What is a recommended approach to restrict remote administration access on the WAN interface?

• A. Use a VPN for WAN access but keep standard services enabled.
• B. Disable or restrict services accessible from WAN, e.g., /ip service disable www, www-ssl, ssh; or implement firewall rules to allow only trusted sources.
• C. Change the admin password only.
• D. Block all WAN traffic without exception.

Answer: (B)

Restricting remote administration by limiting what can be accessed from the WAN minimizes the attack surface. When management services are reachable from the internet, they become easy targets for automated scans, brute-force attempts, or exploits. The safest approach is to disable those services on the WAN side (for example, turning off www, www-ssl, ssh, and similar management ports) or keep them but enforce strict firewall rules that only allow access from trusted sources or through a secure path like a VPN. This way, you can administer the device remotely, but only through a verified route or from approved IPs, reducing the risk of unauthorized access.

Just changing the admin password helps a bit, but it doesn’t address the exposure of management services themselves. Blocking all WAN traffic would stop remote management entirely, which defeats the need for remote access in legitimate scenarios.