A vulnerability assessment identifies that an external-facing server has an outdated TLS version configured. The server supports TLS 1.0 and SSL 3.0. Which of the following is the MOST secure configuration change?
Eliminates all insecure protocols and enables a secure one.
Why this answer
Option C is correct because it disables the insecure SSL 3.0 and TLS 1.0 protocols while enabling TLS 1.2, which is currently the most widely supported secure TLS version. TLS 1.2 provides strong cipher suites and has no known practical vulnerabilities like POODLE (SSL 3.0) or BEAST (TLS 1.0). This configuration balances security with compatibility for modern clients.
Exam trap
Cisco often tests the distinction between 'disabling only the most vulnerable protocol' (Option D) versus 'disabling all insecure protocols and enabling a secure one' (Option C), trapping candidates who forget that TLS 1.0 is also considered deprecated and insecure.
How to eliminate wrong answers
Option A is wrong because upgrading directly to TLS 1.3 may break compatibility with many existing clients and servers that do not yet support TLS 1.3, and the question asks for the 'most secure' change given the current state, not a future-proof upgrade.
Option B is wrong because keeping SSL 3.0 enabled leaves the server vulnerable to the POODLE attack (CVE-2014-3566), which allows plaintext recovery from encrypted sessions.
Option D is wrong because it only disables SSL 3.0 but does not explicitly disable TLS 1.0, leaving the server vulnerable to the BEAST attack (CVE-2011-3389) and other TLS 1.0 weaknesses.