Exam CS0-002 topic 1 question 167 discussion

Actual exam question from CompTIA's CS0-002
Question #: 167
Topic #: 1

A cybersecurity analyst needs to harden a server that is currently being used as a web server. The server needs to be accessible when entering www.company.com into the browser. Additionally, web pages require frequent updates, which are performed by a remote contractor. Given the following output:

Which of the following should the cybersecurity analyst recommend to harden the server? (Choose two.)

  • A. Uninstall the DNS service.
  • B. Perform a vulnerability scan.
  • C. Change the server's IP to a private IP address.
  • D. Disable the Telnet service.
  • E. Block port 80 with the host-based firewall.
  • F. Change the SSH port to a non-standard port.
Suggested Answer: AD

Comments

alohaBandit
Highly Voted 2 years, 9 months ago
Selected Answer: AD
DNS is out & telnet is out!
upvoted 12 times
2Fish
2 years, 3 months ago
Agree. Telnet and DNS are not needed on a Web server.
upvoted 1 times
Simpbizkit
2 years, 2 months ago
Why would DNS not be needed on a web server?
upvoted 2 times
...
kiduuu
2 years, 2 months ago
https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-configure-your-firewall-for-cpanel-services/
upvoted 2 times
...
...
...
d8viey
Most Recent 1 year, 7 months ago
Selected Answer: AD
D. is obvious. A. DNS service needs to be enabled if the machine is performing the DNS role. The DNS server should be separate from the web server. If the machine needs to resolve DNS it can reach out to the other machine that performs that role. Moving SSH to a non-standard port is "security by obscurity" which is not security. It will still show up on port scans, and they will find it. A web server must have 80 and 443 open.
upvoted 1 times
...
SecurityGuyPP
1 year, 9 months ago
Selected Answer: AD
I will go with AD because:
- DNS server and a web server can run on the same machine, but it is recommended to separate them for security, performance, and scalability reasons.
- Removing telnet is a given.
upvoted 1 times
...
sudoaptgoaway
1 year, 9 months ago
DNS (Domain Name System) information is not typically stored on a web server. DNS is a distributed system that translates human-readable domain names (like www.example.com) into IP addresses (like 192.168.1.1) that computers use to identify each other on the internet.
upvoted 1 times
...
Rori791
1 year, 11 months ago
Selected Answer: DF
The best answer is: D & F. Option D is a good choice because it will help prevent unauthorized access to the server by disabling an unencrypted protocol. Option F is also a good choice because changing the default port for SSH from 22 to a non-standard port will make it harder for attackers to identify and target the SSH service. This will add an extra layer of security to the server. Option A is wrong since DNS is required for the server to be accessible via a domain name: “server needs to be accessible when entering www.company.com into the browser”. Option B is not relevant. Option C is also wrong because changing the server's IP to a private IP address will make it inaccessible via a public domain name. Option E is not the best option since it will make the web server inaccessible via HTTP, which is required for the server to function as a web server (also option F is better).
upvoted 2 times
[Removed]
1 year, 7 months ago
But with an nmap scan, you can find that port too :D. A&D is the best answer in this case.
upvoted 1 times
...
...
JoInn
2 years, 2 months ago
Selected Answer: DF
Disabling the Telnet service would harden the server by removing an insecure protocol that transmits data in cleartext and could allow unauthorized access to the server. Changing the SSH port to a non-standard port would harden the server by reducing the exposure to brute-force attacks or port scans that target the default SSH port (22). Uninstalling the DNS service, performing a vulnerability scan, changing the server’s IP to a private IP address, or blocking port 80 with the host-based firewall would not harden the server or could affect its functionality as a web server. Reference: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
upvoted 4 times
...
MrNYC
2 years, 2 months ago
The line "The server needs to be accessible when entering www.company.com into the browser" means you do need DNS (Port 53) open. So I am leaning towards Telnet (Port 23) is out and HTTP is out (Port 80).
upvoted 1 times
...
Simpbizkit
2 years, 2 months ago
Selected Answer: DE
I agree that you do not need telnet for a web server. However the question says that you need to be able to type in "www.company.com" to gain access. I'm pretty sure uninstalling the DNS service would make that impossible. Changing SSH's port is good but I think getting rid of HTTP would be better since it's the unsecure version of HTTPS and you already have that so it seems redundant.
upvoted 4 times
...
kiduuu
2 years, 2 months ago
Selected Answer: DF
I really can't understand what is in the minds of some... It is a web server!!! If you closed port 53 on a webhost, it could potentially cause issues with the webhost's DNS resolution. Port 53 is used for DNS queries and responses, which are necessary for a web server to resolve domain names into IP addresses. If the webhost cannot resolve domain names, it may not be able to properly serve web pages or applications.
upvoted 3 times
...
Eric1234
2 years, 4 months ago
Selected Answer: AD
Web Server does not need the DNS role installed, and with SSH already installed why would you keep Telnet? AD
upvoted 3 times
...
absabs
2 years, 4 months ago
Selected Answer: BD
My view is: he/she must research the DNS service, HTTP port and SSH version. Why not select B? Please discuss with me. I'm going with B D.
upvoted 1 times
...
NickDrops
2 years, 5 months ago
Selected Answer: AD
It's A and D. You don't need DNS running on a web server. Other servers will provide the entries for that server to be found.
upvoted 4 times
...
MrRobotJ
2 years, 7 months ago
Selected Answer: AD
Should be A & D
upvoted 1 times
MrRobotJ
2 years, 7 months ago
https://www.quora.com/Does-a-web-server-require-DNS
upvoted 1 times
...
...
Whoah
2 years, 7 months ago
Selected Answer: AD
DNS has no place on a web server, it is not inherently secure. Removing telnet is a given. Port 80 is not unsecure unless you leave it so.
upvoted 2 times
...
KingDeeko
2 years, 8 months ago
Selected Answer: DF
It's definitely DF, y'all are doing it wrong lmao.. do your research.. there's nothing wrong with having port 80 open if it's configured properly with security... port 22 should be changed because it is a common practice. It protects against attacks such as brute force and also it will cause a threat to do some digging if they were to try to find it, which would throw some flags..
upvoted 2 times
jleonard_ddc
2 years, 3 months ago
SSH won't be vulnerable if it isn't open to the public. Just because the service is running doesn't mean it can't have access controls in place or firewall protections.
upvoted 1 times
...
...
PTcruiser
2 years, 9 months ago
Selected Answer: DE
A host-based firewall would allow you to block HTTP since you have HTTPS, which is more secure. I think blocking DNS wouldn't allow someone to type www.company.com, they would have to type the IP address of the web server. And making the web server private IP would only make it accessible in the internal network.
upvoted 3 times
...
Cizzla7049
2 years, 9 months ago
Selected Answer: DE
DE disable port 23 telnet. Disable port 80, it's a finance server so it has to be secure https.
upvoted 3 times
...
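The thread turns on which listening services a web server role actually needs. The following is an added example, not part of the original question or any comment: it audits `ss -tuln` style output against a role allowlist. The sample output is constructed (the question's own output is not reproduced on this page), and the allowlist of HTTP, HTTPS and SSH for the contractor is an assumption drawn from the question text.

```python
import re

# Assumption from the question text: browser access (HTTP/HTTPS) plus an
# encrypted remote channel (SSH) for the contractor's page updates.
REQUIRED = {("tcp", 22): "ssh", ("tcp", 80): "http", ("tcp", 443): "https"}
KNOWN = {22: "ssh", 23: "telnet", 53: "dns", 80: "http", 443: "https"}  # labels only

# Constructed `ss -tuln` style output; NOT the output from the exam question.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511    [::]:443           [::]:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return a set of (proto, address, port) for each listening socket."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        m = re.fullmatch(r"(.+):(\d+)", fields[4])  # handles [::]:443 too
        if m:
            found.add((fields[0], m.group(1), int(m.group(2))))
    return found

def audit(ss_output, required=REQUIRED):
    """Return (listeners to remove, required services not listening)."""
    # Loopback-only sockets are not reachable from the network, so skip them.
    exposed = {(proto, port) for proto, addr, port in parse_listeners(ss_output)
               if not addr.startswith(("127.", "[::1]"))}
    remove = sorted((port, proto, KNOWN.get(port, "unknown"))
                    for proto, port in exposed if (proto, port) not in required)
    missing = sorted(required[key] for key in required if key not in exposed)
    return remove, missing

if __name__ == "__main__":
    remove, missing = audit(SAMPLE_SS)
    for port, proto, name in remove:
        print(f"not required for web role: {proto}/{port} ({name})")
    print("required but not listening:", missing or "none")
```

A listener on port 53 means the host is running a DNS service; resolving names as a client, or being found by name through a DNS server elsewhere, does not require one.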
Community vote distribution
A (35%)
C (25%)
B (20%)