Question 269 of 1,152
Security Operations · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to place the service behind a reverse proxy or WAF and restrict access with source IP allow lists. This is the best temporary control to reduce risk until a vendor patch is released because it creates a compensating control layer that inspects and filters malicious traffic at the application layer while simultaneously limiting the attack surface to only trusted source IPs. On the Security+ SY0-701 exam, this scenario tests your understanding of risk mitigation strategies when a patch is unavailable—a common trap is choosing to simply disable the service, which eliminates functionality entirely, whereas a reverse proxy or WAF maintains availability while blocking exploits. Remember the memory tip: “Proxy and allow, don’t unplug and bow”—meaning you filter and restrict access rather than taking the service offline.

SY0-701 Security Operations Practice Question

This SY0-701 practice question tests your understanding of security operations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Server: HR-APP02
Finding: Outdated OpenSSL library with a critical remotely exploitable weakness
Vendor status: Fix unavailable for 21 days
Exposure: The service must remain online
Current access: host firewall allows TCP 443 from any source
Monitoring: Monthly vulnerability scans only
Available controls: reverse proxy, WAF, IP allow lists, jump host for administration

Based on the exhibit, which temporary control best reduces risk until the patch is released?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Correct answer & explanation

Place the service behind a reverse proxy or WAF and restrict access with source IP allow lists.

Option B is correct because placing the service behind a reverse proxy or Web Application Firewall (WAF) with source IP allow lists provides a temporary compensating control that reduces the attack surface until the vendor releases a patch. The reverse proxy or WAF can inspect and filter malicious traffic, while IP allow lists restrict access to trusted sources only, mitigating the risk of exploitation without removing the service entirely.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Increase scan frequency to daily and leave the service exposed.

    Why it's wrong here

    More scanning improves visibility, but it does not reduce the attack surface or stop exploitation attempts.

  • Place the service behind a reverse proxy or WAF and restrict access with source IP allow lists.

    Why this is correct

    The service must stay online, but the patch is unavailable, so the best temporary measure is to reduce exposure. A reverse proxy or WAF can filter malicious requests, and source IP allow lists shrink the reachable attack surface. Together, those controls act as an effective compensating measure until the vendor fix is released and can be applied.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Disable TLS so the traffic can be inspected more easily.

    Why it's wrong here

    Disabling TLS would weaken confidentiality and integrity without addressing the vulnerable library in a safe way.

  • Move administrative access to the same 443 listener as user traffic.

    Why it's wrong here

    Combining admin and user access paths increases risk and does not mitigate the vulnerable component.

Common exam traps

Common exam trap: answer the scenario, not the keyword

CompTIA often tests the misconception that increasing monitoring (scan frequency) is a sufficient compensating control, when in fact it does not prevent exploitation—only detection is improved.

Detailed technical explanation

How to think about this question

A reverse proxy or WAF operates at Layer 7 (application layer) and can inspect HTTP/HTTPS payloads for malicious patterns, such as SQL injection or path traversal, using signature-based or behavioral rules. Source IP allow lists leverage ACLs (Access Control Lists) at the network or application layer to drop traffic from untrusted sources before it reaches the vulnerable service, reducing the number of potential attackers. In a real-world scenario, this approach is commonly used for legacy systems that cannot be immediately patched, such as an outdated Apache Struts instance behind an Nginx reverse proxy with mod_security rules.
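One way to express the control described above for the exhibit's HR-APP02, as an added example that is not part of the original page: an Nginx reverse proxy that terminates TLS and enforces a source IP allow list. All addresses, hostnames and file paths are constructed placeholders, and the sketch assumes the proxy sees real client addresses (no load balancer in front of it).

```nginx
# Added example; every address, name and path below is a constructed placeholder.
# Place inside the http {} context of the proxy's nginx.conf.

upstream hr_app02 {
    server 10.0.20.15:443;            # constructed backend address for HR-APP02
}

server {
    listen 443 ssl;
    server_name hr.example.internal;  # placeholder name

    # Client TLS ends here, on the proxy's own patched TLS stack, so
    # untrusted peers never handshake with the outdated library on HR-APP02.
    ssl_certificate     /etc/nginx/tls/hr.crt;
    ssl_certificate_key /etc/nginx/tls/hr.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Source IP allow list: rules are checked in order, first match wins.
    allow 203.0.113.0/24;             # constructed: corporate egress range
    allow 198.51.100.17;              # constructed: VPN concentrator
    deny  all;                        # everyone else gets 403, nothing is proxied

    # Denied requests are logged too, which gives visibility that
    # monthly vulnerability scans alone do not.
    access_log /var/log/nginx/hr_app02_access.log;

    location / {
        proxy_pass https://hr_app02;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

The allow list only holds if the proxy cannot be bypassed: the host firewall on HR-APP02, which the exhibit shows accepting TCP 443 from any source, has to be narrowed to accept 443 from the proxy's address alone.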

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A developer is choosing between AES-256 (symmetric) and RSA-2048 (asymmetric) for encrypting a large file that will be sent to a partner. Symmetric encryption is fast but requires key exchange; asymmetric is slower but solves the key distribution problem. A hybrid approach — encrypt the file with AES, encrypt the AES key with RSA — is standard. Questions like this test whether you understand when each approach applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this SY0-701 question test?

This question tests Security Operations: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Place the service behind a reverse proxy or WAF and restrict access with source IP allow lists. — Option B is correct because placing the service behind a reverse proxy or Web Application Firewall (WAF) with source IP allow lists provides a temporary compensating control that reduces the attack surface until the vendor releases a patch. The reverse proxy or WAF can inspect and filter malicious traffic, while IP allow lists restrict access to trusted sources only, mitigating the risk of exploitation without removing the service entirely.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 30, 2026

This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.