CompTIA Security+ (SY0-601) — Question 36
An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be BEST to prevent reinfection from the infection vector?
Answer options
- A. Prevent connections over TFTP from the internal network.
- B. Create a firewall rule that blocks port 22 from the internet to the server.
- C. Disable file sharing over port 445 to the server.
- D. Block port 3389 inbound from untrusted networks.
Correct answer: D
Explanation
The correct answer is D. The scenario gives two facts that point to the vector: the initial compromise was an internet-facing Windows server, and the malware family spreads by an attacker manually logging on to a server and running the payload. Interactive logon to a Windows server from the internet is almost always Remote Desktop Protocol, which listens on TCP port 3389. Blocking 3389 inbound from untrusted networks removes the path the attacker used, so the same host (or its rebuilt replacement) cannot simply be logged into again.
The other options do not match the described vector. TFTP (A) is a trivial file-transfer protocol with no interactive logon, and the question concerns traffic from the internet, not the internal network. Port 22 (B) is SSH, which is not the usual remote-logon service on a Windows server. SMB on port 445 (C) is file sharing; it is a common lateral-movement channel, but it is not how an attacker manually logs on to run code, and SMB should not be exposed to the internet in the first place.
In practice, blocking 3389 from untrusted networks is the immediate containment step, not the whole fix: RDP should be reachable only through a VPN or jump host with MFA, the compromised server should be rebuilt rather than cleaned, and any credentials used on it should be rotated, since an attacker who already holds valid credentials will try the next exposed service.
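The following PowerShell is an added example of how the containment step in answer D is applied on the affected Windows server itself, together with the checks a responder would run to confirm that RDP was the vector and is now scoped. It is not part of the original question or its explanation. It assumes the built-in Windows Defender Firewall is in use, that the script runs in an elevated session, and that the trusted administrative ranges `10.10.0.0/16` and `192.168.100.0/24` are placeholders to be replaced with the organization's real management networks.

```powershell
# Added example (not from the exam page). Run elevated on the affected server.
# Assumption: the trusted admin/jump-host ranges below are placeholders.
$TrustedAdminNets = @('10.10.0.0/16', '192.168.100.0/24')

# 1. Make the default inbound action Block on every profile so that only
#    explicit Allow rules admit traffic (block rules always win over allow
#    rules in Windows Firewall, so we scope the allow rule instead of writing
#    a "block everything except" rule).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the stock "Remote Desktop" rules, which allow 3389 from Any.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled False

# 3. Re-allow RDP only from the trusted management networks.
$RuleName = 'RDP - trusted admin networks only'
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $TrustedAdminNets -Action Allow -Profile Any | Out-Null

# 4. Verify the resulting scope: the address filter on the new rule must list
#    only the trusted ranges, and nothing else may still allow 3389 from Any.
Write-Host "`n== Active inbound rules touching TCP/3389 =="
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
    } | Format-Table -AutoSize

# 5. Confirm the vector from the Security log: logon type 10 (RemoteInteractive)
#    is an RDP session. 4624 = success, 4625 = failure. Parsing the event XML by
#    field name avoids relying on positional Properties[] indexes.
function Get-RdpLogons {
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($id in 4624, 4625) {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = $id; StartTime = $since
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $data = ([xml]$e.ToXml()).Event.EventData.Data
            $field = @{}
            foreach ($d in $data) { $field[$d.Name] = $d.'#text' }
            if ($field['LogonType'] -eq '10') {
                [pscustomobject]@{
                    Time      = $e.TimeCreated
                    EventId   = $id
                    Outcome   = if ($id -eq 4624) { 'success' } else { 'failure' }
                    User      = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
                    SourceIp  = $field['IpAddress']
                }
            }
        }
    }
}

Write-Host "`n== RDP (logon type 10) events, last 14 days, by source address =="
Get-RdpLogons -Days 14 |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Any source address in the final table that is not inside `$TrustedAdminNets` is evidence of the manual-logon vector the question describes and belongs in the incident timeline. After the rule change, a `Test-NetConnection <server> -Port 3389` from an untrusted network should report `TcpTestSucceeded : False`; from a trusted jump host it should still succeed.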