Securing a New Production VM: Best Practices for CompTIA Network+

How to Secure a New Production VM: Tips for CompTIA Network+ Exam


Question

A development team has been testing a web server on a virtual server to create a web application.

Once satisfied, the development team clones the entire virtual server into production.

The development team needs to use HTTP, HTTPS, and SSH to connect to the new server.

Which of the following should the network administrator do to help secure this new production VM? (Choose two.)

A. Disable the HTTP port in the host firewall.

B. Upgrade the firmware on the firewall.

C. Generate new SSH host keys.

D. Remove unnecessary testing accounts.

E. Issue a new self-signed certificate.

CE.

Explanations

The scenario described in the question involves a development team that has tested a web server on a virtual machine (VM) and is now cloning the entire VM into production. The development team needs to use HTTP, HTTPS, and SSH to connect to the new server, and the network administrator is being asked to take steps to help secure the new production VM.

Let's go through each of the options presented and explain why they may or may not be appropriate:

A. Disable the HTTP port in the host firewall. This option is not necessary because disabling the HTTP port would prevent users from accessing the web application via the web browser. Since the web application was already tested in the development environment, it is assumed that HTTP access is required for the production environment.

B. Upgrade the firmware on the firewall. This option is not relevant to the scenario because there is no indication that the firewall is causing any issues or is outdated. Upgrading firmware is typically done to fix bugs, improve performance, or add features. Unless there is a specific reason to upgrade the firmware, this option is not necessary.

C. Generate new SSH host keys. This option is important because SSH host keys are used to verify the identity of a remote server when connecting via SSH. Since the development team cloned the entire virtual server into production, the SSH host keys will be identical to those used in the development environment. This means that anyone who has access to the development environment could potentially use the same keys to access the production environment, which is a security risk. Generating new SSH host keys for the production environment will help ensure that only authorized users can access the server via SSH.

D. Remove unnecessary testing accounts. This option is important because there may be testing accounts that were created in the development environment that are no longer needed in the production environment. Leaving these accounts in place could create security vulnerabilities. By removing unnecessary testing accounts, the network administrator can help reduce the attack surface of the production environment.

E. Issue a new self-signed certificate. This option is important if the web application is being accessed over HTTPS. A self-signed certificate is a certificate that is signed by the same entity that issued it, rather than a trusted third-party certificate authority. While self-signed certificates can provide encryption for HTTPS traffic, they do not provide the same level of trust and verification as a certificate issued by a trusted third party. If the web application is being accessed by external users, it may be important to issue a new self-signed certificate to help ensure that users trust the website.

In summary, options C and E are the best choices to help secure the new production VM. Generating new SSH host keys will help ensure that only authorized users can access the server via SSH, while issuing a new self-signed certificate will help ensure that users trust the website when accessing it over HTTPS.
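
For option C, a check that can be run after cloning, added here as an example and not part of the original page: it computes the same SHA256 fingerprint that `ssh-keygen -lf` prints for each host's public host key and reports any key present on more than one host, which is how a clone with unregenerated host keys shows up. The host names and key bytes are constructed samples, and the function names are this example's own.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(pubkey_line):
    """Return the 'SHA256:...' fingerprint that `ssh-keygen -lf` prints."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line is corrupt or was edited by hand.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(inventory):
    """Map fingerprint -> sorted hosts for keys present on more than one host."""
    seen = defaultdict(set)
    for host, lines in inventory.items():
        for line in lines:
            seen[fingerprint(line)].add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}


def _sample_ed25519(seed, comment):
    """Constructed sample: well-formed ssh-ed25519 blob with fake key bytes."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for a real key
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed inventory: each host's /etc/ssh/ssh_host_ed25519_key.pub line.
INVENTORY = {
    "dev-web01": [_sample_ed25519(b"dev", "root@dev-web01")],
    "prod-web01": [_sample_ed25519(b"dev", "root@dev-web01")],  # clone, keys kept
    "prod-web02": [_sample_ed25519(b"prod2", "root@prod-web02")],  # regenerated
}

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(INVENTORY).items():
        print(f"{fp} shared by {', '.join(hosts)}: regenerate on the clone")
```

On a host flagged this way, removing the old `/etc/ssh/ssh_host_*` files and running `ssh-keygen -A` creates fresh host keys; clients that had pinned the old key will then see a changed-key warning on their next connection.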