2.7 Given a scenario, apply workstation security options and hardening techniques.
📘CompTIA A+ Core 2 (220-1202)
What is Account Management?
Account management means controlling how user accounts are created, used, limited, and removed on a computer or network.
The goal is to protect the system, prevent unauthorized access, and reduce damage if an account is misused.
In an IT environment, account management is usually handled using:
- Windows Local Users and Groups
- Active Directory (in domain environments)
- Group Policy
1. Restrict User Permissions
What it means
Restricting user permissions means giving users only the access they need to do their job and nothing more.
This follows the Principle of Least Privilege.
Types of user accounts
- Administrator
  - Full control over the system
  - Can install software, change settings, manage other users
  - Should be used only when necessary
- Standard User
  - Limited permissions
  - Can run programs and access their own files
  - Cannot install system-wide software or change security settings
Why this is important
- Reduces the risk of malware causing system-wide damage
- Prevents accidental system changes
- Limits what an attacker can do if an account is compromised
Exam tip
CompTIA expects you to know that most users should NOT be administrators.
2. Restrict Log-In Times
What it means
Restricting log-in times allows administrators to define when a user is allowed to log in to a system.
This is usually configured in:
- Active Directory user account settings
Why this is used
- Prevents access outside approved hours
- Reduces risk during off-hours when systems are less monitored
- Helps enforce company security policies
Key points
- Users can be blocked from logging in during certain days or times
- Common in business and school environments
Exam tip
This is a preventive security control.
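Worked example (added here, not part of the original notes): setting logon hours on an Active Directory user with PowerShell. It assumes the ActiveDirectory module (RSAT) is installed, the account running it may modify the user, and the user name jdoe is a placeholder. The logonHours attribute is a 21-byte bitmap (168 bits, one per hour of the week, Sunday 00:00 first, least-significant bit of each byte = earliest hour) and the domain controller interprets it in UTC, so convert local business hours before building the mask.

```powershell
# Added example: restrict an AD user to a weekly logon window.
# Assumptions: ActiveDirectory module available, 'jdoe' is a placeholder user.

function New-LogonHoursMask {
    param(
        # Days allowed: 0 = Sunday .. 6 = Saturday
        [int[]]$Days,
        # Allowed window in UTC hours (start inclusive, end exclusive)
        [ValidateRange(0, 23)][int]$StartHourUtc,
        [ValidateRange(1, 24)][int]$EndHourUtc
    )
    $mask = New-Object byte[] 21          # 21 bytes * 8 bits = 168 hours
    foreach ($d in $Days) {
        for ($h = $StartHourUtc; $h -lt $EndHourUtc; $h++) {
            $hourOfWeek = $d * 24 + $h
            $byteIndex  = [int][math]::Floor($hourOfWeek / 8)
            $bit        = $hourOfWeek % 8
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl $bit)
        }
    }
    return $mask
}

# Monday to Friday, 08:00-18:00 UTC (shift the hours for the site's time zone).
$mask = New-LogonHoursMask -Days 1, 2, 3, 4, 5 -StartHourUtc 8 -EndHourUtc 18

# An unset logonHours means "no restriction"; -Replace writes the whole bitmap.
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = $mask }

# Verify: print one line per day, a 1 for each allowed hour, Sunday first.
$stored = (Get-ADUser -Identity 'jdoe' -Properties logonHours).logonHours
$bits = foreach ($b in $stored) { for ($i = 0; $i -lt 8; $i++) { ($b -shr $i) -band 1 } }
for ($d = 0; $d -lt 7; $d++) {
    '{0,-9} {1}' -f ([System.DayOfWeek]$d), (-join $bits[($d * 24)..($d * 24 + 23)])
}

# Classic equivalent (takes local time and converts for you):
#   net user jdoe /times:M-F,08:00-18:00
```

A user who is already logged in when the window closes is not forced off by default; the "Network security: Force logoff when logon hours expire" security option controls that, so pair the two when the policy requires it.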
3. Disable Guest Account
What is the Guest Account?
The Guest account is a built-in account that allows temporary access without a password.
Why it should be disabled
- No accountability (many users share the same account)
- Very limited logging and tracking
- Can be abused for unauthorized access
Best practice
- Always disable the Guest account
- Create proper user accounts instead
Exam tip
If you see “Guest account enabled” in a question, it is usually a security risk.
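Worked example (added here, not from the original notes) covering both the least-privilege rule from section 1 and the Guest account from section 3: a local-account audit for a standalone or domain-joined workstation. It assumes an elevated PowerShell session with the built-in LocalAccounts module (Windows 10/11, Server 2016 and later); the approved-administrator list and the user name jdoe are placeholders.

```powershell
# Added example: audit local accounts against least privilege, then disable Guest.
# Assumptions: run elevated; $ApprovedAdmins and 'jdoe' are placeholders.
#Requires -RunAsAdministrator

# Accounts that are allowed to hold local administrator rights (placeholder list).
$ApprovedAdmins = @('Administrator', 'helpdesk-admin')

# 1. Anyone in the local Administrators group who is not on the approved list
#    is a least-privilege violation and should be moved to Users.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    # Name is COMPUTER\user or DOMAIN\user; compare on the part after the backslash.
    $short = ($m.Name -split '\\')[-1]
    if ($ApprovedAdmins -notcontains $short) {
        Write-Warning "Unexpected local administrator: $($m.Name) ($($m.ObjectClass))"
    }
}

# 2. Guest: report its state and disable it if it is enabled.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($null -ne $guest) {
    if ($guest.Enabled) {
        Write-Warning 'Guest account is enabled; disabling it.'
        Disable-LocalUser -Name 'Guest'
    }
    else {
        Write-Output 'Guest account is already disabled.'
    }
}

# 3. New people get a standard account in the Users group, never Administrators.
$newUser = 'jdoe'   # placeholder
if (-not (Get-LocalUser -Name $newUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Initial password for $newUser"
    New-LocalUser -Name $newUser -Password $pw -FullName 'Jane Doe' `
                  -Description 'Standard user' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $newUser
}

# Confirm the new account landed in Users and not in Administrators.
Get-LocalGroupMember -Group 'Users' |
    Where-Object { ($_.Name -split '\\')[-1] -eq $newUser }
```

Running the audit part on a schedule (for example as a scheduled task that writes to a log) turns a one-time hardening step into an ongoing check for accounts that drift back into the Administrators group.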
4. Use Failed Attempts Lockout
What it means
A failed attempts lockout locks a user account after a certain number of incorrect password attempts.
Example settings:
- Lock account after 5 failed attempts
- Lockout duration: 15–30 minutes
- Reset counter after a set time
Why this is important
- Prevents brute-force password attacks
- Stops attackers from guessing passwords repeatedly
Where it is configured
- Local Security Policy
- Group Policy (domain environments)
Exam tip
This control protects against password-guessing attacks.
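Worked example (added here, not from the original notes): applying the lockout settings from the list above on a standalone workstation, then checking the Security log for lockouts so the policy is not only configured but also watched. It assumes an elevated session; the account name jdoe is a placeholder. In a domain these values come from the Default Domain Policy GPO instead, and lockout events are written on the domain controller that processed them.

```powershell
# Added example: configure and monitor account lockout on a standalone workstation.
# Assumptions: run elevated; 'jdoe' is a placeholder account name.
#Requires -RunAsAdministrator

# Show the current policy first so the change is visible in the transcript.
net accounts

# lockoutthreshold: failed attempts before the account locks
# lockoutduration : minutes the account stays locked (0 = until an admin unlocks)
# lockoutwindow   : minutes after which the failed-attempt counter resets
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Detection: event 4740 "A user account was locked out" (requires the default
# "Audit User Account Management: Success" setting). Parse the event XML so the
# field names are explicit instead of relying on property positions.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            # In 4740, TargetDomainName carries the caller computer name.
            Caller  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        }
    } | Format-Table -AutoSize

# A burst of lockouts from one caller is worth a look before unlocking anything.
# Domain accounts are unlocked with:
#   Unlock-ADAccount -Identity 'jdoe'
```

A short lockout window with a generous threshold blocks automated guessing while keeping a mistyped password from turning into a help-desk ticket; the event query above is how you confirm the policy is actually firing.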
5. Use Timeout / Screen Lock
What it means
A timeout or screen lock automatically locks the screen after a period of inactivity.
How it works
- User steps away from the computer
- After a set time (for example, 5–15 minutes), the screen locks
- User must re-enter their password to continue
Why this is important
- Prevents unauthorized access to unattended systems
- Protects sensitive data visible on the screen
Common settings
- Screen saver with password protection
- Automatic lock via Group Policy
Exam tip
This is a physical and logical security control.
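Worked example (added here, not from the original notes): enforcing a password-protected screen lock after 10 minutes of inactivity, which sits inside the 5–15 minute range mentioned above. It assumes an elevated session on Windows 10/11 and writes the same registry values that the corresponding Group Policy settings write; in a domain you would deploy them through a GPO rather than editing HKCU by hand.

```powershell
# Added example: enforce a password-protected screen lock on inactivity.
# Assumptions: run elevated; the 600-second timeout is a chosen value.
#Requires -RunAsAdministrator

$timeoutSeconds = 600

# Layer 1, machine-wide: the "Interactive logon: Machine inactivity limit"
# security option. It applies to every user regardless of screen-saver choices.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $sys -Name 'InactivityTimeoutSecs' -PropertyType DWord `
                 -Value $timeoutSeconds -Force | Out-Null

# Layer 2, per-user policy keys ("Screen saver timeout", "Password protect the
# screen saver", "Force specific screen saver" under User Configuration).
# Written under HKCU these apply to the current user only; a GPO applies them
# to everyone. Values are REG_SZ, which Set-ItemProperty creates from strings.
$desk = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
if (-not (Test-Path $desk)) { New-Item -Path $desk -Force | Out-Null }
Set-ItemProperty -Path $desk -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desk -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $desk -Name 'ScreenSaveTimeOut'   -Value "$timeoutSeconds"
# Without a screen saver executable the timeout never fires; the blank one is fine.
Set-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"

# Verify both layers.
Get-ItemProperty -Path $sys  -Name 'InactivityTimeoutSecs'
Get-ItemProperty -Path $desk -Name 'ScreenSaveActive', 'ScreenSaverIsSecure',
                                    'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

# Users can still lock immediately when stepping away (Win+L does the same):
#   rundll32.exe user32.dll,LockWorkStation
```

The machine inactivity limit is the setting to rely on for compliance, because a user cannot override it from the Personalization settings the way they can with a plain screen-saver choice.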
6. Apply Account Expiration Dates
What it means
An account expiration date automatically disables a user account after a specified date.
When this is used
- Temporary employees
- Contractors
- Interns
- Short-term access requirements
Benefits
- Prevents old accounts from being reused
- Reduces risk of orphaned accounts
- No need to remember to disable accounts manually
Exam tip
Account expiration is a lifecycle management control.
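Worked example (added here, not from the original notes): setting an expiration date for a contractor account in Active Directory and for a local account on a standalone workstation, plus the weekly review that catches accounts about to expire or already expired. It assumes the ActiveDirectory module for the domain part and the built-in LocalAccounts module for the local part; the account names contractor01 and intern01 and the 90-day term are placeholders.

```powershell
# Added example: set and audit account expiration dates.
# Assumptions: ActiveDirectory module present; account names are placeholders.

# --- Domain: contractor whose engagement ends in 90 days ---
$end = (Get-Date).Date.AddDays(90)
Set-ADAccountExpiration -Identity 'contractor01' -DateTime $end

# Confirm. Note that an expired AD account still shows Enabled = True; expiration
# denies logon without flipping the enabled flag.
Get-ADUser -Identity 'contractor01' -Properties AccountExpirationDate |
    Select-Object SamAccountName, Enabled, AccountExpirationDate

# Weekly review, part 1: accounts expiring within 7 days, so owners extend them
# deliberately instead of calling the help desk on the day access stops.
Search-ADAccount -AccountExpiring -TimeSpan '7.00:00:00' |
    Select-Object SamAccountName, AccountExpirationDate

# Weekly review, part 2: accounts already past their date but never disabled.
# Logon is already refused; disabling them as well makes the state explicit
# in reports and stops the account being "revived" by someone clearing the date.
Search-ADAccount -AccountExpired | Where-Object Enabled |
    ForEach-Object {
        Write-Output "Disabling expired account $($_.SamAccountName)"
        Disable-ADAccount -Identity $_
    }

# --- Standalone workstation: the same control for a local account ---
Set-LocalUser -Name 'intern01' -AccountExpires $end
Get-LocalUser -Name 'intern01' | Select-Object Name, Enabled, AccountExpires

# If the engagement is extended, clear the date rather than creating a new account:
#   Clear-ADAccountExpiration -Identity 'contractor01'
#   Set-LocalUser -Name 'intern01' -AccountNeverExpires
```

Setting the date at account creation, not at offboarding, is what makes this a lifecycle control: the access ends on schedule even if the offboarding ticket never arrives.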
Summary Table (Exam Quick Review)
| Feature | Purpose |
|---|---|
| Restrict user permissions | Limit access to only what is needed |
| Restrict log-in times | Control when users can access systems |
| Disable guest account | Prevent anonymous access |
| Failed attempts lockout | Stop brute-force attacks |
| Timeout / screen lock | Protect unattended computers |
| Account expiration dates | Automatically disable temporary accounts |
Key Exam Takeaways
- Account management is about access control
- Always apply the principle of least privilege
- Disable unused or unnecessary accounts
- Use automated controls (lockouts, timeouts, expiration) whenever possible
- These controls reduce attack surface and human error
