Security+ PBQs: Hardening Windows & Linux Servers
To master Security+ PBQ examples for server hardening, focus on reducing the attack surface by disabling unused ports and services, implementing SSH key-based authentication over passwords, and applying restrictive Group Policy Objects. Success requires applying theoretical knowledge to simulated environments where you must configure specific security controls to meet organizational requirements.
What are the most common server hardening PBQ examples?
Performance-Based Questions (PBQs) are where many candidates stumble because they require you to apply knowledge rather than just recognize a correct answer. In the context of server hardening for the SY0-701, you'll likely encounter scenarios where you must reduce the attack surface of a newly deployed server. This typically involves auditing active services and closing unnecessary ports.
For example, if you're tasked with hardening a web server, you should ensure only ports 80 and 443 are open. If you see Telnet (port 23) or FTP (port 21) running, those are immediate red flags. We recommend practicing the identification of these legacy protocols, as CompTIA loves to test your ability to replace insecure services with secure alternatives like SSH or SFTP. At Cert Sensei, we build these real-world patterns into our 1,000 expert-curated practice questions to ensure you aren't surprised on exam day.
How do you secure remote access in a Linux PBQ?
When you hit a Linux-based PBQ, the focus is almost always on securing the SSH daemon. You'll likely be asked to modify the sshd_config file to prevent unauthorized access. The gold standard here is moving from password-based authentication to SSH key-based authentication. Passwords are vulnerable to brute-force attacks; keys are not.
In a simulation, look for the 'PermitRootLogin' directive and set it to 'no'. Allowing root login via SSH is a massive security hole. Additionally, ensure 'PasswordAuthentication' is set to 'no' once keys are deployed. These small configuration changes are common PBQ requirements. Remember, the goal is to implement the Principle of Least Privilege. If you can achieve the objective without giving a user full root access, that is always the correct path in the eyes of CompTIA.
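One way to check the two directives above, as an added example (not from the original article). The function names and sample files are constructed for illustration, and the check covers only the whitespace-separated `Keyword value` form in a single file.

```bash
# Added example: file-level audit of the two sshd_config directives above.
# sshd keeps the FIRST value it reads for a keyword and keywords are
# case-insensitive, so a later "PermitRootLogin no" does not undo an
# earlier "permitrootlogin yes".

# Print the global value of keyword $2 in file $1 (lowercased), or the
# default $3 when it is not set before the first Match block.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        /^[ \t]*(#|$)/    { next }          # comments and blank lines
        tolower($1) == "match" { exit }     # Match blocks are conditional
        tolower($1) == want { found = 1; print tolower($2); exit }
        END { if (!found) print dflt }
    ' "$1"
}

# Return 0 only when root login and password logins are both disabled.
audit_sshd() {
    rc=0
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)  # OpenSSH default
    pass=$(sshd_value "$1" PasswordAuthentication yes)         # OpenSSH default
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=$pass"; rc=1; }
    return "$rc"
}

# Constructed samples (not from a real host).
weak=$(mktemp); hard=$(mktemp)
cat > "$weak" <<'EOF'
permitrootlogin yes
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
EOF
cat > "$hard" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd "$weak" || echo "weak sample rejected"
audit_sshd "$hard" && echo "hardened sample passes"
```

On a live host, `sshd -T` prints the effective configuration, including any Include'd drop-in files that this file-level check does not follow.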
How should you apply GPOs to harden Windows servers?
Windows hardening PBQs usually center around Group Policy Objects (GPOs). You might be asked to configure a set of policies to secure a domain controller or a member server. Focus on the 'Account Policies' and 'Security Options' sections of the GPO editor. You'll need to implement strong password complexity requirements and account lockout thresholds to thwart password spraying attacks.
Another common task is disabling insecure legacy protocols like LLMNR and NetBIOS over TCP/IP, which are frequently exploited in internal network attacks. When navigating these simulations, be methodical. Identify the specific requirement—such as 'ensure users cannot change their own passwords'—and map it to the correct GPO setting. Using our domain-level tracking at Cert Sensei can help you identify if 'Implementation' is your weak spot, allowing you to drill down into these specific configuration tasks.
What is the best way to manage root and sudo access?
Managing administrative privileges is a core component of the SY0-701 exam. In a Linux PBQ, you may be required to configure the sudoers file. Never give every admin full root access if a more restricted set of permissions will suffice. Use the 'visudo' command to edit the sudoers file, as it performs a syntax check before saving, preventing you from accidentally locking yourself out of the system.
Real-world hardening involves creating specific groups for administrative tasks and assigning sudo privileges to those groups rather than individual users. This makes auditing and offboarding much simpler. If a PBQ asks you to grant a user the ability to restart a service without giving them full root access, you should define a specific command alias in the sudoers file. This level of granularity is exactly what CompTIA is looking for when they grade your hardening skills.
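The group-plus-command-alias pattern described above, as an added example that is not part of the original article. The group `webops`, the service `nginx.service`, the binary path and the function names are assumptions, and the lint is a rough single-line check rather than a full sudoers parser.

```bash
# Added example: least-privilege sudoers drop-in plus a rough lint.
# Group name, service name and paths are assumptions for illustration.

# Write a constructed drop-in: group webops may restart nginx, nothing else.
write_dropin() {
    cat > "$1" <<'EOF'
Cmnd_Alias WEB_RESTART = /usr/bin/systemctl restart nginx.service
%webops ALL = (root) WEB_RESTART
EOF
}

# Print every rule in file $1 whose command list is the bare keyword ALL
# (full root); exit status 1 when any is found. Approximate: handles
# single-line rules only, not continuation lines or nested aliases.
lint_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 ~ /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)              # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)           # drop "(runas)"
            gsub(/(NOPASSWD|PASSWD):[ \t]*/, "", spec)  # drop tags
            if (spec ~ /^ALL[ \t]*$/) { print; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

good=$(mktemp); broad=$(mktemp)
write_dropin "$good"
printf '%s\n' 'alice ALL=(ALL) NOPASSWD: ALL' > "$broad"   # constructed
lint_sudoers "$good" && echo "drop-in grants no full-root rule"
lint_sudoers "$broad" || echo "full-root rule flagged"
```

Before installing a drop-in like this, validate it with `visudo -cf <file>`, which runs the same syntax check in check-only mode.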
Why is disabling unnecessary services critical for the exam?
Every active service is a potential doorway for an attacker. In a PBQ, you might be presented with a list of running processes and asked to disable those that don't align with the server's role. For instance, a database server doesn't need a print spooler, and a web server doesn't need an SMB share exposed to the public internet.
To tackle these, you should be familiar with common port numbers and the services associated with them. If you see an unknown service listening on a high-numbered port, it's a candidate for disabling. This process of 'minimalist installation' is a key hardening strategy. We emphasize this in our detailed expert reasoning for every answer, helping you understand not just *what* to disable, but *why* it reduces the risk of exploitation.
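The port review described above, and the web-server case from earlier in the article (only 80 and 443 open, Telnet and FTP flagged), as an added example that is not part of the original article. It reads `ss -Htln` style output; the function names and the sample socket list are constructed.

```bash
# Added example: compare listening TCP ports with a role allowlist.
# Input is `ss -Htln` style output; the sample below is constructed.

# Usage: audit_ports "80 443" < ss_output
# Prints one finding per unexpected port; exit status 1 if any is found.
audit_ports() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            hint[21] = "FTP, replace with SFTP"
            hint[23] = "Telnet, replace with SSH"
        }
        $1 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)            # keep text after the last colon
            if (port in ok || port in seen) next
            seen[port] = 1                  # report IPv4/IPv6 duplicates once
            msg = (port in hint) ? hint[port] : "not in role allowlist"
            printf "%s %s\n", port, msg
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed listener table for a web server (not from a real host).
sample_ss() {
    cat <<'EOF'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 32 [::]:21 [::]:*
LISTEN 0 128 [::]:23 [::]:*
EOF
}

sample_ss | audit_ports "80 443" || echo "unexpected listeners found"
```

On a real server, pipe `ss -Htln` into `audit_ports` with the allowlist for that server's role.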
How can practice exams help you conquer PBQs?
The jump from multiple-choice questions to PBQs can feel like a cliff. The best way to bridge that gap is through high-volume, high-quality practice. You need to see as many variations of these scenarios as possible to develop the intuition required for the exam. When you encounter a PBQ, you aren't just recalling a fact; you're executing a workflow.
By utilizing Cert Sensei's custom quiz builder with domain filtering, you can isolate the 'Implementation' domain and hammer those hardening scenarios until they become second nature. With 1,000 curated questions and performance analytics, you can stop guessing where you stand and start knowing exactly which server hardening tasks you've mastered and which ones still need work. Don't walk into the testing center hoping for the best—walk in knowing you've seen it all.
Frequently Asked Questions
Do PBQs carry more weight than multiple-choice questions on the Security+?
Yes, PBQs are generally weighted more heavily than standard multiple-choice questions. Because they test your ability to apply knowledge in a simulated environment, they are critical for passing. Mastering just a few PBQs can significantly boost your overall score.
Can I skip the PBQs and answer them at the end of the exam?
Yes, you can flag PBQs and return to them later. Many experienced candidates do this to secure the 'easy' multiple-choice points first and then dedicate their remaining time and focus to the complex simulations without the pressure of the clock.
Does CompTIA give partial credit for PBQs?
Historically, CompTIA has been inconsistent with partial credit. In many cases, PBQs are 'all or nothing.' This is why it is vital to double-check every configuration setting in the simulation before moving on to the next question.