When you detect a security event that is underway, there is only so much you can do immediately: stop it, contain its damage, and mitigate the vulnerability being exploited. After recovering from or rectifying the damage, your next task is to identify the vulnerability and the root cause of the exploitation. The causes of common security problems are an area where the Server+ exam places some emphasis, so expect to see questions relating to the topics in the following list.
- Active services: Operating systems all start a group of services when they boot up, and these services may in turn start other services (dependencies). Part of the security procedures on any server should be a periodic audit of the services actively running on it. The services audit should also note which TCP/UDP ports are in use and by which services. More active services can mean more vulnerabilities...
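The services-and-ports audit described in the list item above, written out as an added example (this is not code from the study guide). It assumes a Linux host whose listening sockets are read from the output of `ss -tulnp`; the sample output, the baseline of approved services, and the host details are all constructed for the example. The audit builds an inventory of which process holds which TCP/UDP port, then compares it against the baseline and reports three kinds of finding a server administrator would want from a periodic audit: a listener that is not in the baseline, an approved service that is bound beyond loopback when it should not be, and an approved service that is no longer running.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output for a hypothetical host (not captured from a real system).
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
udp    UNCONN  0       0       0.0.0.0:68          0.0.0.0:*          users:(("dhclient",pid=640,fd=6))
tcp    LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
tcp    LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
tcp    LISTEN  0       511     127.0.0.1:80        0.0.0.0:*          users:(("nginx",pid=1203,fd=6),("nginx",pid=1204,fd=6))
tcp    LISTEN  0       4096    0.0.0.0:3306        0.0.0.0:*          users:(("mysqld",pid=1500,fd=20))
tcp    LISTEN  0       5       0.0.0.0:8000        0.0.0.0:*          users:(("python3",pid=2201,fd=3))
"""

# Constructed baseline of approved services: (protocol, port) -> (expected process name, may bind beyond loopback?)
BASELINE = {
    ("tcp", 22): ("sshd", True),
    ("tcp", 80): ("nginx", True),
    ("tcp", 3306): ("mysqld", False),       # database should only listen on loopback
    ("tcp", 9100): ("node_exporter", True),  # monitoring agent that is expected to be running
    ("udp", 68): ("dhclient", True),
}

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}

# One `ss` row: netid, state, recv-q, send-q, local addr:port, peer addr:port, optional process column
LINE_RE = re.compile(
    r"^(?P<netid>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s*(?P<proc>.*)$"
)
# One ("name",pid=N,fd=M) entry inside the process column; a socket may list several owners
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    pid: int


def split_addr_port(local):
    """Split '0.0.0.0:22' or '[::]:22' into (address, port); the port follows the last colon."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_ss(text):
    """Parse `ss -tulnp` output into Listener records, one per (socket, owning process) pair."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or blank
        addr, port = split_addr_port(m.group("local"))
        owners = PROC_RE.findall(m.group("proc")) or [("unknown", "0")]  # no -p data if not run as root
        for name, pid in owners:
            listeners.append(Listener(m.group("netid"), addr, port, name, int(pid)))
    return listeners


def inventory(listeners):
    """Map each (protocol, port) to the sorted list of distinct process names holding it."""
    table = {}
    for l in listeners:
        table.setdefault((l.proto, l.port), set()).add(l.process)
    return {key: sorted(names) for key, names in table.items()}


def audit(listeners, baseline):
    """Compare observed listeners against the baseline; return (kind, proto, port, process) findings."""
    findings = []
    seen = set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        if key not in baseline:
            findings.append(("UNEXPECTED_LISTENER", l.proto, l.port, l.process))
            continue
        expected_proc, allow_external = baseline[key]
        if l.process != expected_proc:
            findings.append(("PROCESS_MISMATCH", l.proto, l.port, l.process))
        if not allow_external and l.addr not in LOOPBACK_ADDRS:
            findings.append(("EXPOSED_BEYOND_LOOPBACK", l.proto, l.port, l.process))
    # Approved services that are not listening at all (a stopped agent is also worth knowing about)
    for proto, port in sorted(baseline.keys() - seen):
        findings.append(("EXPECTED_SERVICE_MISSING", proto, port, baseline[(proto, port)][0]))
    return findings


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for (proto, port), names in sorted(inventory(found).items()):
        print(f"{proto}/{port:<5} {', '.join(names)}")
    for finding in audit(found, BASELINE):
        print("FINDING:", *finding)
```

On a live host the same functions would be fed the output of `subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout`; the process column is only populated when `ss` runs with sufficient privilege, which is why unknown owners are recorded rather than dropped. Keeping the baseline under version control turns each audit into a diff against the last approved state, which is the form in which these results are easiest to act on.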