A systems administrator has deployed a new server using a standard corporate OS image that will be used as a dedicated file server. Before connecting the server to the production network, the administrator must perform initial OS hardening tasks to reduce its attack surface. Which of the following sets of actions BEST addresses this requirement?
Configure role-based access controls for file shares, enforce a strict password lockout policy, and set up auditing for all user login events.
Set a UEFI/BIOS password, disable unused physical USB ports, and configure a secure boot order that prioritizes the internal storage.
Apply the latest OS security patches, configure the host-based firewall to block unnecessary ports, and disable services that are not required for the file server role.
Install antivirus/anti-malware software, create a baseline system backup, and enable multifactor authentication for all administrative accounts.
The correct answer involves applying the latest OS security patches, disabling unnecessary services, and configuring the host-based firewall. These three actions are core principles of OS hardening. Applying patches fixes known vulnerabilities. Disabling unneeded services reduces the number of running processes that could be exploited. Configuring the host-based firewall to block unnecessary ports limits the network-accessible entry points for an attacker. The other options, while containing valid security tasks, are not the most effective initial steps for OS hardening. Setting UEFI/BIOS passwords and disabling physical ports are forms of hardware hardening. Configuring access controls and password policies falls under identity and access management. Installing antivirus is a host security measure, but creating backups and configuring MFA are separate processes from initial OS hardening.