CompTIA CySA+ (CS0-003) — Question 294
In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success of this brute-force attack? (Choose two.)
Answer options
- A. Increase the granularity of log-on event auditing on all devices.
- B. Enable host firewall rules to block all outbound traffic to TCP port 3389.
- C. Configure user account lockout after a limited number of failed attempts.
- D. Implement a firewall block for the IP address of the remote system.
- E. Install a third-party remote access tool and disable RDP on all devices.
- F. Block inbound traffic to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.
Correct answer: C, F
Explanation
Configuring user account lockout after a limited number of failed attempts (C) directly counters repeated password guessing against the same account: once the threshold is reached, the account is locked temporarily or permanently, so further guesses are rejected regardless of whether they are correct. Blocking inbound traffic to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall (F) further mitigates the risk by preventing unauthorized external access to RDP entirely. The other options either do not address the immediate threat or may create unnecessary complications.
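As an added example, not part of the question or any exam material, the following Python applies the logic of the two correct controls to constructed Windows Security events (Event ID 4625 is a failed logon; logon type 10 is RemoteInteractive, i.e. RDP). The lockout threshold, reset window and trusted network range are assumed values chosen for the illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for the example (not taken from the question).
LOCKOUT_THRESHOLD = 5                       # control C: lock after 5 failures
LOCKOUT_WINDOW = timedelta(minutes=30)      # failures counted within this window
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # control F: allowed sources

def _t(hhmm):
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample events: seven RDP failures for one account from one
# external IP, one internal RDP failure, one non-RDP failure, one success.
SAMPLE_EVENTS = [
    {"time": _t("09:00") + timedelta(minutes=i), "event_id": 4625, "logon_type": 10,
     "account": "CORP\\jdoe", "source_ip": "203.0.113.45"}
    for i in range(7)
] + [
    {"time": _t("09:03"), "event_id": 4625, "logon_type": 10,
     "account": "CORP\\asmith", "source_ip": "10.1.2.3"},
    {"time": _t("09:04"), "event_id": 4625, "logon_type": 3,   # network logon, not RDP
     "account": "CORP\\jdoe", "source_ip": "203.0.113.45"},
    {"time": _t("09:05"), "event_id": 4624, "logon_type": 10,  # successful logon
     "account": "CORP\\jdoe", "source_ip": "10.1.2.3"},
]

def rdp_failures(events):
    """Keep only failed RDP logons: Event ID 4625 with logon type 10."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]

def lockout_triggers(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Control C: for each account, count failures in a sliding window and return
    {account: time} at the moment the count first reaches the lockout threshold."""
    recent, locked = defaultdict(deque), {}
    for e in sorted(rdp_failures(events), key=lambda e: e["time"]):
        acct = e["account"]
        if acct in locked:
            continue                       # locked: later guesses never reach a password check
        q = recent[acct]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()                    # drop failures older than the reset window
        if len(q) >= threshold:
            locked[acct] = e["time"]
    return locked

def untrusted_sources(events, trusted=TRUSTED_NETWORKS):
    """Control F: source IPs of RDP failures outside the trusted ranges, i.e. the
    traffic a perimeter rule limiting inbound TCP/3389 would have dropped."""
    ips = {ipaddress.ip_address(e["source_ip"]) for e in rdp_failures(events)}
    return sorted(str(ip) for ip in ips if not any(ip in net for net in trusted))
```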