CompTIA SecurityX (CAS-005) — Question 269

A security engineer is reviewing the results of an annual penetration test. The report lists one of the results as "critical severity" on several domain-joined workstations:

SSL/TLS Weak Protocols Supported TLS 1.0, TLS 1.1

Which of the following should the security engineer implement to remediate this finding in the most centralized manner?

Answer options

• A. An SCCM patch to disable weak protocols in the Schannel hive
• B. A GPO to disable weak protocols in the Schannel hive
• C. A PowerShell script to disable weak protocols in the HKLM Schannel hive
• D. A registry script to disable weak protocols in the Schannel hive

Correct answer: B

Explanation

The correct answer is B, as using a Group Policy Object (GPO) allows for centralized management and enforcement of security settings across multiple workstations in a domain. Options A, C, and D provide methods for remediation but lack the centralized control and ease of deployment that a GPO offers.