During a penetration test scoping meeting, a client explains that help-desk staff must occasionally perform emergency system restores after 22:00 but otherwise wants all inbound VPN sessions blocked between 19:00 and 06:00 to reduce the attack surface when no SOC analysts are on duty. Which control should the tester recommend implementing to satisfy these requirements?
Enforce a five-minute idle timeout for all remote VPN sessions
Configure a time-of-day restriction on the VPN with an exception group for emergency access
Require a single-use invitation token for every remote session
Geo-block all source IPs outside the organization's primary country
Applying a time-of-day access policy on the VPN gateway enforces a default-deny posture outside documented business hours while providing an exception group that can be temporarily enabled or approved for after-hours maintenance. Geo-blocking limits source addresses rather than hours, single-use invitations increase operational overhead without solving the after-hours exposure, and idle-timeout policies only terminate dormant sessions while still allowing logons at any time.