A systems administrator is preparing a new rack-mounted virtualization host that will be installed in a co-located data center with restricted physical access. The server will use two 10 GbE adapters for production traffic and its dedicated out-of-band management controller for remote administration. Company policy requires that all unused physical interfaces be disabled in the UEFI/BIOS to minimize the attack surface, while still allowing normal management and network connectivity. Which firmware change BEST meets the policy?
Enable Secure Boot and Trusted Platform Module (TPM) 2.0 support before installing the hypervisor.
Move the internal SSD array to the top of the boot order and disable PXE boot on every NIC.
Disable the embedded baseboard management controller (BMC) interface and leave other onboard devices enabled.
Disable the onboard USB controllers and all unused serial and audio ports.
Disabling the onboard USB controllers plus the unused serial and audio ports removes attack vectors that are not needed for the server's production or management functions, satisfying the hardening requirement without affecting network or BMC access. Disabling the BMC would violate the requirement because the host must remain remotely manageable. Enabling Secure Boot and TPM 2.0 improves platform security but does not turn off unused physical interfaces. Adjusting the boot order and disabling PXE pertain to boot-path security, not to the presence of unused hardware ports; the USB and serial interfaces would remain active.