
CAS-004 Exam - Question 314


SIMULATION


A security engineer needs to review the configurations of several devices on the network to meet the following requirements:

• The PostgreSQL server must only allow connectivity in the 10.1.2.0/24 subnet.

• The SSH daemon on the database server must be configured to listen on port 4022.

• The SSH daemon must only accept connections from a single workstation.

• All host-based firewalls must be disabled on all workstations.

• All devices must have the latest updates from within the past eight days.

• All HDDs must be configured to secure data at rest.

• Cleartext services are not allowed.

• All devices must be hardened when possible.

INSTRUCTIONS


Click on the various workstations and network devices to review the posture assessment results. Remediate any possible issues or indicate that no issue is found.

Click on Server A to review output data. Select commands in the appropriate tab to remediate connectivity problems to the PostgreSQL database via SSH.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Correct Answer:

Discussion

17 comments
Potato42
Dec 19, 2023

Sharing my answers as well:
WAP-A – disable unneeded services (ports 80 and 123 are cleartext), even though HTTP server is set to "disabled".
Laptop A – disable unneeded services (why would a laptop listen on port 80?)
Laptop B – enable disk encryption, disable unneeded services (ports 80 and 8080)
Switch A – change default admin password, enable port security (the switch has 8 enabled interfaces but is connected to only 4 devices), disable unneeded services (port 80)
Switch B – enable port security (the switch has 5 enabled interfaces but is connected to only 3 devices), disable unneeded services (port 80)
PC-A – disable unneeded services (port 80)
PC-B – disable unneeded services (port 80)
PC-C – patch management (for browser and OS updates), disable unneeded services, antivirus scan (due to high CPU and RAM usage)
Server A – tab 4

ThatGuyOverThere
Nov 3, 2023

My answers...
WAP A - No Issue
Laptop A - Antivirus scan
Laptop B - Enabled Disk Encryption
Switch A - Change default administrative password, Enable port security
Switch B - No issue
PC A - No issue
PC B - Antivirus scan
PC C - Patch management, Antivirus scan
Server A - Option/Tab 4 for commands

Antivirus scans are for the systems that have higher than normal resource usage to verify nothing malicious is the cause. I believe when they say no cleartext services, they are not referring to all cleartext traffic but rather literal services running on the device. For instance they make a point to show HTTP server is disabled on some devices. Just because traffic on port 80 is occurring, doesn't mean it's running any cleartext services itself. That's why I have no disable unneeded services for anything. I enabled port security for Switch A because it had unused ports that were not disabled. I just counted the number of connected devices and realized it had more enabled ports than it needed.

nmap_king_22
Nov 4, 2023

that sounds like a solid set of answers. thanks!

Toonce72
Nov 11, 2023

But tab 4 connects the PostgreSQL on 10.1.2.25/32 and instructions say only 10.1.2.0/24

guwno
Jan 8, 2024

10.1.2.25/32 subnet is within 10.1.2.0/24 subnet

Anarckii
Jan 4, 2024

WAP A – disable unneeded services
Laptop A – disable unneeded services
Laptop B – Enable full disk encryption, disable unneeded services
Switch A – Disable unused ports, port security, change default administrative password
Switch B – disable unneeded services
PC A – disable unneeded services
PC B – disable unneeded services
PC C – Patch management, disable unneeded services
Server A – Tab 4 - only option that is --dport with a single host subnet

Delab202
Jan 14, 2024

Use the answers provided. Just remember to check disable unneeded services for every device from WAP A to PC-C. Just use this to remember the ones that require an extra check mark: LB - FDE, SA - CDA, PCC - PM

Uncle_Lucifer
Aug 30, 2023

Why wasn't the default admin password for switch B changed? It still has the default password.

Uncle_Lucifer
Sep 16, 2023

I checked change ADM password in the exam. I couldn't leave it.

b49eb27
Apr 11, 2024

B says "has been changed"

wizwiz
Nov 21, 2023

Why did no one select enable port security for the switches?

Uncle_Lucifer
Aug 30, 2023

why would you need to disable anything in WAP A? Point one thing out based on the directions and requirements provided. There is no issue and reason to disable anything based on the instructions.

Toonce72
Nov 5, 2023

Good point for the WAP but shouldn't you enable all connectivity settings for it since SSID was disabled? Without it enabled how would wireless devices find it?

nmap_king_22
Nov 7, 2023

thanks Toonce, good talking point

nmap_king_22
Nov 7, 2023

good talking point

Toonce72
Nov 11, 2023

My error. Actually disabling SSID is in fact a good thing because it makes your Wi-Fi network name invisible. Hackers won't see it, well, inexperienced ones, because I am sure an experienced hacker would have more than one way to search for Wi-Fi network names. So I think I'm going with no issues on the WAP

Potato42
Dec 19, 2023

The instructions clearly say "Cleartext services are not allowed" - what do you need more? Ports 80 and 123 are unencrypted by default.

b49eb27
Apr 11, 2024

The WAP is still using ports 80, 123 and 53. All of those are cleartext with other port options for encryption, even 123. A "service" typically refers to a process or application running on a computer system that provides functionality to other systems or users. Services often communicate over well-defined network protocols and use specific ports to facilitate communication.

Uncle_Lucifer
Aug 30, 2023

There is also nothing to disable in Laptop A. I see no issue here again. Can someone tell me why disable unneeded services was selected based on the instructions and criteria provided? I won't even disable screensaver, because it protects your current working screen. If you disable the WAP, password complexity, and disk encryption you will automatically fail.

Alex_2169
Sep 11, 2023

would the correct answer be not to disable it?

Uncle_Lucifer
Sep 13, 2023

there was nothing to disable in the ones I mentioned but in the exam I took, I chose the answers here. I passed so I guess it doesn't count against you if you select disable unneeded services even when there is nothing to disable based on the criteria in some of the components

nmap_king_22
Nov 4, 2023

I am still confused as to why so many ports are being used with port 80 on the devices. Shouldn't we be applying (disabling unused services) for the majority of these devices? Or would it not matter as it is within the same network? @thatguyoverthere, you had some great, easy-to-read, and clear explanations. Thank you

Toonce72
Nov 4, 2023

Port 80 allows cleartext services. I think this is why you would disable unneeded services for each device. Also for me SSID was disabled on the WAP and that would mean enabling connectivity settings would be needed. At least on my test

b49eb27
Apr 11, 2024

The ssid broadcast does not need to be enabled for devices to connect to it.

guwno
Jan 8, 2024

I disagree with ThatGuyOverThere. HTTP server is disabled on WAP A and both switches, however endpoint devices can still initiate connection over port 80 to the internet, right? So we must disable that option. IMO it should look like this:
WAP A – disable unneeded services
Laptop A – disable unneeded services
Laptop B – Enable full disk encryption, disable unneeded services (not sure about "patching" as the browser version is 81.2.5 instead of 91.2.5)
Switch A – Disable unused ports, port security, change default administrative password
Switch B – disable unneeded services
PC A – disable unneeded services
PC B – disable unneeded services
PC C – Patch management, disable unneeded services, AV Scan
Server A – Tab 4 - only option that is --dport with a single host subnet

guwno
Jan 8, 2024

Discard what I said. My explanation was wrong. However I think that my answer is still adequate. Even if HTTP server is disabled, open port 80 on each device is still an unneeded service. Question states that we must disable all unneeded services, port 80 is one of them even though no traffic will go through that port.

b49eb27
Apr 12, 2024

Server A, the correct one is tab 4. You can rule out the other three tabs just by looking at the first rule.
Rule out tab 3: It has an "OUTPUT" in the command instead of INPUT.
Rule out tab 2: It's allowing a subnet connection not an IP.
Rule out tab 1: Since the SSH daemon is listening on port 4022 we need to use "--dport" (destination) not "--sport" (source). We want the destination port to match against incoming TCP packets in this scenario.

Meep123
Oct 2, 2023

Does the "disable unneeded services" account for the cleartext ports? 80, 8080, 21?

Meep123
Oct 2, 2023

Uncle_Lucifer, if what I mentioned above applied, all switches, PCs, and the WAP have cleartext ports open on them. That's probably why it's on every one.

Skarakkio
Oct 18, 2023

The correct IPTABLES configuration to select is the one shown in the 4th tab.

e4af987
Apr 2, 2024

Switch B also needs admin password changed

e4af987
Apr 3, 2024

Disregard - I misread

armid
Jul 5, 2024

For the server I would go with tab 4 as it looks like it's the closest. One thing that eludes me though is they are -A (appending) the allow rules. So wouldn't that append the rules AFTER the deny rules (chain num 2), effectively not allowing the traffic anyway? Still, the other 3 tabs don't make sense.
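To check the two points raised in this thread (guwno's note that 10.1.2.25/32 sits inside 10.1.2.0/24, and armid's question about whether `-A` appends ACCEPT rules behind an existing DROP), here is an added example that models how a netfilter chain is walked, first match wins. It is not the exam's tab content or any commenter's code; the workstation address 10.1.2.25 and the catch-all DROP rule are constructed for illustration.

```python
import ipaddress

# Each rule mirrors `iptables -<A|I> <chain> -p tcp -s <cidr> --dport <port> -j <target>`
# as a tuple: (chain, source CIDR, destination port or None for any, target).
WORKSTATION = "10.1.2.25/32"   # constructed: the single admin workstation
DB_SUBNET = "10.1.2.0/24"      # from the exam requirements
SSH_PORT, PG_PORT = 4022, 5432 # sshd moved to 4022; PostgreSQL default 5432


def evaluate(rules, chain, src_ip, dport, policy="DROP"):
    """Walk the chain like netfilter does: the first matching rule decides."""
    src = ipaddress.ip_address(src_ip)
    for r_chain, r_src, r_port, target in rules:
        if r_chain != chain:
            continue
        if r_port is not None and r_port != dport:
            continue
        if src in ipaddress.ip_network(r_src):
            return target
    return policy  # no rule matched: the chain's default policy applies


ALLOW = [
    ("INPUT", WORKSTATION, SSH_PORT, "ACCEPT"),  # -s 10.1.2.25/32 --dport 4022
    ("INPUT", DB_SUBNET, PG_PORT, "ACCEPT"),     # -s 10.1.2.0/24 --dport 5432
]
DENY_ALL = [("INPUT", "0.0.0.0/0", None, "DROP")]  # constructed pre-existing catch-all


def chain_with_append():
    """`iptables -A INPUT ...` places the ACCEPT rules after the existing DROP."""
    return DENY_ALL + ALLOW


def chain_with_insert():
    """`iptables -I INPUT 1 ...` places the ACCEPT rules before the DROP."""
    return ALLOW + DENY_ALL


def host_in_subnet(host_cidr, subnet_cidr):
    """True when a /32 (or any prefix) is fully contained in the subnet."""
    return ipaddress.ip_network(host_cidr).subnet_of(ipaddress.ip_network(subnet_cidr))


if __name__ == "__main__":
    print("appended:", evaluate(chain_with_append(), "INPUT", "10.1.2.25", SSH_PORT))
    print("inserted:", evaluate(chain_with_insert(), "INPUT", "10.1.2.25", SSH_PORT))
    print("10.1.2.25/32 in 10.1.2.0/24:", host_in_subnet(WORKSTATION, DB_SUBNET))
```

With a catch-all DROP already in the chain, appended ACCEPT rules never get a chance to match, so the rule order (or `iptables -L --line-numbers` before applying) is what a reviewer should verify.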

EAlonso
Jul 18, 2024

Question, all the clients (laptops and PCs) have ports 22, 443, 123, 53 open. I would like to close all of them. For SSH the port on the client side is dynamic/random, although it will stay the same for the entire SSH session; port 22 is used for a standard SSH server... I guess they don't have a web server (443) and DNS server (53), just clients...