CompTIA A+ Core 2 (220-1102): Given a Scenario, Configure a Workstation to Meet Best Practices for Security

Introduction: Why Workstation Security Actually Matters

Let’s be real—workstation security isn’t some boring box you tick off for an audit or just something you memorized for the CompTIA A+. It’s your absolute first line of defense standing between all your company’s sensitive data, your users’ privacy, and everything else IT-related that you hold together day after day. It only takes one neglected machine—just one!—to blow up months of careful planning. Trust me, attackers are counting on us getting sloppy somewhere. These days, with everyone bouncing from the office to their living room and back again, every single device is basically a potential open door for trouble. Locking down those workstations isn’t just about passing a compliance check—it’s about keeping business running smoothly, and honestly, it helps everyone sleep a little better at night.

When we talk about 'best practices,' we’re not just talking theory—these are born from the ugly side of IT: actual breaches, ransomware chaos, regulatory facepalms, and all the headaches folks have had to learn from the hard way. When you’re actually securing a workstation, you’ve got to layer on technical settings, smart processes, and good old physical safeguards. This isn’t just a buzzword—it’s what we call 'defense in depth,' and it really does make a difference. Honestly, it’s a lot like protecting your house. You wouldn’t just lock the front door and call it a day—you’d want alarms, maybe a nosy neighbor keeping an eye out, the works. Rely on just one thing and you’re practically inviting the bad guys in.

Getting to Grips with Threats—and the Security Mindset

You can’t really defend your turf—IT or otherwise—unless you know what’s out there gunning for your stuff. So before you button up a workstation, you’ve really got to get a handle on what kinds of threats are lurking out there. So what’s actually out there waiting to mess up your day? Here’s the usual parade of trouble:

• Malware and ransomware—the whole soap opera: viruses, trojans, those nasty crypto lockers that’ll turn your files into gibberish.
• Phishing emails and social engineering scams—those fake messages that somehow trick people into handing over the keys to the kingdom.
• Unauthorized access—that could be some hacker halfway across the world, or maybe it’s just Bob from accounting, ticked off and poking around where he’s absolutely not supposed to. Either way, you don’t want anyone slipping in and acting like they own the place.
• Data theft is sneakier than you might think. I’ve seen folks try everything—copying files to a thumb drive when nobody’s watching, quietly forwarding sensitive reports to a personal email, or the classic: syncing company secrets to their own cloud drive. If you’re not watching, it’s gone.
• Physical loss or theft—because someone always manages to leave their laptop at a coffee shop, right?

Key principles:

• Least privilege: Only grant users and processes the permissions absolutely necessary for their role.
• Defense in depth: Multiple layers of security provide redundancy if one fails.
• Zero trust: Trust no device or user by default, even if inside the network perimeter. You’ve got to keep that little IT gut feeling switched on. Whenever you see a request pop up or someone’s asking for new access, just hit the brakes for a second and ask yourself: Wait a minute, who’s really asking here? What do they actually want? Should I be a little more suspicious right now? Honestly, half the time your best security sensor is just that gut feeling—the little alarm bell in your head telling you something’s off. Seriously, don’t brush that off! If you get that weird gut feeling something’s off—roll with it! Your instincts are usually on to something. Most of the time, when you get that little knot in your stomach, there’s actually something going sideways.

Picture security like one of those old-school jawbreakers from your childhood—there’s a different colored layer under every lick. The more layers you’ve got between your data and danger, the better. That’s how you want your defenses set up: every layer is just one more headache for the bad guys. You’ve got layer after layer to chew through before you ever get to what’s inside (your data!), which makes getting to the good stuff a real pain for anyone with bad intentions. That’s exactly how you want your security set up. At the core, you’ve got your sensitive data. Around that, you layer on things like authentication, hardening your OS, deploying security software, having firewalls in place, adding physical security—and let’s not forget good user policies. That way, anyone trying to break in has to fight their way through layer after layer—it’s not just one and done.

Operating System Hardening

OS hardening is your first technical defense. Default settings are rarely secure enough. The following best practices help reduce attack surface across platforms:

Okay, here’s how I like to lock down Windows 10 or 11 in the real world—these are my bread-and-butter steps for making sure the bad stuff can’t sneak in.

1. Apply all security updates: Use Windows Update or WSUS/SCCM/Intune for enterprise management.
2. Disable unnecessary services: E.g., Print Spooler, SMBv1 (Set-SmbServerConfiguration -EnableSMB1Protocol $false # That’ll do it!), legacy protocols.
3. Enable User Account Control (UAC): Set to "Always notify" for maximum security.
4. Turn on Microsoft Defender Antivirus and Firewall: Configure via Windows Security or Group Policy.
5. Review local policies: Use Group Policy Editor (gpedit.msc, Pro/Enterprise only) to enforce password, lockout, and audit settings. Honestly, I’m a big fan of grabbing standard security baselines—like the ones from Center for Internet Security—when I need proven templates to work from.
6. Disable Guest and unused accounts: net user Guest /active:no
7. Enable Secure Boot and BitLocker: Ensure TPM is available (tpm.msc), enable via Control Panel > BitLocker.
8. Configure audit policies: Enable logging for authentication, privilege use, and policy changes.

Lab Example:
- Want to get rid of SMBv1 fast? Just fire up PowerShell and...

Set-SmbServerConfiguration -EnableSMB1Protocol $false # That’ll do it!- Not using that printer? Head into Services, find Print Spooler, and set it to Disabled. One less thing for attackers to mess with.. That closes another hole the attackers might try to sneak through—so hey, that’s a win in my book every time.

Advanced: Deploy security baselines using Microsoft's Security Compliance Toolkit or Intune for scalable policy enforcement.

macOS Hardening Steps

1. Apply security updates via System Settings > General > Software Update (Ventura and newer) or System Preferences > Software Update (Monterey and earlier).
2. Enable the firewall: System Settings > Network > Firewall (Ventura+) or System Preferences > Security & Privacy > Firewall (older versions).
3. Disable remote login/services if unused (SSH, screen sharing): sudo systemsetup -setremotelogin off
4. Set up your Mac so it always demands a password when it wakes up, whether that’s after it’s gone to sleep or just the screensaver coming on. That way, nobody’s snooping around while you’re grabbing a coffee. No snooping while you grab a coffee! No free passes for wandering eyes! Let’s be honest—there’s always someone who’ll try their luck if you wander away. Lock it down so nobody can snoop around your stuff while you’re at the coffee machine.
5. Cut down on admin accounts—less is more! Make sure folks do day-to-day stuff with a standard user account.
6. Turn on FileVault to encrypt the disk—yeah, you’ll need admin rights, but it’s totally worth it.
7. Configure Gatekeeper to allow only App Store or signed apps: spctl --master-enable
8. Audit logs: Use Console app or log show

Lab Example:
- Enable FileVault: System Settings > Privacy & Security > FileVault > Turn On

Tip: Enforce security policies with MDM solutions such as Intune, Jamf, or Workspace ONE.

How I Batten Down the Hatches on Ubuntu LTS

1. Install and update UFW: sudo apt install ufw, then sudo ufw enable
2. Apply updates: sudo apt update && sudo apt upgrade; automate with unattended-upgrades or Landscape for enterprise.
3. Disable unused services: sudo systemctl disable service-name
4. Restrict sudo access to trusted users.
5. Set home directory permissions: chmod 700 /home/username
6. Enable AppArmor: sudo aa-enforce /etc/apparmor.d/* or SELinux if supported.
7. Set up auditd so you’ve always got a record of who did what and when—makes playing detective way easier if something weird pops up. No more guessing when something shady goes down! No more guessing when something goes sideways.
8. Enable full-disk encryption (LUKS) at install time; cryptsetup for post-install is complex.

Hardening Tips That Apply No Matter What OS You’re Running

• Don’t go making it harder on yourself—grab a good OS security checklist (personally, CIS Benchmarks are my go-to), and just work your way through it step by step.
• Look, if you can automate any part of your security setup, just go for it! Why waste your day repeating the same setup over and over? Seriously, try to automate whatever you can. Your future self will thank you when you’re not drowning in repetitive chores! Whether you’re all about PowerShell, obsessed with Bash scripts, or living your best life with Ansible, just use whatever tools make your life easier and keep your sanity intact. Honestly, stick with what works. No need to overcomplicate things just because the latest shiny tool is making the rounds. Hey, if it gets the job done, it’s the right tool—end of story. You’ll be amazed how much time and stress you save, and let’s face it, anything that helps you keep your hair is a win in IT! The more you can get off your plate, the fewer things you’ll forget—and that means way fewer midnight phone calls when things break. Trust me on that one. Take it from me—you’ll thank your past self when things get messy and you’ve already got all this locked down. There’s nothing better than being ready before the storm hits.
• Write down every change you make, every time. And always have a plan for undoing your work in case it blows up—because, let’s face it, sometimes it just does.

User Account Management

Controlling user accounts and privileges is vital. If you get sloppy with account management, you’re just asking for trouble: people get too much power, stuff leaks, and suddenly you’re cleaning up a mess that could’ve been avoided.

• Set people up with regular (non-admin) accounts for their everyday work. Admin rights should be rare, not the rule.
• Only put users in groups they genuinely need—think least privilege all the way.
• Remove or disable Guest and unused accounts immediately after staff changes.
• Check who’s in what group every so often, and seriously—automate those reports if you hate paperwork as much as I do.
• Stay sharp—watch out for users mysteriously becoming admins or service accounts acting odd. The first sign something fishy’s happening? When admin rights start shifting around or a service account starts acting weird. That’s your cue to dig in and see what’s up.

Windows

• GUI: Settings > Accounts > Family & other users > Add account
• CLI: net user username /add (add), net user username /delete (remove)
• Audit: net localgroup administrators to list local admins.

macOS

• GUI: System Settings > Users & Groups > Add Account
• CLI: sudo sysadminctl -addUser username
• Audit: dscl . -read /Groups/admin GroupMembership

For Ubuntu (and most Linux distros):

• Add: sudo adduser username
• Remove: sudo deluser username
• Assign to group: sudo usermod -aG groupname username
• Audit: getent group sudo or cat /etc/passwd

Common Mistake: Forgetting to disable accounts of departed users. Automate offboarding with directory integration and regular reviews.

Password Policies & Authentication

There’s just no way around it—your authentication needs to be rock solid. End of story. Balance security and usability using:

• Password length: 12+ characters, enforce complexity (upper/lowercase, numbers, symbols).
• Password managers: Deploy enterprise or vetted solutions such as Bitwarden or LastPass.
• Expiration: Change after suspected compromise or as required by policy—note: CompTIA A+ expects knowledge of periodic changes; real-world best practice may differ.
• Multi-factor authentication (MFA): Enforce for all sensitive access (local, remote, cloud). Let users pick the MFA method they actually like. Some swear by their authenticator app, others are obsessed with their Yubikey, and plenty just want a quick fingerprint or face scan. The easier it is, the more likely they’ll stick with it. If they’ll use it, you’re winning. The point is, if they’ll use it, everybody wins. If it keeps your users happy and your systems secure, I say go with it. Whatever fits your environment.
• Password storage: Use salted hashes (handled by OS); never store plaintext.

Implementation Examples

• Windows Local Group Policy: gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
• PowerShell: Set-LocalUser -Name "username" -PasswordNeverExpires $false
• macOS: pwpolicy -u username -setpolicy "minChars=12 requiresAlpha=1 requiresNumeric=1 requiresSymbol=1"
• Linux: Edit /etc/login.defs and /etc/pam.d/common-password

MFA Deployment: Use solutions such as Azure AD or Okta for Windows/macOS; libpam-google-authenticator or Yubikey for Linux. Document recovery procedures for lost devices.

Exam Objective Mapping: CompTIA A+ 220-1102 Objective 2.3 (Configure workstation security).

Let’s Talk Patch Management—Keeping Your Workstations Fresh and Safe

Updating OS, drivers, and applications closes vulnerabilities. If you’ve got more than a handful of machines, trust me—don’t try to update everything by hand! Don’t try to tackle updates by hand if you’re managing a bunch of machines—those central management tools will save you hours and plenty of headaches.

• Windows: Windows Update, WSUS/SCCM, Intune for policy-based, scheduled deployments.
• macOS: Software Update/MDM (Jamf, Munki); automate with policies.
• Linux: unattended-upgrades, Landscape, Canonical Livepatch for Ubuntu, or Ansible scripts for scale.

Patching Workflow

1. Inventory and categorize endpoints.
2. Schedule maintenance windows.
3. Test updates on pilot group.
4. Deploy and monitor for failures.
5. Roll back updates if critical issues arise. For Windows, use “Go back to previous version” in Update settings.
6. Report compliance using management tool dashboards.

Troubleshooting: For failed updates, check log files:
- Windows: C:\Windows\WindowsUpdate.log
- macOS: /var/log/install.log
- Linux: /var/log/apt/history.log

Firmware/UEFI Updates: Schedule regular firmware updates via vendor utilities such as Dell Command Update, Lenovo Vantage, and similar tools for security patches.

Exam Objective Mapping: CompTIA A+ 220-1102 Objective 2.4 (Given a scenario, use best practice procedures for software and hardware updates).

Security Software Deployment

Honestly, you’ve got to have good endpoint protection in place—no way around it.

• Antivirus/Antimalware: Windows (Microsoft Defender Antivirus), macOS (XProtect + third-party), Linux (ClamAV, chkrootkit, rkhunter).
• Endpoint Detection & Response (EDR): For advanced threats, use solutions such as Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, or Sophos Intercept X. These provide behavioral detection, automated response, and centralized reporting.
• Centralized Management: Use AV/EDR management consoles to push updates, run scans, review alerts, and enforce policy.
• Exclusions: Configure only as necessary (e.g., for performance or compatibility).

Lab: Deploy Defender ATP on Windows
- Enroll in Intune or SCCM.
- Push Defender ATP agent.
- Enforce scan schedule and real-time protection via Group Policy.
- Make it routine to check the Defender Security Center so nothing slips by. Trust me, you don’t want to discover something bad’s been hiding out in your environment for days just because you forgot to check.

Troubleshooting: For sluggish systems, check real-time scanning exclusions. Got malware that just refuses to leave? Don’t be afraid to get creative—sometimes a bootable AV stick, or even flattening the machine and starting fresh, is your only real option. Sometimes you’ve got to get creative—try a bootable AV stick, nuke the drive, or if it’s really being resistant, reimage the whole darn thing and move on. Yank that machine off the network right away, boot from a rescue stick and give it a thorough disinfecting. And if it’s still fighting you, sometimes you just have to throw in the towel—wipe it clean and restore from backup. Honestly, sometimes the only thing left is to wipe the system and give it a fresh start. Hey, it’s better than letting something nasty lurk in the background!

Exam Objective Mapping: CompTIA A+ 220-1102 Objective 2.3 (Configure workstation security).

Firewall Configuration

Set up your firewalls right, and you’ll keep out the unwanted guests while letting legit traffic through—balance is key!

• Default policy: Deny inbound except required services; restrict outbound as needed.
• Windows: Configure via Windows Defender Firewall (GUI or netsh advfirewall set allprofiles state on); advanced rules for apps/ports and logging.
• macOS: Enable via System Settings or sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on; use “Options” to configure allowed apps.
• Linux: Install and enable UFW (sudo apt install ufw, sudo ufw enable), set default deny, allow required ports only (sudo ufw allow ssh), and check status (sudo ufw status).

Advanced: Enable logging and regularly review logs for suspicious activity. Test firewall rules with tools such as nmap or Test-NetConnection (Windows PowerShell).

Troubleshooting: If legitimate apps are blocked, check rules and event logs, revert recent changes, and confirm local/remote connectivity before and after changes.

Keeping Data Safe: Encryption and Beyond

If you skip out on protecting your data, you’re not just flirting with fines—you could stop your company dead in its tracks or wreck your reputation for good.

• Full-disk encryption: Windows (BitLocker; Pro/Enterprise with TPM or USB key), macOS (FileVault; admin required), Linux (LUKS/dm-crypt at install; VeraCrypt for files/volumes).
• Recovery key management: Store keys in Active Directory (BitLocker), iCloud (FileVault), or secure vaults. Document and restrict access.
• File-level encryption: EFS (Windows), VeraCrypt, or GnuPG for sensitive files.
• Data Loss Prevention (DLP): Use built-in (Microsoft Endpoint DLP) or third-party DLP to restrict data exfiltration (e.g., block USB, monitor file transfers). You can roll out DLP rules and data controls using Group Policy, MDM, or whatever security dashboard you use. Make sure you lock everything down before trouble strikes.
• Backup: Implement local (encrypted drives) and cloud backup (OneDrive, iCloud, Google Drive with MFA and access logging). And please, actually test your restores instead of assuming they work. Nothing’s worse than a backup that’s useless when you need it.

Compliance: HIPAA/GDPR require encryption and documented backup/testing. Keep proof—logs, screenshots, or whatever your auditor will believe—that you’re really doing those backups and tests.

Here’s Dan’s Quick Data Protection Checklist:

• Full-disk encryption enabled and keys documented?
• Critical data backed up and test restores performed?
• USB ports restricted or monitored?
• DLP controls configured and active?
• Access and backup logs retained for compliance?

Let’s Not Forget Physical Security

You want to cut down risks of theft or physical snooping? Throw some old-school security in the mix—locks, secure placement, whatever it takes.

• Grab some cable locks or security brackets for laptops and desktops that sit out in the open.
• Secure storage for devices not in use; restrict public/visitor access.
• Lock server rooms and sensitive areas.
• Set up BIOS or UEFI passwords and switch on Secure Boot. And for the love of everything, keep those passwords somewhere safe—getting locked out is the worst. Disable USB/CD boot for users.
• Stick asset tags on your gear, keep track of what’s where, and always know who last grabbed what device.

Exam Objective Mapping: CompTIA A+ 220-1102 Objective 2.5 (Physical security).

Remote Access Security

Remote tools like RDP, VNC, SSH, and VPN? Yeah, you better keep those on a short leash.

• If you’re using RDP, make it accessible only through your VPN, always demand MFA and strong passwords. For outside connections, use an RDP Gateway.
• VNC should always use encryption and strong passwords, and honestly, don’t let it out on the open internet—keep it limited to the VPN or the local network.
• SSH: Disable password login (PermitRootLogin no, PasswordAuthentication no), use key-based auth, restrict by IP.
• For VPNs, stick to enterprise setups like AnyConnect or OpenVPN, turn on MFA, set session timeouts, and always keep an eye on those logs for anything weird.
• Track every remote login and set up alerts if something looks fishy.

Lab: Configure SSH Key Authentication

Fire up a terminal and run ssh-keygen -t ed25519 to create new SSH keys. Then use ssh-copy-id user@host to push your public key where it needs to go. PermitRootLogin no PasswordAuthentication no

Troubleshooting: Failure to connect? Check network, firewall, authentication method, and review log files (/var/log/auth.log on Linux, Event Viewer for Windows).

Safe Browsing & Application Practices

Believe it or not, browsers and random apps are two of the biggest troublemakers on any workstation.

• Lock down your browser—pop-up blockers, say goodbye to third-party cookies, force safe search, and add security add-ons like uBlock Origin or HTTPS Everywhere.
• If you’re managing more than a couple of users, roll out browser policies using Group Policy on Windows or MDM for Macs and Chromebooks.
• Application whitelisting: AppLocker (Enterprise/Education) or Software Restriction Policies (Pro) on Windows; Gatekeeper on macOS (spctl --master-enable), AppArmor/SELinux on Linux (sudo aa-enforce).
• Don’t let just anyone install apps, and always double-check and patch any third-party software before it becomes a problem.
• Keep tabs on browser extensions—ditch anything that’s not required. Too many plug-ins just means more things that can go sideways.
• Get your users in on the action—teach them how to spot phishing and sketchy downloads. Simulated phishing, believe it or not, really helps them catch on fast!

Lab: Configure AppLocker on Windows Enterprise

Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

Troubleshooting: Legitimate apps blocked? Review whitelisting rules and event logs, deploy exceptions as needed.

Monitoring, Logging & Incident Response

Effective monitoring and response can contain incidents before they escalate.

• Enable and forward OS logs: Windows Event Forwarding or SIEM integration; syslog or rsyslog for Linux; unified logging on macOS.
• Aggregate logs for analysis and alerting; use tools such as Splunk, ELK, or Microsoft Sentinel.
• Deploy EDR with incident detection and alerting.
• Develop incident response playbooks: document isolation, evidence collection, remediation, and post-incident review.
• Train users to promptly report suspicious activity; empower with "See Something, Say Something" policies.

Incident Response Flow:

1. Detect (alert/log/anomaly)
2. Isolate affected system (disconnect network)
3. Collect evidence/logs
4. Remediate (scan, clean, reimage if needed)
5. Reset credentials if compromise suspected
6. Report and review incident, update defenses

Lab: Respond to Suspected Phishing

1. User reports suspicious email
2. Isolate device from the network
3. Collect email sample and logs
4. Reset user's password and check account activity
5. Scan device for malware and remediate as needed
6. Document incident response steps

Secure Disposal of Data & Devices

Proper disposal is critical to prevent data recovery from retired devices.

• For HDDs: Use DBAN, diskutil secureErase (macOS), or shred (Linux; note: not always effective on SSDs).
• For SSDs: Use ATA Secure Erase (vendor tools), or physically destroy if high security required.
• Degaussing (for magnetic drives) or physical destruction (crushing, shredding) for sensitive data.
• Document the chain of custody and disposal method; maintain records for compliance.
• Always reinstall or reset OS before reassigning devices.

Regulatory & Policy Considerations

Many industries require strict workstation security controls. Examples:

• HIPAA: Encrypt ePHI, log access, document security controls, wipe devices before disposal.
• GDPR: Protect personal data, restrict retention, document consent/auditing.
• PCI-DSS: Encrypt cardholder data, restrict access, maintain audit logs.

Policy Enforcement: Use configuration management (GPO, MDM, automation) to enforce, document, and audit compliance. Prepare for audits with checklists and evidence such as logs, screenshots, and policy documents.

Sample Policy Template

• All endpoints must use full-disk encryption and unique user accounts.
• Critical updates installed within 14 days of release.
• Account and privilege reviews conducted quarterly.
• Devices disposed via certified erasure or destruction with chain-of-custody.

Mobile Device Management (MDM) Integration

MDM solutions such as Intune, Jamf, or Workspace ONE allow remote enforcement of security settings, app control, inventory, and compliance across workstations, laptops, tablets, and smartphones.

1. Enrollment: Register devices via company portal or provisioning profiles.
2. Policy Deployment: Push security policies—encryption, password, lockout, network configs, app restrictions.
3. Compliance Monitoring: Monitor device status, enforce remediation for non-compliance.
4. Remote Wipe: Wipe lost/stolen devices remotely to prevent data loss.

Example: In Intune, create a compliance policy requiring BitLocker/FileVault, enforce OS updates, and block unapproved apps.

Exam Objective Mapping: CompTIA A+ 220-1102 Objective 2.6 (Mobile device management).

Vulnerability Assessment & Remediation

Regular scanning identifies vulnerabilities before attackers do.

• Use tools such as Nessus, OpenVAS, or Qualys to scan endpoints for missing patches, misconfigurations, and weak controls.
• Integrate scan results with patch management workflow; document remediation steps and verify fixes.
• Schedule recurring assessments and retain reports for compliance.

Integrating Directory, Network, Cloud, and MDM Security

Centralize and automate security using:

• Directory services (Active Directory, Azure AD, Open Directory) for account, group, and policy management.
• Group Policy/MDM for scalable enforcement of security controls.
• Network segmentation (VLANs), NAC (802.1X), and Wi-Fi with RADIUS/MFA to limit access.
• Cloud storage secured with MFA, audit logging, and DLP (OneDrive, Google Drive, Dropbox).
• Automated onboarding/offboarding workflows for fast, secure user/device lifecycle management.

Performance Impact & Security vs. Usability

Some security features (encryption, AV/EDR scans) can slightly impact performance—usually <5% CPU during normal use. Test changes on a pilot group before org-wide rollout. Prioritize user feedback while maintaining required security levels. Monitor system performance after applying security settings and adjust as needed (e.g., schedule AV scans off-hours).

Consolidated Troubleshooting Checklist

• Malware Infection:

1. Isolate device from the network
2. Run updated AV/EDR scan (boot-time if possible)
3. Remove/quarantine threats or reimage if needed
4. Change user credentials and monitor logs

• Failed Updates:

1. Check update and system logs for errors
2. Verify network connectivity and disk space
3. Roll back problematic updates if required
4. Contact vendor support for persistent issues

• Lost or Stolen Device:

1. Initiate remote wipe via MDM
2. Disable user account and revoke access
3. Begin incident response and document actions

• Firewall/App Blocked:

1. Check firewall rules, event logs
2. Temporarily disable firewall if necessary to test connectivity
3. Update rules, re-enable firewall

Quick Reference: Security Best Practices per OS

Printable Workstation Security Checklist

• Apply OS & app updates
• Enable firewall and antivirus/EDR
• Enforce strong, unique user accounts (no sharing, no guest)
• Enforce password policy & MFA
• Configure backup & test restore
• Enable full-disk encryption
• Lock BIOS/UEFI, restrict boot devices
• Disable/secure remote access tools
• Restrict USB and removable media
• Train users on security basics
• Aggregate and monitor logs
• Wipe devices securely before disposal
• Document settings for compliance

Case Studies: Real-World Security Scenarios

Exam Preparation for CompTIA A+ Core 2 (220-1102)

Securing workstations is a core topic for CompTIA A+ Core 2. Here’s how to master it for the exam:

• Understand objectives: Know what each setting does and why it matters—not just memorization, but practical impact (see mapping below).
• Hands-on practice: Set up VMs for Windows, macOS, and Linux. Practice creating accounts, configuring policies, encrypting drives, and setting up firewalls.
• Troubleshooting focus: Study common issues (malware, failed updates, lost devices) and remediation steps.
• Exam “Gotchas”: Don’t forget details like needing Pro/Enterprise for BitLocker, AppLocker limitations, or how to reset an admin password safely.
• Use official objectives: CompTIA provides a downloadable list of official Core 2 Objectives for exam preparation.

Objective Mapping Table

Sample Exam Questions

1. You are configuring a Windows 11 Pro workstation for a finance user who handles sensitive data. Which three security steps are most important to implement?
   

• a) Enable BitLocker with TPM
• b) Disable Windows Defender Firewall
• c) Enforce password policy and MFA
• d) Grant local admin rights
• e) Enable automatic updates  Answer: a, c, e

1. Which tool is used to manage application whitelisting on Windows 10 Pro?
   

• a) AppLocker
• b) Software Restriction Policies
• c) Gatekeeper
• d) AppArmor  Answer: b (AppLocker is Enterprise/Education only)

1. What is the first step when a user reports a ransomware popup?
   

• a) Disconnect from the network
• b) Run antivirus scan
• c) Wipe and reimage device
• d) Notify law enforcement  Answer: a

Quick Reference Cheat Sheet

• Windows: Updates (Settings > Update), Defender (Settings > Security), BitLocker (Control Panel), GPO (gpedit.msc), AppLocker/SRP (GPO)
• macOS: Updates (System Settings), FileVault (Privacy & Security), Firewall (Network or Security & Privacy), Gatekeeper (Security), MDM (Company Portal/Jamf)
• Linux: Updates (apt update), UFW (sudo ufw enable), LUKS (at install), AppArmor/SELinux, adduser/usermod

Exam Scenario Walkthrough

Scenario: Configure a workstation for an HR manager with access to confidential employee data.

• Create a standard user account, remove unnecessary accounts
• Enforce 12+ character password, enable MFA
• Enable full-disk encryption (BitLocker/FileVault)
• Apply all OS and app updates, enable firewall
• Restrict USB ports via Group Policy/MDM
• Set up automatic backups and test restore process
• Document settings for compliance

Why: This approach aligns with least privilege, defense in depth, and data protection requirements—exactly what CompTIA A+ expects.

Conclusion: Stay Vigilant & Keep Practicing

Workstation security is an evolving, holistic process. Technology, threats, and regulations change rapidly, but best practices—layered defenses, regular updates, strong authentication, encryption, backups, monitoring, and user education—are constant. For the CompTIA A+ exam and the real world, focus on the “why” behind each step, practice hands-on configuration, and stay curious.

Your role as an IT pro is to champion security, support users, and continuously adapt. Stay vigilant, document your actions, and keep learning—because your diligence is the organization’s best line of defense.

You’ve got this. Now, go secure those workstations like the pro you are!