Exam CAS-004 topic 1 question 314 discussion

Actual exam question from CompTIA's CAS-004
Question #: 314
Topic #: 1

SIMULATION
-

A security engineer needs to review the configurations of several devices on the network to meet the following requirements:

• The PostgreSQL server must only allow connectivity in the 10.1.2.0/24 subnet.
• The SSH daemon on the database server must be configured to listen to port 4022.
• The SSH daemon must only accept connections from a single workstation.
• All host-based firewalls must be disabled on all workstations.
• All devices must have the latest updates from within the past eight days.
• All HDDs must be configured to secure data at rest.
• Cleartext services are not allowed.
• All devices must be hardened when possible.


INSTRUCTIONS
-

Click on the various workstations and network devices to review the posture assessment results. Remediate any possible issues or indicate that no issue is found.

Click on Server A to review output data. Select commands in the appropriate tab to remediate connectivity problems to the PostgreSQL database via SSH.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

























Suggested Answer:

Comments

Potato42
Highly Voted 1 year, 4 months ago
Sharing my answers as well:
WAP-A – disable unneeded services (ports 80 and 123 are cleartext), even though HTTP server is set to "disabled".
Laptop A – disable unneeded services (why would a laptop listen on port 80?)
Laptop B – enable disk encryption, disable unneeded services (ports 80 and 8080)
Switch A – change default admin password, enable port security (the switch has 8 enabled interfaces but is connected to only 4 devices), disable unneeded services (port 80)
Switch B – enable port security (the switch has 5 enabled interfaces but is connected to only 3 devices), disable unneeded services (port 80)
PC-A – disable unneeded services (port 80)
PC-B – disable unneeded services (port 80)
PC-C – patch management (for browser and OS updates), disable unneeded services, antivirus scan (due to high CPU and RAM usage)
Server A – tab 4
upvoted 13 times
...
EAlonso
Most Recent 9 months, 4 weeks ago
Question: all the clients (laptops and PCs) have opened 22, 443, 123, 53; I would like to close all of them. For SSH, the port on the client side is dynamic/random, although it will stay the same for the entire SSH session; port 22 is used for a standard SSH server... I guess they don't have a web server (443) and DNS server (53), just clients...
upvoted 1 times
...
armid
10 months, 1 week ago
For the server I would go with tab 4 as it looks like it's the closest. One thing that eludes me though is they are -A (appending) the allow rules. So wouldn't that append the rules AFTER the deny rules (chain num 2), effectively not allowing the traffic anyway? Still, the other 3 tabs don't make sense.
upvoted 1 times
...
b49eb27
1 year, 1 month ago
Server A: the correct one is tab 4. You can rule out the other three tabs just by looking at the first rule.
Rule out tab 3: it has an "output" in the command instead of input.
Rule out tab 2: it's allowing a subnet connection, not an IP.
Rule out tab 1: since the SSH daemon is listening on port 4022, we need to use "--dport" (destination), not "--sport" (source). We want the destination port to match against incoming TCP packets in this scenario.
upvoted 2 times
...
e4af987
1 year, 1 month ago
Switch B also needs admin password changed
upvoted 1 times
e4af987
1 year, 1 month ago
Disregard - I misread
upvoted 1 times
...
...
Delab202
1 year, 4 months ago
Use the answers provided. Just remember to check disable unneeded services for every device from WAP A to PC-C. Just use this to remember the ones that require an extra check mark: LB- FDE, SA-CDA, PCC-PM
upvoted 4 times
...
guwno
1 year, 4 months ago
I disagree with ThatGuyOverThere. HTTP server is disabled on WAP A and both switches, however endpoint devices can still initiate connection over port 80 to the internet, right? So we must disable that option. IMO it should look like this:
WAP A – disable unneeded services
Laptop A – disable unneeded services
Laptop B – Enable full disk encryption, disable unneeded services (not sure about "patching" as the browser version is 81.2.5 instead of 91.2.5)
Switch A – Disable unused ports, port security, change default administrative password
Switch B – disable unneeded services
PC A – disable unneeded services
PC B – disable unneeded services
PC C – Patch management, disable unneeded services, AV Scan
Server A – Tab 4 - only option that is --dport with a single host subnet
upvoted 2 times
guwno
1 year, 4 months ago
Discard what I said. My explanation was wrong. However, I think that my answer is still adequate. Even if HTTP server is disabled, open port 80 on each device is still an unneeded service. The question states that we must disable all unneeded services; port 80 is one of them, even though no traffic will go through that port.
upvoted 1 times
...
...
Anarckii
1 year, 4 months ago
WAP A – disable unneeded services
Laptop A – disable unneeded services
Laptop B – Enable full disk encryption, disable unneeded services
Switch A – Disable unused ports, port security, change default administrative password
Switch B – disable unneeded services
PC A – disable unneeded services
PC B – disable unneeded services
PC C – Patch management, disable unneeded services
Server A – Tab 4 - only option that is --dport with a single host subnet
upvoted 4 times
...
wizwiz
1 year, 5 months ago
Why did no one select enable port security for the switches?
upvoted 3 times
...
Toonce72
1 year, 6 months ago
Port 80 allows cleartext services. I think this is why you would disable unneeded services for each device. Also for me SSID was disabled on the WAP and that would mean enabling connectivity settings would be needed. At least on my test
upvoted 2 times
b49eb27
1 year, 1 month ago
The ssid broadcast does not need to be enabled for devices to connect to it.
upvoted 1 times
...
...
nmap_king_22
1 year, 6 months ago
I am still confused as to why so many ports are being used with port 80 on the devices. Shouldn't we be applying (disabling unused services) for the majority of these devices? Or would it not matter as it is within the same network? @thatguyoverthere, you had some great, easy-to-read, and clear explanations. Thank you
upvoted 2 times
...
ThatGuyOverThere
1 year, 6 months ago
My answers...
WAP A - No Issue
Laptop A - Antivirus scan
Laptop B - Enabled Disk Encryption
Switch A - Change default administrative password, Enable port security
Switch B - No issue
PC A - No issue
PC B - Antivirus scan
PC C - Patch management, Antivirus scan
Server A - Option/Tab 4 for commands
Antivirus scans are for the systems that have higher than normal resource usage to verify nothing malicious is the cause. I believe when they say no cleartext services, they are not referring to all cleartext traffic but rather literal services running on the device. For instance, they make a point to show HTTP server is disabled on some devices. Just because traffic on port 80 is occurring doesn't mean it's running any cleartext services itself. That's why I have no disable unneeded services for anything. I enabled port security for Switch A because it had unused ports that were not disabled. I just counted the number of connected devices and realized it had more enabled ports than it needed.
upvoted 4 times
Toonce72
1 year, 6 months ago
But tab 4 connects the PostgreSQL on 10.1.2.25/32 and instructions say only 10.1.2.0/24
upvoted 1 times
guwno
1 year, 4 months ago
10.1.2.25/32 subnet is within 10.1.2.0/24 subnet
upvoted 1 times
...
...
nmap_king_22
1 year, 6 months ago
that sounds like a solid set of answers. thanks!
upvoted 1 times
...
...
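Added example, not part of any comment above and not the exam's own output: a small first-match model of an iptables INPUT chain that checks three points raised in this thread, namely -A after an existing deny rule, --sport versus --dport for the daemon on port 4022, and whether 10.1.2.25/32 falls inside 10.1.2.0/24. The existing catch-all DROP rule, the neighbour address 10.1.2.30 and the source port 51514 are constructed assumptions.

```python
import ipaddress

def first_match(chain, src, sport, dport, policy="DROP"):
    """Evaluate one inbound TCP packet the way an iptables chain does:
    rules are checked top to bottom and the first match decides."""
    addr = ipaddress.ip_address(src)
    for rule in chain:
        if (addr in ipaddress.ip_network(rule.get("src", "0.0.0.0/0"))
                and rule.get("sport") in (None, sport)
                and rule.get("dport") in (None, dport)):
            return rule["target"]
    return policy  # reached only when no rule matched

def append(chain, rule):          # models iptables -A INPUT ...
    return chain + [rule]

def insert(chain, rule, pos=1):   # models iptables -I INPUT <pos> ...
    return chain[:pos - 1] + [rule] + chain[pos - 1:]

def within(inner, outer):
    """True when CIDR block `inner` lies inside `outer`."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

# Constructed sample data, not the exam's actual output.
EXISTING = [{"target": "DROP"}]  # assumed catch-all deny rule already in the chain
ALLOW_DPORT = {"src": "10.1.2.25/32", "dport": 4022, "target": "ACCEPT"}
ALLOW_SPORT = {"src": "10.1.2.25/32", "sport": 4022, "target": "ACCEPT"}
SSH_FROM_WORKSTATION = ("10.1.2.25", 51514, 4022)  # client source port is ephemeral
SSH_FROM_NEIGHBOUR = ("10.1.2.30", 51514, 4022)

def verdicts():
    return {
        "appended after deny": first_match(append(EXISTING, ALLOW_DPORT), *SSH_FROM_WORKSTATION),
        "inserted before deny": first_match(insert(EXISTING, ALLOW_DPORT), *SSH_FROM_WORKSTATION),
        "sport instead of dport": first_match(insert(EXISTING, ALLOW_SPORT), *SSH_FROM_WORKSTATION),
        "other host in /24": first_match(insert(EXISTING, ALLOW_DPORT), *SSH_FROM_NEIGHBOUR),
        "/32 inside /24": within("10.1.2.25/32", "10.1.2.0/24"),
    }

if __name__ == "__main__":
    for case, result in verdicts().items():
        print(f"{case}: {result}")
```

If the deny is the chain's default policy rather than a rule in the chain, an appended ACCEPT is still reached, because the policy applies only when no rule matches.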
Skarakkio
1 year, 6 months ago
The correct IPTABLES configuration to select is the one shown in the 4th tab.
upvoted 1 times
...
Meep123
1 year, 7 months ago
Does the "disable unneeded services" account for the cleartext ports? 80, 8080, 21?
upvoted 1 times
Meep123
1 year, 7 months ago
Uncle_Lucifer, if what I mentioned above applied, all switches, PCs, and the WAP have cleartext ports open on them. That's probably why it's on every one.
upvoted 3 times
...
...
Uncle_Lucifer
1 year, 8 months ago
Why wasn't the default admin password for switch B changed? It is still in default password.
upvoted 3 times
b49eb27
1 year, 1 month ago
B says "has been changed"
upvoted 1 times
...
Uncle_Lucifer
1 year, 7 months ago
I checked change ADM password in the exam. I couldn't leave it.
upvoted 1 times
...
...
Uncle_Lucifer
1 year, 8 months ago
There is also nothing to disable in Laptop A. I see no issue here again. Can someone tell me why disable unneeded services was selected based on the instructions and criteria provided? I won't even disable screensaver, because it protects your current working screen. If you disable the WAP, password complexity, and disk encryption you will automatically fail.
upvoted 2 times
Alex_2169
1 year, 8 months ago
would the correct answer be not to disable it ?
upvoted 1 times
Uncle_Lucifer
1 year, 8 months ago
There was nothing to disable in the ones I mentioned, but in the exam I took, I chose the answers here. I passed, so I guess it doesn't count against you if you select disable unneeded services even when there is nothing to disable based on the criteria in some of the components.
upvoted 7 times
...
...
...
Uncle_Lucifer
1 year, 8 months ago
why would you need to disable anything in WAP A? Point one thing out based on the directions and requirements provided. There is no issue and reason to disable anything based on the instructions.
upvoted 2 times
b49eb27
1 year, 1 month ago
The WAP is still using ports 80, 123 and 53. All of those are cleartext with other port options for encryption, even 123. A "service" typically refers to a process or application running on a computer system that provides functionality to other systems or users. Services often communicate over well-defined network protocols and use specific ports to facilitate communication.
upvoted 1 times
...
Toonce72
1 year, 6 months ago
Good point for the WAP, but shouldn't you enable all connectivity settings for it since SSID was disabled? Without it enabled, how would wireless devices find it?
upvoted 2 times
nmap_king_22
1 year, 6 months ago
Thanks Toonce, good talking point.
upvoted 1 times
nmap_king_22
1 year, 6 months ago
good talking point
upvoted 1 times
...
...
Toonce72
1 year, 6 months ago
My error. Actually disabling SSID is in fact a good thing because it makes your Wi-Fi network name invisible. Hackers won't see it, well, inexperienced ones, because I am sure an experienced hacker would have more than one way to search for Wi-Fi network names. So I think I'm going with no issues on the WAP.
upvoted 1 times
...
...
Potato42
1 year, 4 months ago
The instructions clearly say "Cleartext services are not allowed" - what more do you need? Ports 80 and 123 are unencrypted by default.
upvoted 5 times
...
...