CAS-002 Question #327: Real Exam Question with Answer & Explanation
The correct answer is D: Place the remote desktop server(s) on a screened subnet, and implement two-factor.
Question
Options
- A. Deploy a remote desktop server on your internal LAN, and require an Active Directory
- B. Change remote desktop to a non-standard port, and implement password complexity for the
- C. Distribute new IPSec VPN client software to applicable parties. Virtualize remote desktop
- D. Place the remote desktop server(s) on a screened subnet, and implement two-factor
Explanation
Placing RDP servers on a screened subnet with two-factor authentication isolates internal Windows systems from direct remote ingress while maintaining ease-of-use for staff and contractors.
Common mistakes.
- A. Placing an RDP server directly on the internal LAN exposes internal Windows systems to inbound remote desktop traffic, which directly contradicts the risk assessment requirement to limit direct ingress.
- B. Moving RDP to a non-standard port is security through obscurity and provides no meaningful reduction in ingress traffic risk or protection for internal Windows hosts.
- C. An IPSec VPN provides encrypted tunneling but virtualizing RDP without a screened subnet still routes traffic toward internal systems, failing to adequately isolate Windows hosts from direct ingress exposure.
Concept tested. Screened subnet DMZ placement to protect RDP from direct ingress
Reference. https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-network