Exam CAS-004 topic 1 question 98 discussion

B. Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface. This option is the best solution to harden the system. By closing ports 25 (SMTP) and 110 (POP3), the engineer eliminates unnecessary email-related services on the SFTP server. Binding ports 137, 138, 139 (NetBIOS and SMB-related services), and 445 (SMB over TCP) to only the internal interface ensures that these services are only accessible internally, reducing the attack surface on the public-facing network interface.

The engineer should close any unnecessary ports, such as port 25 (SMTP) and port 110 (POP3), which are not used by the SFTP server. The SFTP server uses port 22 for secure file transfers, so this port should be left open. The engineer should also bind port 22 to only the internal interface, so that it is not accessible from the public internet. The engineer should also bind ports 137, 138, 139, and 445 to only the internal interface. These ports are used for various networking protocols, such as NetBIOS and SMB, and are not needed for the SFTP server. By binding these ports to only the internal interface, the engineer can further harden the system and prevent external access to these services

Close Ports 25 and 110: These ports are not needed for SFTP operations. Closing them reduces the attack surface. Bind Ports 137, 138, 139, and 445 to the Internal Interface: These ports are used for internal Windows file-sharing operations. By binding them only to the internal interface, you ensure they are not exposed to the public-facing network, thus improving security.

Port 22 is not even listed...

A. Close ports 110, 138, and 139. Bind ports 22, 25, and 137 to only the internal interface. Closing unnecessary ports (110, 138, and 139) reduces the attack surface. Binding essential ports (22, 25, and 137) to the internal interface maintains necessary services for SFTP (22) and potentially other services. B. Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface. Closes some potentially less secure ports but includes binding port 445 (commonly used for Windows SMB) exclusively to the internal interface.

Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

Answer is A.

I can see why it is A, this is a staging site, customers do not need to access the site from the front end. Closing the port publicly makes sense. now if it stated that customers directly access this from the outside, I might think it is B.

B: SSH hast to be open at least on the external side and 139/445 (one or both) are needed on the internal side

B is the only option that does not restrict external usage of SFTP making it the only valid answer.

SFTP uses 22 and it needs to be seen by the internet (public). "Internal Windows clients transferring files" translates to "we need SMB (445) running" - so 445 needs to be bind to the internal interface. Ports 25 and 110 relates to mail service and we don't need that at all, so close them.