:

  • Standard user account for daily work, separate admin account for IT tasks.
  • Least privilege at the OS level.

Restrict login times:

  • AD policy or local user account setting to allow login only during configured hours.
  • Reduces attack window for compromised credentials.

Disable guest account:

  • Off by default in modern Windows. Keep it off.

Failed attempts lockout:

  • Lock the account after N failed login attempts. Prevents brute force.
  • Configure in Group Policy: Account Lockout Threshold + Duration + Reset counter.
  • Typical: 5 attempts, 15-minute lockout.

Timeout / screen lock:

  • Auto-lock after idle (mentioned above, distinct here as the GPO setting).
  • Set via Group Policy or local screensaver settings.

Account expiration dates:

  • For temporary users (contractors, interns), set an account expiration date.
  • Account auto-disables on the date. No more "we forgot to disable the contractor's access six months ago" stories.

Change default administrator user account / password:

  • Built-in Administrator account in Windows has a known name. Rename it (Group Policy > Security Options > Accounts: Rename administrator account).
  • Set a strong password on it even though it's typically disabled in modern Windows.
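Added example, not from the study page or any vendor documentation: the account-restriction items above, from restricting user permissions through renaming the default administrator, together with the failed-attempts lockout, applied to a standalone Windows workstation using the built-in LocalAccounts cmdlets and net.exe. The account name contractor01, the replacement administrator name, and the 30-day/business-hours values are assumptions.

```powershell
# Added example, not from the study page. Applies the account-hardening items above to a
# standalone (non-domain) Windows workstation. Windows PowerShell 5.1, elevated session.
# Domain-joined machines get these from Group Policy instead; net accounts and the
# *-LocalUser cmdlets only touch the local SAM.
#Requires -RunAsAdministrator

$Contractor   = 'contractor01'     # constructed account name
$NewAdminName = 'wkstn-localadm'   # constructed replacement for 'Administrator'

# Failed attempts lockout: 5 attempts, 15-minute lockout, counter resets after 15 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
# Length over complexity: 14-character minimum, no forced expiration.
net accounts /minpwlen:14 /maxpwage:unlimited

# Disable guest account (off by default; enforce it anyway).
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue

# Change default administrator account name. The built-in account is the one whose
# SID ends in -500; renaming changes the name only, never the SID.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtIn.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtIn.Name -NewName $NewAdminName
}

# Temporary user: standard account, expires in 30 days, login limited to business hours.
if (-not (Get-LocalUser -Name $Contractor -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Initial password for $Contractor"
    New-LocalUser -Name $Contractor -Password $pw -AccountExpires (Get-Date).AddDays(30) `
        -Description 'Contractor, expires automatically' | Out-Null
}
# Restrict user permissions: member of Users only, never Administrators.
Add-LocalGroupMember -Group 'Users' -Member $Contractor -ErrorAction SilentlyContinue
Remove-LocalGroupMember -Group 'Administrators' -Member $Contractor -ErrorAction SilentlyContinue
# Restrict login times (no cmdlet for this; net user writes the logon-hours bitmap).
net user $Contractor /times:M-F,08:00-18:00

# Verify: expiration, logon hours and the lockout values as the OS now reports them.
Get-LocalUser -Name $Contractor | Select-Object Name, Enabled, AccountExpires
net user $Contractor | Select-String 'Logon hours|Account expires'
net accounts | Select-String 'Lockout|Minimum password length'
```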

Disable AutoRun:

  • AutoRun and AutoPlay automatically launched programs from removable media in older Windows. Major malware vector.
  • Modern Windows largely disables AutoRun by default; verify it's still off via Group Policy.

Disable unused services:

  • Reduce attack surface by disabling Windows services that aren't needed (legacy protocols, print spooler on systems that don't print).
  • Use services.msc to disable. Document what you disable so you can re-enable if needed.

Common gotchas

  • Password expiration as a quick win. NIST and many modern security frameworks advise against mandatory rotation. Length + uniqueness + MFA are more impactful.
  • BIOS password lost. Without vendor recovery process, motherboard service might be required.
  • Cable lock cut. Determined thieves cut cables; locks are deterrent, not defeat. Pair with encryption.
  • Account lockout DoS. Five failed attempts locks a user; an attacker brute-forcing usernames can lock out the real users. Tune carefully.
  • Disabled service breaks something. Random services aren't always cosmetic; some are dependencies. Test in non-production first.
  • AutoRun assumed off, isn't. Verify with Group Policy or registry, not just "Windows 10/11 disabled it."

Real-world context

Standard workstation hardening checklist:

  1. Encryption: BitLocker enabled with TPM. Recovery key escrowed.
  2. Login: Windows Hello PIN or biometric. Password backup with manager.
  3. Account model: Standard user for daily work. Separate admin for IT.
  4. UAC: Default level or higher.
  5. Lock: Screen lock at 10 minutes idle. Manual lock on step-away (Win+L).
  6. Password policy: 14+ characters, no rotation requirement, MFA required for any cloud/remote access.
  7. AV/EDR: Real-time on, definitions current, scheduled scans weekly.
  8. Firewall: Default on, Domain profile when on the corporate network.
  9. Patching: Windows Update automatic, ideally managed via WSUS/Intune.
  10. Backup: OneDrive/Google Drive folder backup or equivalent.
  11. Removable media: AutoRun disabled. USB write blocking for high-risk environments.
  12. Firmware: BIOS/UEFI password set. Boot from external media disabled.
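Added example, not from the study page: a read-only PowerShell audit of the checklist items that a Windows 10/11 workstation can report about itself (encryption, UAC, screen lock, password length, AV/EDR, firewall, AutoRun, guest account). Thresholds match the checklist; the registry paths and cmdlets are standard Windows ones, and the script changes nothing.

```powershell
# Added example, not from the study page. Read-only audit of the hardening checklist above.
# Prints PASS/FAIL per item; run in an elevated Windows PowerShell 5.1 session.
function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function Report($Check, $Ok, $Detail) {
    '{0,-4} {1,-28} {2}' -f ($(if ($Ok) { 'PASS' } else { 'FAIL' }), $Check, $Detail)
}

# 1. Encryption: OS volume fully encrypted and BitLocker protection switched on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Report 'BitLocker on OS drive' ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted') "$($os.ProtectionStatus)/$($os.VolumeStatus)"

# 4. UAC enabled (EnableLUA=1).
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
Report 'UAC (EnableLUA)' ($lua -eq 1) "EnableLUA=$lua"

# 5. Lock: password-protected screen saver, idle timeout 10 minutes or less.
# Reads the current user's local setting; GPO-managed values live under HKCU:\Software\Policies.
$timeout = [int](Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaveTimeOut')
$secure  = [int](Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaverIsSecure')
Report 'Screen lock <= 10 min' ($secure -eq 1 -and $timeout -gt 0 -and $timeout -le 600) "secure=$secure timeout=${timeout}s"

# 6. Password policy: local minimum length as reported by net accounts.
$minLen = [int](((net accounts) | Select-String 'Minimum password length').Line -replace '\D', '')
Report 'Min password length >= 14' ($minLen -ge 14) "minlen=$minLen"

# 7. AV/EDR: Defender real-time protection on, signatures no older than 7 days.
$mp = Get-MpComputerStatus
Report 'Defender real-time + sigs' ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7) "rtp=$($mp.RealTimeProtectionEnabled) sigAge=$($mp.AntivirusSignatureAge)d"

# 8. Firewall: Domain, Private and Public profiles all enabled.
$fw = Get-NetFirewallProfile
$fwOff = @($fw | Where-Object { $_.Enabled -ne 'True' })
Report 'Firewall all profiles' ($fwOff.Count -eq 0) (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

# 11. Removable media: AutoRun disabled for every drive type (0xFF) via the policy key.
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
Report 'AutoRun disabled (0xFF)' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"

# Guest account disabled.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Report 'Guest account disabled' (-not $guest.Enabled) "enabled=$($guest.Enabled)"
```

Items 12 (firmware password, external boot) and 2 (Windows Hello) are not readable from the OS this way and still need a manual check in the BIOS/UEFI setup and in Settings.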

Sources

  • [CompTIA A+ 220-1202 Exam Objectives Version 4.0, Section 2.7](../../../../../../30-RevyTechJourney/CompTIA%20A%2B%20220-1202%20Exam%20Objectives%20%284.0%29.pdf)
  • [NIST SP 800-63B: Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html)
  • [Microsoft Learn: BitLocker](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/)
  • [Microsoft Learn: Account lockout policy](https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
  • [CIS: Windows Benchmarks](https://www.cisecurity.org/benchmark/microsoft_windows_desktop)