CompTIA CASP+ (CAS-004) — Question 133
A security architect was asked to modify an existing internal network design to accommodate the following requirements for RDP:
✑ Enforce MFA for RDP.
✑ Ensure RDP connections are only allowed with secure ciphers.
The existing network is extremely complex and not well segmented. Because of these limitations, the company has requested that the connections not be restricted by network-level firewalls or ACLs.
Which of the following should the security architect recommend to meet these requirements?
Answer options
- A. Implement a reverse proxy for remote desktop with a secure cipher configuration enforced.
- B. Implement a bastion host with a secure cipher configuration enforced.
- C. Implement a remote desktop gateway server, enforce secure ciphers, and configure to use OTP.
- D. Implement a GPO that enforces TLS cipher suites and limits remote desktop access to only VPN users.
Correct answer: C
Explanation
The correct answer is C. A Remote Desktop Gateway tunnels RDP inside HTTPS, so the gateway's TLS listener is a single point where cipher suites and protocol versions can be enforced for every RDP session, and its connection authorization policy can be backed by RADIUS/NPS, which is how an OTP (MFA) step is added to the RDP logon. Both requirements are therefore met at the application layer without relying on network segmentation. Option A (a reverse proxy with secure ciphers) and option B (a bastion host with secure ciphers) address the cipher requirement but add no MFA to the RDP logon. Option D satisfies the cipher requirement through a GPO but limits access to VPN users, which is exactly the kind of network-level restriction the company asked to avoid.
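The cipher half of the requirement is a concrete Windows configuration task. The following PowerShell is an added example written for this page, not part of the exam question or any vendor material: it disables weak cipher suites and legacy TLS versions on the Windows Server that hosts the RD Gateway (or any RDP host), forces the RDP listener to the TLS security layer with Network Level Authentication, and returns an audit object so the result can be checked. The list of weak suites and the NLA/encryption-level choices are assumptions made for illustration; adjust them to your baseline.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the exam page): harden the TLS surface that an RD Gateway
# or RDP host presents, then audit the result. Run on the server itself.

# Assumption: these are the suites we consider weak (RC4, 3DES, NULL encryption).
# Windows reports cipher suites under these IANA names.
$WeakSuites = @(
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_NULL_SHA',
    'TLS_RSA_WITH_NULL_SHA256'
)

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$RdpListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Disable-WeakTlsCipherSuites {
    param([string[]]$Suites = $WeakSuites)
    # Get-TlsCipherSuite lists the suites SCHANNEL will currently negotiate.
    $enabled = (Get-TlsCipherSuite).Name
    foreach ($suite in $Suites) {
        if ($enabled -contains $suite) {
            Disable-TlsCipherSuite -Name $suite
            Write-Verbose "Disabled cipher suite $suite"
        }
    }
}

function Disable-LegacyTlsProtocols {
    # Turn off TLS 1.0 and 1.1 on the server side so RDP-over-HTTPS and direct RDP
    # negotiate TLS 1.2 or later. SCHANNEL reads these values at boot: reboot afterwards.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $key = Join-Path $SchannelKey "$proto\Server"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
    }
}

function Set-RdpListenerTlsOnly {
    # SecurityLayer 2      = require TLS (the legacy "RDP Security Layer" is refused)
    # MinEncryptionLevel 3 = High (128-bit); 4 would require FIPS-validated algorithms
    # UserAuthentication 1 = Network Level Authentication before a session is created
    Set-ItemProperty -Path $RdpListenerKey -Name SecurityLayer -Value 2 -Type DWord
    Set-ItemProperty -Path $RdpListenerKey -Name MinEncryptionLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $RdpListenerKey -Name UserAuthentication -Value 1 -Type DWord
}

function Test-RdpTlsHardening {
    # Returns an object describing what is still weak, so the check can be scripted.
    $enabled = (Get-TlsCipherSuite).Name
    $stillWeak = @($WeakSuites | Where-Object { $enabled -contains $_ })
    $listener = Get-ItemProperty -Path $RdpListenerKey
    [pscustomobject]@{
        WeakSuitesEnabled  = $stillWeak
        SecurityLayer      = $listener.SecurityLayer
        MinEncryptionLevel = $listener.MinEncryptionLevel
        NlaRequired        = ($listener.UserAuthentication -eq 1)
        Compliant          = ($stillWeak.Count -eq 0 -and
                              $listener.SecurityLayer -eq 2 -and
                              $listener.MinEncryptionLevel -ge 3 -and
                              $listener.UserAuthentication -eq 1)
    }
}

Disable-WeakTlsCipherSuites
Disable-LegacyTlsProtocols
Set-RdpListenerTlsOnly
Test-RdpTlsHardening
```

Two caveats a practitioner should keep in mind. First, on a domain-joined server a "SSL Cipher Suite Order" GPO overrides the local cipher list, so the enforcement should live in Group Policy and this script is then only the audit; the local `Disable-TlsCipherSuite` call is enough for a standalone gateway. Second, the TLS settings above cover the cipher requirement only. The OTP requirement is met on the RD Gateway by pointing its connection authorization policy at a central NPS/RADIUS server that performs the second factor; that part is configured in the gateway's policy store, not in SCHANNEL.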