A penetration tester is able to compromise a web server in your company's DMZ. From the web server, he scanned other systems on the network, and compromised an unpatched file server on the private network. In addition to improving patch management, which control would you recommend to prevent the spread of an attack like this in the future?

Block ports other than 80 and 443 for traffic destined to the DMZ where your web server is located.

Restrict traffic from the DMZ to internal hosts and ports required for web applications.

Use a firewall to prevent DMZ systems from initiating outbound connections to the Internet.

Install a router to prevent traffic originating in the DMZ from reaching internal network systems.