An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the
GREATEST vulnerability? The firewall software:

A.
is configured with an implicit deny rule as the last rule in the rule base.

B.
is installed on an operating system with default settings.

C.
has been configured with rules permitting or denying access to systems or networks.

D.
is configured as a virtual private network (VPN) endpoint.

Explanation:
Default settings are often published and provide an intruder with predictable configuration information, which
allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using
a hardened operating system that has limited functionality, providing only the services necessary to support the
firewall software. Choices A, C and D are normal or best practices for firewall configurations.