Exam CAS-004
Question 98

A security engineer is hardening a company's multihomed SFTP server. When scanning a public-facing network interface, the engineer finds the following ports are open:

✑ 25
✑ 110
✑ 137
✑ 138
✑ 139
✑ 445

Internal Windows clients are used to transfer files to the server to stage them for customer download as part of the company's distribution process.

Which of the following would be the BEST solution to harden the system?

    Correct Answer: B

    For hardening the SFTP server, it is best to close unnecessary ports and restrict access to services that should not be publicly accessible. Closing ports 25 (SMTP) and 110 (POP3) is ideal because they are related to email services, which are not needed for SFTP operations. Binding ports 137, 138, 139, and 445 to the internal interface makes sense, as these are associated with Windows networking services (NetBIOS and SMB), which should be accessible only within the internal network. This approach minimizes the attack surface on the public-facing interface while allowing necessary internal services to operate securely.
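
One way to check a host against the policy in the explanation above, as an added example (not part of the original question or discussion): it parses a socket listing in the column layout of Linux `ss -H -tuln` and reports which listeners to close or rebind. The interface addresses, the sample listing and the function names are constructed for illustration, and a Linux host is an assumption.

```python
# Constructed interface address for the multihomed host (assumption, not from the page).
PUBLIC_IP = "203.0.113.10"

# Policy taken from the explanation: mail ports closed, NetBIOS/SMB internal only.
CLOSE = {25, 110}
INTERNAL_ONLY = {137, 138, 139, 445}

# A wildcard bind listens on every interface, including the public one.
WILDCARDS = {"*", "0.0.0.0", "::"}

# Constructed sample in the column layout of `ss -H -tuln`.
SAMPLE = """\
tcp   LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 100  0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0 100  203.0.113.10:110   0.0.0.0:*
udp   UNCONN 0 0    10.0.0.10:137      0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:138        0.0.0.0:*
tcp   LISTEN 0 50   10.0.0.10:139      0.0.0.0:*
tcp   LISTEN 0 50   [::]:445           [::]:*
"""

def parse_listeners(ss_text):
    """Yield (proto, host, port) for each socket line; skip malformed lines."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        host = host.split("%")[0].strip("[]")  # drop %iface suffix and IPv6 brackets
        if port.isdigit():
            yield fields[0], host, int(port)

def audit(ss_text, public_ip=PUBLIC_IP):
    """Return (proto, port, bound_host, action) for every listener violating the policy."""
    findings = []
    for proto, host, port in parse_listeners(ss_text):
        exposed = host in WILDCARDS or host == public_ip
        if port in CLOSE:
            findings.append((proto, port, host, "close"))
        elif port in INTERNAL_ONLY and exposed:
            findings.append((proto, port, host, "rebind-internal"))
    return findings

if __name__ == "__main__":
    for proto, port, host, action in audit(SAMPLE):
        print(f"{proto}/{port} bound to {host}: {action}")
```

Port 22 is not in either policy set, so the SFTP listener is left alone; the wildcard binds on 138 and 445 are flagged because a wildcard address includes the public interface.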

Discussion
user009 Option: B

B. Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface. This option is the best solution to harden the system. By closing ports 25 (SMTP) and 110 (POP3), the engineer eliminates unnecessary email-related services on the SFTP server. Binding ports 137, 138, 139 (NetBIOS and SMB-related services), and 445 (SMB over TCP) to only the internal interface ensures that these services are only accessible internally, reducing the attack surface on the public-facing network interface.

Mr_BuCk3th34D Option: B

The engineer should close any unnecessary ports, such as port 25 (SMTP) and port 110 (POP3), which are not used by the SFTP server. The SFTP server uses port 22 for secure file transfers, so this port should be left open. The engineer should also bind port 22 to only the internal interface, so that it is not accessible from the public internet. The engineer should also bind ports 137, 138, 139, and 445 to only the internal interface. These ports are used for various networking protocols, such as NetBIOS and SMB, and are not needed for the SFTP server. By binding these ports to only the internal interface, the engineer can further harden the system and prevent external access to these services.

hb0011 Option: A

Port 22 is not even listed...

AlexJacobson Option: B

SFTP uses 22 and it needs to be seen by the internet (public). "Internal Windows clients transferring files" translates to "we need SMB (445) running" - so 445 needs to be bound to the internal interface. Ports 25 and 110 relate to mail service and we don't need that at all, so close them.

romero318

Nvm, I think I understand why you said B. That is only for internal and you're saying that 22 needs to be seen by the public so I understand. You really have to read things closely with CompTIA.

ukuwai

As they want to test our reading skills (Eng 101) too.

23169fd Option: B

Close Ports 25 and 110: These ports are not needed for SFTP operations. Closing them reduces the attack surface. Bind Ports 137, 138, 139, and 445 to the Internal Interface: These ports are used for internal Windows file-sharing operations. By binding them only to the internal interface, you ensure they are not exposed to the public-facing network, thus improving security.

OdinAtlasSteel Option: A

A. Close ports 110, 138, and 139. Bind ports 22, 25, and 137 to only the internal interface. Closing unnecessary ports (110, 138, and 139) reduces the attack surface. Binding essential ports (22, 25, and 137) to the internal interface maintains necessary services for SFTP (22) and potentially other services. B. Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface. Closes some potentially less secure ports but includes binding port 445 (commonly used for Windows SMB) exclusively to the internal interface.

BiteSize Option: B

Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

mikey17 Option: A

Answer is A.

add93 Option: A

I can see why it is A, this is a staging site, customers do not need to access the site from the front end. Closing the port publicly makes sense. Now if it stated that customers directly access this from the outside, I might think it is B.

add93

Developers like to do Staging > Public Download server, since controls for a download server can be in place, like attestation or TLS 1.2/1.3 encryption. SFTP on a public-facing interface sounds poor, unless you are already doing SFTP on a secured network.

lordguck Option: B

B: SSH has to be open at least on the external side and 139/445 (one or both) are needed on the internal side.

dangerelchulo Option: B

B is the only option that does not restrict external usage of SFTP making it the only valid answer.