CompTIA Server+ (SK0-005) — Question 164

The network's IDS is giving multiple alerts that unauthorized traffic from a critical application server is being sent to a known-bad public IP address.
One of the alerts contains the following information:

Exploit Alert -

Attempted User Privilege Gain -
2/2/07-3:09:09 10.1.200.32 --> 208.206.12.9:80

This server application is part of a cluster in which two other servers are also servicing clients. The server administrator has verified the other servers are not sending out traffic to that public IP address. The IP address subnet of the application servers is 10.1.200.0/26. Which of the following should the administrator perform to ensure only authorized traffic is being sent from the application server and downtime is minimized? (Choose two.)

Answer options

• A. Disable all services on the affected application server.
• B. Perform a vulnerability scan on all the servers within the cluster and patch accordingly.
• C. Block access to 208.206.12.9 from all servers on the network.
• D. Change the IP address of all the servers in the cluster to the 208.206.12.0/26 subnet.
• E. Enable GPO to install an antivirus on all the servers and perform a weekly reboot.
• F. Perform an antivirus scan on all servers within the cluster and reboot each server.

Correct answer: B, C

Explanation

The correct answer is B and C because performing a vulnerability scan allows the administrator to identify and address potential weaknesses in the servers, while blocking access to the known-bad IP address mitigates the risk of further unauthorized traffic. Option A is incorrect as disabling services may lead to unnecessary downtime, and D is not viable since changing IP addresses does not address the root cause of unauthorized traffic. Options E and F, while beneficial for security, do not directly address the immediate issue of unauthorized traffic.