Security+ SY0-601: 3.2: Host and Application Security

This entry is part 24 of 47 in the series [ Security+ SY0-601 ]

Chapter 18: Host and Application Security

Endpoint protection

EDR: Endpoint detection and response

DLP: Data Loss Prevention

Next-generation firewall (NGFW)

Host-based firewall

Inline vs. Passive

In-band vs. Out-of-band

Detection and notification vs. detection and prevention

Host-based intrusion prevention system (HIPS)

Host-based intrusion detection system (HIDS)

Network-based vs host-based

False positive

False negative

Boot integrity

Boot security

Unified Extensible Firmware Interface (UEFI)

Measured boot

Boot attestation

Application security

Input validations

Secure cookies

Hypertext Transfer Protocol (HTTP) headers

Code signing

Allow list

Block list/deny list

Secure coding practices

Static code analysis

Manual code review

Dynamic code analysis

Open ports and services

Disk encryption

Patch management

Third-party updates

-> See “Hardening Servers” below for individual services.

Self-encrypting drive (SED)/full-disk encryption (FDE)

Hardware root of trust

Trusted Platform Module (TPM)

Hardening Servers and Services

You are personally responsible for staying current with vulnerabilities. Subscribe to security bulletins such as those from Shavlik Technologies.

      • Tightly configure ACLs.
      • Delete sample files.
      • Delete sample scripts!
      • Delete unused or obsolete scripts and software.
      • Use IPSec, SSL (port 22, TCP and UDP) or HTTPS to encrypt sensitive traffic.

Web Servers

Web servers (HTTP, port 80, TCP and UDP) should provide only this service.

Web servers should live in a DMZ, not inside a network’s main firewall.

Use HTTPS or Secure HTTP (port 443 TCP) to encrypt sensitive traffic.

Email Servers

E-mail servers should live in a DMZ, not inside a network’s main firewall.

E-mail servers (POP, port 110, SMTP, port 25) should provide only this service.

E-mail system administrators must know what an “open relay” is, and must make sure their server is not an open relay.

Visit and enter the name of your email server, and click “Test for relay” for independent verification.

FTP Servers

Old-fashioned FTP is highly vulnerable because it passes login names and passwords as unencrypted traffic.

Use Passive FTP rather than the older Active FTP, because Active FTP forces the client to act like a server!

Turn off Anonymous Login unless it is critical to provide it.

Set the ACL to read-only whenever possible.

Limit the number of login attempts.

Limit the number of sessions.

DNS Servers

DNS servers are the most potentially toxic servers on the Internet.

DNS servers update each other through Zone Transfers, which is a major vulnerability.

DNS servers can be attacked by cache poisoning.

      • Prevent this by closing port 53 (used for zone transfers), or
      • by rejecting inbound connections on port 53, or
      • by explicitly designating which servers are trusted to receive zone transfers, or
      • by using DNSSEC for trusted, verified zone transfers.
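As an added illustration of the last two bullets (an example written for this page, not part of the original notes), a BIND named.conf fragment shows the weak zone-transfer setting beside the hardened one. BIND authenticates transfers with a TSIG key; the zone name, addresses and key name below are placeholders, and the two fragments are alternatives (a real named.conf has a single options block).

```conf
// --- Weak: any host on the Internet can pull the whole zone with an AXFR request ---
options {
    recursion yes;                 // BIND default; an authoritative server needs no cache at all
};
zone "example.com" {
    type primary;                  // "type master" on BIND before 9.16
    file "/var/named/example.com.zone";
    allow-transfer { any; };       // zone transfer open to everyone
};

// --- Hardened: transfers only to the named secondary, and only when TSIG-signed ---
key "xfer-key" {                   // placeholder key name
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder; generate with: tsig-keygen xfer-key
};
server 192.0.2.53 {                // placeholder secondary (documentation address)
    keys { xfer-key; };            // sign NOTIFY messages sent to it with this key
};
options {
    recursion no;                  // authoritative only: no cache, so nothing to poison
    allow-transfer { none; };      // global default: deny transfers unless a zone allows them
};
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    also-notify { 192.0.2.53; };   // tell the secondary when the zone changes
    allow-transfer { key xfer-key; };      // transfer only to a requester holding the key
};
```

The secondary needs the same key statement plus a server clause for the primary so that its AXFR requests are signed; named-checkconf validates either file before reload.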

File and Print Servers

Require authentication for access.

Let users pause or cancel only their own print jobs.

Give users ACL permissions to their own folders and files, but no others.

Whenever possible, allow only read-only access to public folders.

Give read and write access only for group folders.

Be very cautious with execute permissions for folders:

        • In Windows, denying execute will prevent software execution
        • In Linux, denying execute will prevent browsing and listing

DHCP Servers

Disable this service unless you specifically need it.

Keep DHCP servers patched.

Enable DHCP Snooping to exclude unauthorized DHCP servers.