Exam CAS-004
Question 314

SIMULATION


A security engineer needs to review the configurations of several devices on the network to meet the following requirements:

• The PostgreSQL server must only allow connectivity in the 10.1.2.0/24 subnet.

• The SSH daemon on the database server must be configured to listen to port 4022.

• The SSH daemon must only accept connections from a single workstation.

• All host-based firewalls must be disabled on all workstations.

• All devices must have the latest updates from within the past eight days.

• All HDDs must be configured to secure data at rest.

• Cleartext services are not allowed.

• All devices must be hardened when possible.

INSTRUCTIONS


Click on the various workstations and network devices to review the posture assessment results. Remediate any possible issues or indicate that no issue is found.

Click on Server A to review output data. Select commands in the appropriate tab to remediate connectivity problems to the PostgreSQL database via SSH.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

    Correct Answer:

Discussion
Potato42

Sharing my answers as well:
WAP-A – disable unneeded services (ports 80 and 123 are cleartext), even though HTTP server is set to "disabled".
Laptop A – disable unneeded services (why would a laptop listen on port 80?)
Laptop B – enable disk encryption, disable unneeded services (ports 80 and 8080)
Switch A – change default admin password, enable port security (the switch has 8 enabled interfaces but is connected to only 4 devices), disable unneeded services (port 80)
Switch B – enable port security (the switch has 5 enabled interfaces but is connected to only 3 devices), disable unneeded services (port 80)
PC-A – disable unneeded services (port 80)
PC-B – disable unneeded services (port 80)
PC-C – patch management (for browser and OS updates), disable unneeded services, antivirus scan (due to high CPU and RAM usage)
Server A – tab 4

Delab202

Use the answers provided. Just remember to check disable unneeded services for every device from WAP A to PC-C. Just use this to remember the ones that require an extra check mark: LB-FDE, SA-CDA, PCC-PM.

Anarckii

WAP A – disable unneeded services
Laptop A – disable unneeded services
Laptop B – Enable full disk encryption, disable unneeded services
Switch A – Disable unused ports, port security, change default administrative password
Switch B – disable unneeded services
PC A – disable unneeded services
PC B – disable unneeded services
PC C – Patch management, disable unneeded services
Server A – Tab 4 - only option that is --dport with a single host subnet

ThatGuyOverThere

My answers...
WAP A - No Issue
Laptop A - Antivirus scan
Laptop B - Enabled Disk Encryption
Switch A - Change default administrative password, Enable port security
Switch B - No issue
PC A - No issue
PC B - Antivirus scan
PC C - Patch management, Antivirus scan
Server A - Option/Tab 4 for commands

Antivirus scans are for the systems that have higher than normal resource usage, to verify nothing malicious is the cause. I believe when they say no cleartext services, they are not referring to all cleartext traffic but rather literal services running on the device. For instance, they make a point to show HTTP server is disabled on some devices. Just because traffic on port 80 is occurring doesn't mean it's running any cleartext services itself. That's why I have no disable unneeded services for anything. I enabled port security for Switch A because it had unused ports that were not disabled. I just counted the number of connected devices and realized it had more enabled ports than it needed.

nmap_king_22

That sounds like a solid set of answers. Thanks!

Toonce72

But tab 4 connects the PostgreSQL on 10.1.2.25/32 and the instructions say only 10.1.2.0/24.

guwno

The 10.1.2.25/32 subnet is within the 10.1.2.0/24 subnet.

wizwiz

Why did no one select enable port security for the switches?

Uncle_Lucifer

Why wasn't the default admin password for Switch B changed? It is still the default password.

Uncle_Lucifer

I checked change ADM password in the exam. I couldn't leave it.

b49eb27

B says "has been changed".

b49eb27

Server A: the correct one is tab 4. Can rule out the other three tabs just by looking at the first rule.
Rule out tab 3: it has an "output" in the command instead of input.
Rule out tab 2: it's allowing a subnet connection, not an IP.
Rule out tab 1: since the SSH daemon is listening on port 4022 we need to use "--dport" (destination), not "--sport" (source). We want the destination port to match against incoming TCP packets in this scenario.

guwno

I disagree with ThatGuyOverThere. HTTP server is disabled on WAP A and both switches, however endpoint devices can still initiate connections over port 80 to the internet, right? So we must disable that option. IMO it should look like this:
WAP A – disable unneeded services
Laptop A – disable unneeded services
Laptop B – Enable full disk encryption, disable unneeded services (not sure about "patching" as the browser version is 81.2.5 instead of 91.2.5)
Switch A – Disable unused ports, port security, change default administrative password
Switch B – disable unneeded services
PC A – disable unneeded services
PC B – disable unneeded services
PC C – Patch management, disable unneeded services, AV Scan
Server A – Tab 4 - only option that is --dport with a single host subnet

guwno

Disregard what I said. My explanation was wrong. However, I think that my answer is still adequate. Even if HTTP server is disabled, an open port 80 on each device is still an unneeded service. The question states that we must disable all unneeded services, and port 80 is one of them even though no traffic will go through that port.

Toonce72

Port 80 allows cleartext services. I think this is why you would disable unneeded services for each device. Also, for me SSID was disabled on the WAP, and that would mean enabling connectivity settings would be needed. At least on my test.

b49eb27

The ssid broadcast does not need to be enabled for devices to connect to it.

nmap_king_22

I am still confused as to why so many ports are being used with port 80 on the devices. Shouldn't we be applying (disabling unused services) for the majority of these devices? Or would it not matter as it is within the same network? @thatguyoverthere, you had some great, easy-to-read, and clear explanations. Thank you.

Uncle_Lucifer

There is also nothing to disable in Laptop A. I see no issue here again. Can someone tell me why disable unneeded services was selected, based on the instructions and criteria provided? I won't even disable the screensaver, because it protects your current working screen. If you disable the WAP, password complexity, and disk encryption you will automatically fail.

Alex_2169

Would the correct answer be not to disable it?

Uncle_Lucifer

There was nothing to disable in the ones I mentioned, but in the exam I took, I chose the answers here. I passed, so I guess it doesn't count against you if you select disable unneeded services even when there is nothing to disable based on the criteria in some of the components.

Uncle_Lucifer

Why would you need to disable anything in WAP A? Point one thing out based on the directions and requirements provided. There is no issue and no reason to disable anything based on the instructions.

Toonce72

Good point for the WAP, but shouldn't you enable all connectivity settings for it since SSID was disabled? Without it enabled, how would wireless devices find it?

nmap_king_22

Thanks Toonce, good talking point.

nmap_king_22

Good talking point.

Toonce72

My error. Actually, disabling SSID is in fact a good thing because it makes your Wi-Fi network name invisible. Hackers won't see it, well, inexperienced ones, because I am sure an experienced hacker would have more than one way to search for Wi-Fi network names. So I think I'm going with no issues on the WAP.

Potato42

The instructions clearly say "Cleartext services are not allowed" - what do you need more? Ports 80 and 123 are unencrypted by default.

b49eb27

The WAP is still using ports 80, 123 and 53. All of those are cleartext with other port options for encryption, even 123. A "service" typically refers to a process or application running on a computer system that provides functionality to other systems or users. Services often communicate over well-defined network protocols and use specific ports to facilitate communication.

EAlonso

Question: all the clients (laptops and PCs) have 22, 443, 123, 53 opened. I would like to close all of them. For SSH the port on the client side is dynamic/random, although it will stay the same for the entire SSH session; port 22 is used for a standard SSH server... I guess they don't have a web server (443) and DNS server (53), just clients...

armid

For the server I would go with tab 4 as it looks like it's the closest. One thing that eludes me though is they are -A (appending) the allow rules. So wouldn't that append the rules AFTER the deny rules (chain num 2), effectively not allowing the traffic anyway? Still, the other 3 tabs don't make sense.
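
The three points argued in this thread (guwno's note that 10.1.2.25/32 lies inside 10.1.2.0/24, b49eb27's reasons for ruling out the --sport and OUTPUT variants, and armid's question about -A appending an allow rule behind a deny rule) can be checked against a small first-match model of a netfilter chain. The Python below is an added example, not part of the original discussion or of the exam simulation; the iptables command strings in it are constructed for illustration and are not the contents of the simulation's tabs, and the client source port 51514 is an arbitrary assumed ephemeral port.

```python
"""First-match model of a netfilter INPUT chain (added example; the command
strings are constructed and are not the simulation's tab contents)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SSH_PORT = 4022                                        # from the requirements
ALLOWED_SUBNET = ipaddress.ip_network("10.1.2.0/24")   # from the requirements
CLIENT_EPHEMERAL_PORT = 51514                          # assumed client source port


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    sport: Optional[int] = None


def parse_iptables(cmd: str):
    """Parse the iptables subset used here (-A/-I CHAIN, -p, -s, --dport,
    --sport, -j). Returns (action, Rule); unknown tokens are skipped."""
    t = cmd.split()
    action, kw, i = "-A", {}, 0
    while i < len(t):
        tok = t[i]
        if tok in ("-A", "-I"):
            action, kw["chain"] = tok, t[i + 1]
        elif tok == "-p":
            kw["proto"] = t[i + 1]
        elif tok == "-s":
            kw["src"] = ipaddress.ip_network(t[i + 1], strict=False)
        elif tok == "--dport":
            kw["dport"] = int(t[i + 1])
        elif tok == "--sport":
            kw["sport"] = int(t[i + 1])
        elif tok == "-j":
            kw["target"] = t[i + 1]
        else:
            i += 1            # e.g. "iptables", "-m", "tcp"
            continue
        i += 2
    return action, Rule(**kw)


def build_chain(commands: List[str], chain: str = "INPUT") -> List[Rule]:
    """Apply commands in order: -A appends to the end, -I (no position)
    inserts at the top. Rules aimed at other chains are ignored."""
    rules: List[Rule] = []
    for cmd in commands:
        action, rule = parse_iptables(cmd)
        if rule.chain != chain:
            continue
        if action == "-A":
            rules.append(rule)
        else:
            rules.insert(0, rule)
    return rules


def matches(rule: Rule, proto: str, src: str, sport: int, dport: int) -> bool:
    """A rule matches when every match it specifies agrees with the packet."""
    return ((rule.proto is None or rule.proto == proto)
            and (rule.src is None or ipaddress.ip_address(src) in rule.src)
            and (rule.sport is None or rule.sport == sport)
            and (rule.dport is None or rule.dport == dport))


def verdict(chain: List[Rule], src: str, dport: int,
            sport: int = CLIENT_EPHEMERAL_PORT, proto: str = "tcp",
            policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule's target wins,
    otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, proto, src, sport, dport):
            return rule.target
    return policy


def host_in_subnet(host_cidr: str, subnet_cidr: str) -> bool:
    """E.g. 10.1.2.25/32 is inside 10.1.2.0/24."""
    return ipaddress.ip_network(host_cidr).subnet_of(ipaddress.ip_network(subnet_cidr))


def ssh_rule_ok(cmd: str) -> bool:
    """Does one ACCEPT rule express 'SSH on 4022 from a single workstation in
    10.1.2.0/24'? Inbound traffic is matched on INPUT by destination port; a
    /24 source, a --sport match or the OUTPUT chain fails the requirement."""
    _, r = parse_iptables(cmd)
    return (r.chain == "INPUT" and r.target == "ACCEPT"
            and r.dport == SSH_PORT and r.sport is None
            and r.src is not None and r.src.prefixlen == 32
            and r.src.subnet_of(ALLOWED_SUBNET))


# Constructed candidate commands for the demonstration.
DENY_ALL = "iptables -A INPUT -p tcp -j DROP"
APPENDED_ALLOW = "iptables -A INPUT -p tcp -s 10.1.2.25/32 --dport 4022 -j ACCEPT"
INSERTED_ALLOW = "iptables -I INPUT -p tcp -s 10.1.2.25/32 --dport 4022 -j ACCEPT"
SPORT_MISTAKE = "iptables -I INPUT -p tcp -s 10.1.2.25/32 --sport 4022 -j ACCEPT"
OUTPUT_MISTAKE = "iptables -I OUTPUT -p tcp -s 10.1.2.25/32 --dport 4022 -j ACCEPT"
SUBNET_RULE = "iptables -I INPUT -p tcp -s 10.1.2.0/24 --dport 4022 -j ACCEPT"

if __name__ == "__main__":
    for label, cmds in [("appended after DROP", [DENY_ALL, APPENDED_ALLOW]),
                        ("inserted before DROP", [DENY_ALL, INSERTED_ALLOW]),
                        ("--sport instead of --dport", [DENY_ALL, SPORT_MISTAKE])]:
        print(f"{label:28} -> {verdict(build_chain(cmds), '10.1.2.25', SSH_PORT)}")
```

Netfilter evaluates a chain top to bottom and the first matching rule's target decides, so an ACCEPT appended with -A behind a catch-all DROP is never reached, while -I places it in front. The model deliberately ignores connection tracking and the other matches real rulesets use; it is only enough to see why the INPUT-chain, --dport, single-host variant is the one that satisfies the SSH requirement, and why a /32 host address is still "in" the /24 the requirement names.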

e4af987

Switch B also needs the admin password changed.

e4af987

Disregard - I misread.

Skarakkio

The correct IPTABLES configuration to select is the one shown in the 4th tab.

Meep123

Does the "disable unneeded services" account for the cleartext ports? 80, 8080, 21?

Meep123

Uncle_Lucifer, if what I mentioned above applies, all switches, PCs, and the WAP have cleartext ports open on them. That's probably why it's on every one.