You are an ethical hacker hired to assess the security of a mid-sized company's internal network. The company has three departments: Sales, Engineering, and HR, each on separate VLANs. The network uses a single firewall with default-deny rules, but inter-VLAN routing is allowed for specific ports (e.g., HR needs to access Sales database on TCP 1433). During reconnaissance, you discover that the Engineering VLAN has a web server running on port 80 that is accessible from all VLANs. You also find that the Sales VLAN has a file share (SMB) on port 445 that is accessible only from HR. The firewall logs show numerous failed SSH attempts from an external IP to the Engineering web server. Which action should you recommend as the most effective immediate step to reduce the attack surface?
This immediately reduces the attack surface by limiting unnecessary access.
Why this answer
Option D is correct because the Engineering web server is unnecessarily exposed to all VLANs, including potentially compromised segments. By restricting access to only the Engineering VLAN, you eliminate the attack surface from the Sales and HR VLANs, which is the most immediate and effective reduction in exposure. This aligns with the principle of least privilege and network segmentation, directly mitigating the risk of lateral movement from other VLANs.
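To make the attack-surface reduction concrete, the following added example (not part of the question) models the scenario's firewall as a first-match allow-list over constructed VLAN subnets and host addresses, then computes which (source VLAN, service) pairs remain reachable before and after the change option D recommends. The ports and the HR/Sales/Engineering relationships are taken from the scenario; every address is an assumption.

```python
"""Policy model for the scenario above: which (VLAN, service) pairs stay reachable before
and after restricting the Engineering web server to its own VLAN (option D). Added example,
not part of the question; subnets/hosts are constructed, the ports and relationships are
from the scenario. Rules are first-match allow entries; anything unmatched is denied."""
from ipaddress import ip_address, ip_network

# Constructed VLAN subnets (assumption; the question gives none).
VLANS = {
    "Sales": ip_network("10.1.0.0/24"),
    "Engineering": ip_network("10.2.0.0/24"),
    "HR": ip_network("10.3.0.0/24"),
}
SERVICES = {                      # name: (constructed host address, TCP port)
    "sales_db": ("10.1.0.10", 1433),
    "sales_smb": ("10.1.0.20", 445),
    "eng_web": ("10.2.0.30", 80),
}
ANY = ip_network("0.0.0.0/0")

# Each rule: (source network, destination host, destination port). Allow entries only.
BEFORE = [
    (VLANS["HR"], "10.1.0.10", 1433),          # HR -> Sales database
    (VLANS["HR"], "10.1.0.20", 445),           # HR -> Sales file share
    (ANY, "10.2.0.30", 80),                    # web server reachable from every VLAN
]
AFTER = [
    (VLANS["HR"], "10.1.0.10", 1433),
    (VLANS["HR"], "10.1.0.20", 445),
    (VLANS["Engineering"], "10.2.0.30", 80),  # option D: Engineering VLAN only
]

def allowed(rules, src_ip, dst_ip, dport):
    """True if any allow rule matches; an unmatched flow hits the default deny."""
    src = ip_address(src_ip)
    return any(src in net and dst == dst_ip and port == dport
               for net, dst, port in rules)

def attack_surface(rules):
    """Set of (source VLAN, service) pairs a host in that VLAN could reach."""
    reachable = set()
    for vlan, net in VLANS.items():
        probe = str(net[5])  # an arbitrary host inside the VLAN
        for name, (host, port) in SERVICES.items():
            if allowed(rules, probe, host, port):
                reachable.add((vlan, name))
    return reachable

if __name__ == "__main__":
    removed = attack_surface(BEFORE) - attack_surface(AFTER)
    print("paths closed by option D:", sorted(removed))  # Sales and HR -> eng_web
```

Running it lists the two cross-VLAN paths to the web server that option D closes, while the HR paths the business requires stay intact.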
How to eliminate wrong answers
Option A is wrong because implementing a complex password policy does not address the immediate risk of the web server being accessible from all VLANs; it is a general security hygiene measure that does not reduce the current attack surface. Option B is wrong because enabling two-factor authentication on the web server would protect authentication but does not prevent unauthorized network-level access from other VLANs; the server remains reachable and could still be targeted by exploits or reconnaissance. Option C is wrong because applying the latest security patches, while important, does not reduce the attack surface; the server remains exposed to all VLANs, and a zero-day or unpatched vulnerability could still be exploited from any segment.