A company has just completed a security audit and received initial results from the auditor. The results show that the ethical hacker was able to gain access to the company servers by exploiting non-hardened VMs and hosts as guests and administrators. Which of the following should be implemented to harden the environment? (Select TWO).

A.
Discretionary access controls

B.
Disable unnecessary accounts

C.
Change default passwords

D.
Install antivirus software

E.
Role-based access controls