An IS auditor is reviewing a software-based firewall configuration. Which of the following
represents the GREATEST vulnerability? The firewall software:

A.
is configured with an implicit deny rule as the last rule in the rule base.

B.
is installed on an operating system with default settings.

C.
has been configured with rules permitting or denying access to systems or networks.

D.
is configured as a virtual private network (VPN) endpoint.

Explanation:
Default settings are often published and provide an intruder with predictable configuration
information, which allows easier system compromise. To mitigate this risk, firewall software should
be installed on a system using a hardened operating system that has limited functionality, providing
only the services necessary to support the firewall software. Choices A, C and D are normal or best
practices for firewall configurations.