Home > Articles


This chapter is from the book

Logical Security Concepts


220-1002: Objective 2.2: Explain logical security concepts.

Because a computer is a combination of physical and logical systems, security practices must address both of these sides of computing. The physical components of security addressed in the previous section are only part of a good security plan and will be ineffective if the security policies stop there. Addressing software (logical) security practices is essential as well.

Active Directory

Active Directory is a Microsoft solution for managing users, computers, and information access in a network. It is based on a database of all resources and users that will be managed within the network. The information in the database determines what people can see and do within the network. Complete understanding of Active Directory is beyond the scope of this course, but every IT support person should know the basics of what it is and how it works. Here are the basics:

  • Login script: When a user logs onto the network, Active Directory knows who that user is and runs a login script to make the assigned resources available. Examples of login tasks include virus updates, drive mapping, and printer assignments.

  • Domain: The domain is a computer network or group of computer networks under one administration. Users log into the Active Directory domain to access network resources within the domain.

  • Group Policy: This is a set of rules and instructions defining what a user or group of users can or cannot do when logged into the domain. You may see the term Group Policy Object (GPO), which is a set of instructions assigned to a group of users or to certain machines on the network.

  • Organizational Unit (OU): OUs are logical groups that help organize users and computers so that GPOs can be assigned to them. For example, a team of accountants may be assigned to an OU, and their GPO may give them special access to financial records.

  • Home folder: This folder, which is accessible to the network administrator, is where the user’s data and files are kept locally.

  • Folder redirection: This allows for the work done by an OU to be saved on a common folder in the domain as directed by the administrator instead of the user. For example, a policy may indicate that all work must be kept in a common folder so all members of a team can see the latest work and updates.

Software Tokens

Like key fobs, mentioned in the previous section for physical security, software tokens are part of a multifactor authentication process. The difference is that software tokens exist in software and are commonly stored on devices.

An example of a software token is Google Authenticator, an app that is downloaded to a device and provides a shared secret key. The user logs in with his or her username and password, and the app runs an authenticating algorithm. This multifactor authentication is more secure than earlier versions of software tokens, which could be stolen.

MDM Policies

Organizations that have many mobile devices need to administer them such that all devices and users comply with the security practices in place. This is usually done with a suite of software known as mobile device management (MDM). The MDM marketplace is quite competitive, and several solutions are available from companies such as VMware (AirWatch), Citrix (XenMobile), and SOTI MobiControl. These products push updates and allow an administrator to configure many mobile devices from a central location. Good MDM software secures, monitors, manages, and supports multiple different mobile devices across the enterprise.

Port Security

Disabling ports refers to using a firewall appliance or software firewall to prevent specified UDP or TCP ports from being used by a service, an application, a specific device, or all devices. Turning off unused ports makes it harder for hackers to find stealthy access into a machine.

MAC Address Filtering

Every network adapter, whether it’s built into a PC, is an add-on card, or is built into a specialized device such as a media adapter or a networked printer, has a unique identifier known as the media access control address, or MAC address. The MAC address (sometimes known as the physical address) is a list of six two-digit hexadecimal numbers. For example, a typical PC MAC address is FA-15-B7-89-6C-24. (MAC addresses are sometimes listed as 12 digits rather than in six groups of 2 digits.)

A MAC address is usually found on a label on the side of a network adapter. If an adapter is already installed, enter ipconfig /all at a command prompt to display the MAC address.

Because MAC addresses are unique, it is possible to control access to most wireless networks by allowing only certain addresses in. The practice of allowing only certain devices is sometimes called whitelisting. Some routers can also be configured to block a list of specified MAC addresses from accessing the wired network.

MAC address filtering can be a useful way to block casual hackers from gaining access to a small wireless (or wired) network, but it can be troublesome for a large network with many different devices coming into and going out of the system as each needs to be entered separately. MAC address filtering is discussed in further detail in Chapter 2, “Networking.”

It is possible to use software to change the MAC address of a network device (a feature sometimes referred to as MAC address cloning). Also, MAC addresses are not encrypted and can be detected by software used to hack networks. Thus, MAC address filtering alone should not be relied on to stop serious attacks.


Apps can sometimes hold viruses or other bugs that can cause trouble on a network. It is important to be sure all apps installed come from reliable sources and have been approved by the operating system vendor. App stores for iOS, Android, Windows 8 and later, macOS, and many Linux distros are examples of trusted sources of software.

However, not all software for an operating system comes from an app store. Digital certificates included in software are used to identify the publisher, and most operating systems display warning messages when an app without a digital certificate is being installed. Some settings block the installation of any app that does not have a digital certificate.

In Windows 10 the Certificate Manager keeps track of and check certificates. Figure 7-3 shows the Windows Certificate Manager with specific certificates listed in the right pane. To access Certificate Manager in Windows 10, click the Start button, type certmgr.msc in the search field, and press Enter.


FIGURE 7-3 Certificate Manager


Just as there is antivirus software for PCs, there is also antivirus/anti-malware software for mobile devices. These are third-party applications that need to be paid for, downloaded, and installed to the mobile device. Some common examples of reliable companies offering antivirus and anti-malware products include McAfee, Norton, and Trend, though many companies offer such products.

iOS works a bit differently from the other mobile operating systems. iOS is a tightly controlled operating system. One of the benefits of being a closed-source OS is that it can be more difficult to write viruses for it, making it somewhat more difficult to compromise. But there is no OS that can’t be compromised, and as Apple’s success has grown, efforts to write viruses for Apple machines have increased. McAfee, Norton, Trend Micro, and others have well-respected iOS protection products.


A firewall is a physical device or a software program that examines data packets on a network to determine whether to forward them to their destination or block them. A firewall can be a one-way firewall, which means it is used to protect against inbound threats only, or it can be a two-way firewall, which protects against both unauthorized inbound and outbound traffic. Most third-party firewall programs, such as ZoneAlarm, are two-way firewalls. A software firewall can be configured to permit traffic between specified IP addresses and to block traffic to and from the Internet except when permitted on a per-program basis.

A corporate network may use a proxy server with a firewall as the sole direct connection between the Internet and the corporate network and use a firewall in the proxy server to protect the corporate network against threats.

Physical firewalls are specialized computers whose software is designed to quickly analyze network traffic and make forwarding decisions based on rules set by the administrator. Over time, that task has been incorporated more and more into software on the computers and into the OS design. An example is Windows Defender Firewall in Windows 10, which is discussed later in the chapter.


Most current operating systems have some sort of firewall built in:

  • As initially configured, the standard firewall in Windows is a one-way firewall. However, it can be configured to work as a two-way firewall. For more information about how it works, see the section “Firewall Settings,” later in this chapter.

  • macOS includes an application firewall. In OS X 10.6 and newer, the application firewall offers additional customization options.

  • Linux, starting with distros based on kernel 2.4.x and later, includes iptables to configure netfilter, its packet-filtering framework. To learn more, see www.netfilter.org. Many distros and third-party Linux apps are available to help make iptables and netfilter easier to configure.

User Authentication/Strong Passwords

Authenticating users means making sure those who are logging in are truly who they say they are. Requiring passwords for user authentication can make systems more secure, but humans have proven pretty lax at voluntarily practicing security. To solve this problem, administrators should mandate strong passwords in their authentication settings.

Strong passwords that foil casual hackers have the following characteristics:

  • They are at least eight characters long; every character added to this minimum makes the password exponentially safer.

  • They include a variety of uppercase and lowercase letters, numbers, and symbols.

  • They do not include real names and words.

Multifactor Authentication

The best type of authentication system is one that uses two or more authentication methods. This is known as multifactor authentication. An example of this would be a person using a smart card and typing a username and password to gain access to a system. The combination of the password and the physical token makes it very difficult for imposters to gain access to a system.

Directory Permissions


Directory permissions is the term used in macOS and Linux for configuring the access levels a user has to a directory (folder) and individual files. In Windows, the equivalent term is file and folder permissions.

In Linux and macOS, directory permissions include:

  • Read (opens file but no changes)

  • Write (able to read and change file)

  • Execute (runs executable file or opens directory)

The chmod command is used in Linux to change directory permissions. In macOS, the Get Info menu’s Sharing & Permissions submenu is used to change directory permissions.

In Windows, file and folder permissions on an NTFS drive include:

  • Full control

  • Modify

  • Read & Execute

  • List folder contents (applies to folders only)

  • Read

  • Write

These settings are configured through the Security tab of the file or folder’s properties sheet. The chmod command and output are discussed in further detail in Chapter 6, “Operating Systems.”


A virtual private network (VPN) is a private and secure network connection that is carried by an insecure public network, such as the Internet. A VPN connection requires a VPN server at the remote site and a VPN client at the client site. VPN traffic between client and server is encrypted and encapsulated into packets suitable for transmission over the network. VPNs can be used in place of leased lines for connections between locations and for telecommuting workers.

The most common types of VPNs use Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP/IPsec). Tunneling refers to the practice of using encryption to shield traffic between the client and server from other traffic. PPTP uses 128-bit encryption, and L2TP combined with IPsec (L2TP/IPsec) uses 256-bit encryption. VPNs are discussed further in Chapter 2.


Data loss/leakage prevention (DLP) involves preventing confidential information from being viewed or stolen by unauthorized parties. DLP goes beyond normal digital security methods such as firewalls and antivirus software by observing and analyzing unusual patterns of data access, email, and instant messaging, whether the data is going into or out of an organization’s network.

Access Control Lists

Access control lists (ACLs) are lists of permissions or restriction rules for access to an object such as a file or folder. ACLs control which users or groups can perform specific operations on specified files or folders.

Smart Card

Smart cards can be used to enable logins to a network, encrypt or decrypt drives, and provide digital signatures when supported by the network server.

Email Filtering

Email filtering can be used to organize email into folders automatically, but from a security standpoint, its most important function is to block spam and potentially dangerous messages.

Email filtering can be performed at the point of entry to a network with a specialized email filtering server or appliance as well as by enabling the spam and threat detection features that are built into email clients or security software.

Spam or suspicious emails can be discarded or quarantined by the user, and false positives that are actually legitimate messages can be retrieved from the spam folder and placed back into the normal inbox.

Trusted/Untrusted Software Sources

As mentioned previously concerning certificates, app stores for iOS, Android, Windows, macOS, and many Linux distros are examples of trusted sources of software. Apps installed from these sources have been approved by the operating system vendor and awarded certificates.

But not all software for an operating system comes from an app store. Digital certificates included in software are used to identify the publisher, and most operating systems display warning messages when an app without a digital certificate is being installed. Some operating systems block the installation of any app that does not have a digital certificate. It is ultimately up to the user to determine the trustworthiness of a software source.

Principle of Least Privilege

Applying the principle of least privilege means giving a user access to only what is required to do his or her job. Most users in a business environment do not need administrative access to computers and should be restricted from functions that could compromise security.

While the principle of least privilege appears to be basic common sense, it should not be taken lightly. When user accounts are created locally on a computer—and especially on a domain—great care should be taken in assigning users to groups. Also, many programs, when installed, ask who can use and make modifications to the program; often the default is “all users.” Some technicians just accept the defaults when hastily installing programs without realizing that they are giving users full control of the program. It is an important practice to give clients all they need but limit their access to only what they need.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020