CompTIA Security+ (SY0-501) — Question 838
A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients. Which of the following should the analyst implement to meet these requirements? (Choose two.)
Answer options
- A. Generate an X.509-compliant certificate that is signed by a trusted CA.
- B. Install and configure an SSH tunnel on the LDAP server.
- C. Ensure port 389 is open between the clients and the servers using the communication.
- D. Ensure port 636 is open between the clients and the servers using the communication.
- E. Remove the LDAP directory service role from the server.
Correct answer: A, D
Explanation
LDAPS is LDAP wrapped in TLS, so the server needs an X.509 certificate (option A) signed by a CA the clients already trust; a self-signed or untrusted certificate would force clients either to fail the connection or to disable verification, which defeats the purpose. LDAPS listens on TCP port 636 (option D), so that port must be reachable from the clients. Because standard LDAP clients support LDAPS natively, this also satisfies the compatibility requirement. Option B would encrypt the traffic, but an SSH tunnel is not something ordinary LDAP clients speak and would need per-client setup. Option C, port 389, carries plaintext LDAP, so opening it does nothing to stop sniffing (StartTLS can upgrade a 389 session to TLS, but the exam's intended answer is LDAPS on 636; in practice, once LDAPS is in place, plaintext binds on 389 should be blocked or refused). Option E removes the directory service altogether, eliminating the function the server exists to provide.
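The following added example (not part of the original question or its explanation) shows the certificate side of option A in working form: it builds a private CA, issues a server certificate whose Subject Alternative Name carries the hypothetical directory server name ldap.example.com, and then verifies the chain and the SAN the way an LDAPS client on port 636 would. The hostname, the working directory and the validity periods are assumptions; in a real deployment the CSR would go to the organization's existing CA rather than to a CA created on the spot.

```shell
#!/bin/sh
# Added example: issue and verify an X.509 certificate for an LDAPS server.
# Assumptions: hostname ldap.example.com, scratch directory in $WORK,
# openssl on PATH. Not code from the original page.
set -e

WORK="${WORK:-$(mktemp -d)}"
LDAP_FQDN="${LDAP_FQDN:-ldap.example.com}"

# Create the (hypothetical) trusted CA that clients will hold in their trust store.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Generate the server key and CSR, then have the CA sign it.
# The SAN must carry the FQDN clients connect to; modern clients ignore the CN
# for hostname matching, and serverAuth EKU marks it as a TLS server cert.
issue_ldap_cert() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ext]
subjectAltName = DNS:$LDAP_FQDN
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$LDAP_FQDN" -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" \
    -config "$WORK/san.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/ldap.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$WORK/san.cnf" -extensions ext \
    -out "$WORK/ldap.crt" 2>/dev/null
}

# Client-side check: returns 0 only if the certificate chains to the trusted CA
# AND names the expected host in its SAN; returns 1 otherwise.
verify_ldap_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/ldap.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/ldap.crt" -noout -text 2>/dev/null \
    | grep -q "DNS:$LDAP_FQDN"
}
```

Usage: source the file, then run `make_ca`, `issue_ldap_cert` and `verify_ldap_cert`; install `$WORK/ldap.key` and `$WORK/ldap.crt` on the directory server and distribute `$WORK/ca.crt` to clients. A certificate that was not issued by the CA in the client's trust store fails `verify_ldap_cert`, which is exactly the failure a correctly configured LDAPS client must produce rather than silently proceeding.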