A security analyst runs the following command:
# nmap -T4 -F 192.168.30.30
Starting nmap 7.6
Host is up (0.13s latency)
PORT STATE SERVICE
23/tcp open telnet
443/tcp open https
636/tcp open ldaps
Which of the following should the analyst recommend first to harden the system?
Comprehensive Detailed
The nmap scan results show that Telnet (port 23) is open. Telnet transmits data, including credentials, in plaintext, which is insecure and should be disabled to enhance security. Here's an explanation of each option:
A. Disable all protocols that do not use encryption
Disabling unencrypted protocols (such as Telnet) reduces exposure to man-in-the-middle (MITM) attacks and credential sniffing. Telnet should be replaced with a secure protocol like SSH, which provides encryption for transmitted data.
B. Configure client certificates for domain services
While client certificates enhance authentication security, they are more relevant to services like LDAP over SSL (port 636), which is already secure. This would not address the Telnet vulnerability.
C. Ensure that this system is behind a NGFW
A Next-Generation Firewall (NGFW) provides enhanced network security, but it may not mitigate the risks of unencrypted protocols if they are allowed internally.
D. Deploy a publicly trusted root CA for secure websites
Public root CAs are used for website authentication and encryption, relevant only if this system is hosting a publicly accessible HTTPS service. It would not impact Telnet security.
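Added example (not part of the original question or its explanation): a small audit helper that parses nmap's normal output and reports open services that transmit data unencrypted, together with an encrypted replacement. The CLEARTEXT map and the function names are assumptions made for this illustration, and the map is not exhaustive.

```python
import re

# Assumption: well-known cleartext services mapped to encrypted replacements,
# keyed by the service name nmap prints. Illustrative, not exhaustive.
CLEARTEXT = {
    "telnet": "SSH (22/tcp)",
    "ftp": "SFTP or FTPS",
    "http": "HTTPS (443/tcp)",
    "ldap": "LDAPS (636/tcp) or StartTLS",
    "pop3": "POP3S (995/tcp)",
    "imap": "IMAPS (993/tcp)",
}

# Matches port table rows such as "23/tcp open telnet".
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(nmap_text):
    """Return (port, proto, state, service) tuples from nmap normal output."""
    rows = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def cleartext_findings(nmap_text):
    """List open services that send data unencrypted, with a replacement."""
    findings = []
    for port, proto, state, service in parse_ports(nmap_text):
        # Only ports in state "open" are reported; filtered/closed are skipped.
        # Without -sV the service name is a lookup by port number, so treat
        # each finding as a lead to confirm on the host itself.
        if state == "open" and service in CLEARTEXT:
            findings.append((port, proto, service, CLEARTEXT[service]))
    return findings

# Scan output copied from the question above.
SCAN = """\
Starting nmap 7.6
Host is up (0.13s latency)
PORT STATE SERVICE
23/tcp open telnet
443/tcp open https
636/tcp open ldaps
"""

if __name__ == "__main__":
    for port, proto, service, fix in cleartext_findings(SCAN):
        print(f"{port}/{proto} {service}: cleartext, replace with {fix}")
```

For the scan in the question, only 23/tcp telnet is reported; 443/tcp https and 636/tcp ldaps are already encrypted services.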
CIS Controls: Recommendations on secure configurations, especially the use of encrypted protocols.
NIST SP 800-47: Security considerations for network protocols, emphasizing encrypted alternatives like SSH over Telnet.