Based on the exhibit, which change best reduces the blast radius if a user workstation is compromised?
Limiting backup access to dedicated systems preserves segmentation and protects recovery data from workstation compromise.
Why this answer
Option C is correct because removing direct user access to the backup VLAN and allowing only the dedicated backup path enforces network segmentation, which limits lateral movement. If a workstation in VLAN 10 is compromised, an attacker cannot pivot directly to the backup server in VLAN 30, reducing the blast radius. This aligns with the principle of least privilege and defense-in-depth for backup infrastructure.
Exam trap
The trap here is that candidates may think adding more allow rules (Option A) improves flexibility, but in security architecture, minimizing blast radius comes from reducing unnecessary access paths, not from increasing connectivity.
How to eliminate wrong answers
Option A is wrong because adding more allow rules from VLAN 10 to VLAN 30 for SMB and RDP increases the attack surface, allowing a compromised workstation to directly access backup servers, which expands rather than reduces the blast radius.
Option B is wrong because moving the backup server into the user VLAN eliminates network segmentation entirely, exposing the backup server to any compromised workstation in the same broadcast domain and defeating the purpose of isolation.
Option D is wrong because increasing the DHCP lease time does not affect network access controls or segmentation; it only delays IP address renewal and has no impact on blast radius reduction.