Domain 3: Security Architecture | Domain 4: Security Operations

How to Solve Server Hardening PBQs on Security+

Server hardening PBQs test your ability to secure system configurations by applying security baselines, disabling unnecessary services, and reducing the attack surface. This guide teaches you the systematic approach to identifying and fixing insecure configurations.


What Is a Server Hardening PBQ?

Server hardening PBQs present you with a system configuration and ask you to identify security weaknesses or select the correct hardening actions. You'll analyze settings like running services, open ports, user accounts, and security policies to find vulnerabilities.

These questions test whether you can apply the principle of reducing attack surface. You might be asked to:

  • Identify services that should be disabled on a web server
  • Select accounts that violate security best practices
  • Configure settings to meet a security baseline like CIS or DISA STIG
  • Determine which ports should be closed based on server role
  • Find insecure default configurations that need changing

Reduce the Attack Surface

Every running service, open port, and installed application is a potential attack vector. Hardening means disabling or removing everything that isn't required for the server's specific function. If a web server doesn't need FTP, disable FTP. If it doesn't need a GUI, remove it.

The 5-Step Method for Server Hardening PBQs

Systematically evaluate server configurations using this approach:

1. Identify the server role. What is this server's purpose? Web server, database server, file server, domain controller? The role determines what services and ports are legitimately needed.
2. Audit running services. List every running service and ask: "Does this server need this service to perform its function?" Telnet on a web server? No. SSH on a web server? Probably for administration. FTP? Only if explicitly required.
3. Review open ports. Each open port corresponds to a service. If the service isn't needed, the port shouldn't be open. 80/443 on a web server is expected. 21 (FTP), 23 (Telnet), 3389 (RDP) may not be.
4. Check user accounts. Look for default accounts (admin, guest, administrator) that should be renamed or disabled. Look for service accounts with excessive privileges. Look for accounts that should have been removed.
5. Validate security settings. Password policies, audit logging, encryption settings, firewall rules. Compare against the baseline requirements specified in the question.
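Steps 1 and 3 of this method as a script, added here as an example and not part of the original guide: the role baseline comes from the "Hardening by Server Role" table below, the `ss` listing is a constructed sample so it runs offline, and the NFS port 2049 is an assumption the guide itself does not state.

```shell
#!/bin/sh
# Added example, not from the original guide: flag listening ports that a server
# of the given role has no reason to expose. Baselines follow the role table in the
# guide; SAMPLE_SS is a constructed ss(8) listing (real host: ss -Hltn).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# Step 1: the role decides which ports are legitimate (2049 = NFS, an assumption added here).
baseline_ports() {
    case "$1" in
        web)  echo "80 443 22" ;;
        db)   echo "3306 1433 5432 22" ;;
        file) echo "445 2049 22" ;;
        dc)   echo "53 88 389 445 636" ;;
        *)    return 1 ;;
    esac
}

# Step 3: pull the local port (text after the last ':') from every LISTEN line.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# Listeners not in the role baseline, one port per line; fails on an unknown role.
unexpected_ports() {
    allowed=" $(baseline_ports "$1") " || return 1
    for p in $(listening_ports "$2"); do
        case "$allowed" in
            *" $p "*) ;;          # in the baseline, expected
            *) echo "$p" ;;
        esac
    done
}

# Name the service so the finding reads like a PBQ answer, not just a number.
describe_port() {
    case "$1" in
        21) echo "FTP (cleartext credentials)" ;;
        23) echo "Telnet (unencrypted)" ;;
        631) echo "CUPS printing" ;;
        *) echo "unidentified service" ;;
    esac
}

for p in $(unexpected_ports web "$SAMPLE_SS"); do
    printf 'CLOSE port %s: %s is not needed on a web server\n' "$p" "$(describe_port "$p")"
done
```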

Hardening by Server Role

Different servers have different legitimate services. Know what each type needs:

Web Server

Needs HTTP/HTTPS. Probably needs SSH for admin. Remove FTP, Telnet, SMB, unnecessary scripting engines.

Ports: 80, 443, 22 (admin only)
Remove: GUI, development tools, sample apps

Database Server

Needs its database port (3306, 1433, or 5432). Should NOT be directly accessible from the internet.

Ports: DB port (internal only), 22 (admin)
Remove: Web server, FTP, direct internet access

File Server

Needs SMB/CIFS (445) or NFS. Restrict to internal network only.

Ports: 445, 22 (admin)
Remove: Web services, database, external access

Domain Controller

Needs AD ports: LDAP, Kerberos, DNS, SMB. Highly sensitive—minimal additional services.

Ports: 53, 88, 389, 445, 636
Remove: Everything else. No web browsing.

Walkthrough: Auditing a Web Server Configuration

A newly deployed web server needs hardening review. The audit reveals several security issues that must be addressed:

Web Server Security Audit

Running Services
  • Apache (httpd), ports 80 and 443: Required
  • OpenSSH (sshd), port 22: Required for admin
  • vsftpd (FTP), port 21: Disable immediately
  • Telnet, port 23: Remove (insecure)
  • CUPS (printing), port 631: Not needed

Open Ports
  • Port 80 (HTTP): Required
  • Port 443 (HTTPS): Required
  • Port 22 (SSH), admin only: Restrict to admin IPs
  • Port 21 (FTP): Close
  • Port 23 (Telnet): Close

User Accounts
  • admin (default account): Rename or disable
  • root SSH login (PermitRootLogin yes): Disable, use sudo
  • Service accounts: Properly configured

Configuration
  • ServerSignature On: Disable (reveals version)
  • ServerTokens Full: Set to Prod
  • Firewall (iptables): Active
  • SELinux Enforcing: Properly configured

Summary: 4 critical, 4 warnings, 7 compliant

Analysis

FTP and Telnet must go. FTP transmits credentials in cleartext. Telnet is completely unencrypted. Neither is needed on a web server. Disable the services and close ports 21 and 23.

CUPS is unnecessary. A web server doesn't print. Every unnecessary service is potential attack surface. Remove it.

Default admin account is a target. Attackers know default account names. Rename it to something non-obvious or disable it entirely.

Root SSH is dangerous. If SSH is compromised, the attacker has immediate root access. Disable root login; admins should SSH as regular users and use sudo.

Server signature reveals information. Advertising "Apache 2.4.52" helps attackers find known vulnerabilities for that exact version. Set ServerSignature to Off and ServerTokens to Prod.
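The three configuration findings from this walkthrough as an automated check, added here as an example rather than code from the original guide. The sshd and Apache config text is constructed so the check runs offline; the one nuance worth knowing is that sshd uses the first value it sees for a keyword while Apache uses the last, so the two files are read differently.

```shell
#!/bin/sh
# Added example, not from the original guide: check the three settings the
# walkthrough flags (PermitRootLogin, ServerSignature, ServerTokens). The config
# text below is constructed so the check runs offline; on a real host pass
# "$(cat /etc/ssh/sshd_config)" and the httpd.conf contents instead.
SAMPLE_SSHD='Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes'

SAMPLE_HTTPD='ServerName www.example.com
ServerSignature On
ServerTokens Full'

# sshd honours the FIRST value for a keyword, so a permissive line near the top
# silently wins over a hardened one added further down. Comment lines start with
# '#' and therefore never match the keyword.
sshd_value() {
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Apache applies directives in order, so the LAST occurrence is the effective one.
apache_value() {
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { v = $2 } END { print v }'
}

# One finding per line, nothing when compliant. An absent ServerTokens is still a
# finding because Apache's built-in default is Full.
audit_configs() {
    root_login=$(sshd_value PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    signature=$(apache_value ServerSignature "$2" | tr 'A-Z' 'a-z')
    tokens=$(apache_value ServerTokens "$2" | tr 'A-Z' 'a-z')
    [ "$root_login" = "yes" ] &&
        echo "CRITICAL sshd: PermitRootLogin yes -> set 'PermitRootLogin no'; admins log in as users and sudo"
    [ "$signature" = "on" ] &&
        echo "WARNING httpd: ServerSignature On -> set 'ServerSignature Off'"
    [ "$tokens" != "prod" ] &&
        echo "WARNING httpd: ServerTokens ${tokens:-unset} -> set 'ServerTokens Prod'"
    return 0
}

audit_configs "$SAMPLE_SSHD" "$SAMPLE_HTTPD"
```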


Security Baselines and Frameworks

The exam references several security baseline standards. Know what they are:

CIS Benchmarks — Center for Internet Security provides detailed hardening guides for operating systems, applications, and cloud platforms. Widely used in industry.

DISA STIGs — Defense Information Systems Agency Security Technical Implementation Guides. Required for US government systems. Very detailed and strict.

Microsoft Security Baselines — Recommended Group Policy settings for Windows systems. Good starting point for Windows hardening.

Vendor Hardening Guides — Most software vendors publish security configuration guides. Oracle, Apache, Nginx all have hardening documentation.

When a PBQ mentions "industry standard baseline" or "CIS compliant," it's asking you to apply recognized hardening practices rather than inventing your own.

Universal Hardening Checklist

These actions apply to almost any server:

  • Remove unnecessary software — Uninstall applications, features, and roles not required for the server's function.
  • Disable unnecessary services — Stop and disable services that aren't needed. Set them to "Disabled" so they don't restart.
  • Close unused ports — If a service is disabled, its port should be blocked by the firewall as defense in depth.
  • Rename or disable default accounts — Admin, Administrator, Guest, and root are known targets. Rename to non-obvious names.
  • Enforce strong passwords — Minimum length, complexity, expiration. Apply to all accounts including service accounts.
  • Enable logging and auditing — Log authentication events, privilege use, and configuration changes. Send logs to a central SIEM.
  • Apply patches promptly — Unpatched vulnerabilities are a leading attack vector. Establish a regular patching schedule.
  • Disable unnecessary protocols — SMBv1, TLS 1.0/1.1, SSL 3.0 have known vulnerabilities. Disable legacy protocols.
  • Configure host-based firewall — Even with network firewalls, enable the host firewall as defense in depth.
  • Remove sample applications — Default web server pages, sample databases, and example code often have vulnerabilities.

Common Insecure Defaults

Watch for these frequently misconfigured settings:

Default credentials — Many appliances and applications ship with admin/admin or similar. Always change these.

Open management interfaces — Web consoles, SSH, RDP accessible from anywhere. Restrict to management network.

Verbose error messages — Stack traces and debug info help attackers. Show generic errors to users.

Directory listing enabled — Web servers showing directory contents expose file structure. Disable this.

Unnecessary file permissions — World-writable directories, overly permissive shares. Apply least privilege to file systems.

Unencrypted protocols — HTTP instead of HTTPS, FTP instead of SFTP, Telnet instead of SSH. Always encrypt.

Frequently Asked Questions

What is a server hardening PBQ on the Security+ exam?

A server hardening PBQ presents you with a server configuration (running services, open ports, user accounts, settings) and asks you to identify security weaknesses or select appropriate hardening actions. The goal is to reduce the attack surface by disabling unnecessary features and applying security baselines.

What is attack surface?

Attack surface is the sum of all points where an attacker could potentially enter or extract data from a system. Every running service, open port, user account, and installed application expands the attack surface. Hardening reduces attack surface by eliminating unnecessary components.

What is a security baseline?

A security baseline is a documented set of security configurations that meet minimum security requirements. Organizations like CIS (Center for Internet Security) publish benchmarks for various operating systems and applications. Applying a baseline ensures consistent, known-good security settings.

Why disable services instead of just blocking ports?

Defense in depth. A firewall blocking port 21 stops external FTP access, but if an attacker gains internal access, FTP is still running. Disabling the service means it can't be exploited even if network controls fail. Both measures together provide layered security.
