A systems administrator is configuring a new rack-mount virtualization host that will be installed in a locked cage at a co-located datacenter. The motherboard provides these onboard interfaces:
Two 10 GbE ports (one will be dedicated to IPMI out-of-band management)
Four 1 GbE RJ-45 ports for guest traffic
Two front USB 3.2 ports for occasional keyboard-video-mouse access
One Thunderbolt/USB4 port that supports direct memory access (DMA)
Company policy states that any interface not required for normal operation must be disabled to reduce the risk of drive-by DMA attacks, but remote power-cycle and console access through IPMI must remain available.
Which firmware-level action BEST satisfies the policy while preserving the required functionality?
Update the baseboard management controller (BMC) firmware to the latest release.
Disable the Thunderbolt/USB4 controller in the UEFI settings.
Configure a strong administrator password for the UEFI setup utility.
Enable Secure Boot and require signed UEFI drivers.
Disabling the Thunderbolt/USB4 controller in UEFI removes a high-speed DMA-capable interface that is not needed for the server's day-to-day operation. Doing so closes a well-documented physical attack vector without affecting Ethernet-based IPMI management or the front-panel USB ports used for local KVM access.
Enabling Secure Boot hardens the boot process but does not eliminate the DMA attack surface posed by the Thunderbolt controller.
Setting a strong UEFI/BIOS password prevents unauthorized firmware changes but leaves the vulnerable port active.
Updating the BMC firmware is good practice for out-of-band management, yet it does nothing to mitigate DMA attacks through Thunderbolt.
Therefore, disabling the unused Thunderbolt/USB4 hardware is the most effective hardware-level hardening step in this scenario.