Hardening Server with Directory Services Role | SY0-601 Exam Answer


Question

A security analyst is hardening a server with the directory services role installed.

The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients.

Which of the following should the analyst implement to meet these requirements? (Choose two.)

Answers

A. Generate an X.509-compliant certificate that is signed by a trusted Certificate Authority (CA).
B. Install and configure an SSH tunnel on the LDAP server.
C. Ensure port 389 is open between the clients and the server.
D. Ensure port 636 is open between the clients and the servers using the communication.
E. Remove the LDAP directory service role from the server.

Correct answer: A and D.

Explanations

The security analyst needs to secure LDAP traffic so that it cannot be monitored or sniffed while maintaining compatibility with LDAP clients. To achieve this, the analyst should implement the following two measures:

  1. Generate an X.509-compliant certificate that is signed by a trusted Certificate Authority (CA): LDAP traffic is protected by wrapping it in SSL/TLS (LDAP over SSL, or LDAPS). That requires a server certificate, and the server presents it to the client during the SSL/TLS handshake so that the two sides can agree on an encrypted channel. Because LDAP clients validate the server certificate against the CAs they already trust, a certificate issued by a trusted CA is accepted without any client-side changes, which keeps the clients compatible; a self-signed certificate would either be rejected or need to be distributed to every client first. Once the channel is established, the LDAP traffic is encrypted and cannot be monitored or sniffed on the wire.

  2. Ensure port 636 is open between the clients and the servers using the communication: by default, LDAP communicates on port 389. When LDAP is configured to use SSL/TLS, clients connect to port 636 instead. To secure LDAP traffic while keeping existing LDAP clients working, the security analyst must make sure that port 636 is reachable from the clients to the LDAP server, for example by allowing it through host and network firewalls; otherwise clients cannot establish the encrypted connection at all.
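As an added example (not from the original page or any vendor documentation), here is a PowerShell check a defender can run from a domain-joined Windows client to confirm that measures 1 and 2 actually hold together: port 636 is reachable, and the certificate presented there chains to a CA the client trusts. The function name `Test-LdapsEndpoint` and the domain controller FQDN are assumptions; `Get-ADDomainController` is the ActiveDirectory module cmdlet.

```powershell
# Added example, not code from the original page. From a domain-joined client, open a
# TLS session to the LDAPS port and let the default .NET validator judge the server
# certificate the way an LDAP client would (chain to a trusted CA, name matches $Server).
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,   # assumption: a DC FQDN such as dc01.corp.example
        [int]$Port = 636                          # LDAPS port from the question
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)           # fails here if port 636 is blocked
        # No custom validation callback, so the machine trust store decides.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($Server)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            [pscustomobject]@{
                Server   = $Server
                Port     = $Port
                Trusted  = $true
                Protocol = $ssl.SslProtocol
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $cert.NotAfter
                Reason   = $null
            }
        }
        catch [System.Security.Authentication.AuthenticationException] {
            # Untrusted issuer, self-signed, expired or name mismatch lands here:
            # LDAP clients that verify certificates would refuse this server as well.
            [pscustomobject]@{
                Server   = $Server
                Port     = $Port
                Trusted  = $false
                Protocol = $null
                Subject  = $null
                Issuer   = $null
                NotAfter = $null
                Reason   = $_.Exception.Message
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

# Check every domain controller in the domain (requires the ActiveDirectory module).
Get-ADDomainController -Filter * |
    ForEach-Object { Test-LdapsEndpoint -Server $_.HostName } |
    Format-Table Server, Trusted, Issuer, NotAfter, Reason -AutoSize
```

A row with `Trusted = $False` and a chain-related `Reason` means the certificate on port 636 is not signed by a CA the clients trust, so measure 1 is not yet met even though the port is open.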

Option B, installing and configuring an SSH tunnel on the LDAP server, is not a viable option because standard LDAP clients do not speak SSH; every client would need a separate tunnel set up, which breaks the compatibility requirement.

Option C, ensuring port 389 is open between the clients and the server, does not by itself protect the traffic. Plain LDAP over port 389 is unencrypted, so anything sent over it, including bind credentials and directory data, can be monitored or sniffed.

Option E, removing the LDAP directory service role from the server, is not a viable option since this would prevent the LDAP server from functioning altogether.

In conclusion, to secure LDAP traffic and maintain compatibility with LDAP clients, the security analyst should generate an X.509-compliant certificate signed by a trusted CA and ensure that port 636 is open between the clients and the LDAP server.