
SY0-501 Question #96: Real Exam Question with Answer & Explanation

The correct answers are A and D: generate an X.509-compliant certificate signed by a trusted CA, and ensure port 636 is open between the clients and the servers. Together these implement LDAPS (LDAP over SSL/TLS): the certificate lets clients authenticate the directory server and negotiate an encrypted session, and TCP port 636 is where standard LDAP clients expect that encrypted service, so the traffic cannot be sniffed and existing clients keep working.

Submitted by takeshi77 · Mar 4, 2026

Question

A security analyst is hardening a server with the directory services role installed. The analyst must ensure LDAP traffic cannot be monitored or sniffed and maintains compatibility with LDAP clients. Which of the following should the analyst implement to meet these requirements? (Select TWO).

Options

  • A. Generate an X.509-compliant certificate that is signed by a trusted CA.
  • B. Install and configure an SSH tunnel on the LDAP server.
  • C. Ensure port 389 is open between the clients and the servers using the communication.
  • D. Ensure port 636 is open between the clients and the servers using the communication.
  • E. Remove the LDAP directory service role from the server.

Explanation

LDAPS wraps the entire LDAP session, including the bind credentials, in TLS on TCP port 636, so a passive observer on the network sees only ciphertext. For that to be safe the server certificate must be X.509-compliant and issued by a CA the clients already trust; otherwise clients cannot validate the server and either fail the connection or have to disable verification, which leaves them open to an attacker who impersonates the directory server. Because LDAPS is supported by standard LDAP clients, existing clients keep working by switching the port and URL scheme (ldaps://) rather than the protocol. The Microsoft reference below describes how to install such a certificate on a domain controller.

Common mistakes.

  • B. An SSH tunnel would require every client to run an SSH client and be reconfigured to connect through the tunnel; standard LDAP clients do not do this natively, so it breaks the compatibility requirement and adds another service to maintain. It is not the standard method for securing LDAP.
  • C. Port 389 carries LDAP in plaintext by default: a simple bind on 389 sends the DN and password in the clear, so anyone who can capture the traffic can read them, which directly contradicts the requirement.
  • E. Removing the directory service role eliminates the service entirely rather than securing it, so LDAP clients could no longer connect at all.

Concept tested. Securing LDAP with SSL/TLS (LDAPS) implementation

Reference. https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority
