Unused switch ports should not remain active in the default VLAN. The proper hardening approach is to administratively shut them down and move them into an unused access VLAN, often called a parking, black-hole, or unused VLAN. Shutting the port stops an attacker from plugging in and immediately gaining Layer 2 connectivity. Moving the port out of VLAN 1 reduces the impact if someone later enables the port accidentally. EtherChannel is irrelevant because it aggregates links; it does not protect idle user-facing ports. Trunking unused ports is actively dangerous because it could expose multiple VLANs. CDP can disclose device information and is not a protection method for unused ports. The Cisco CCNA v1.1 Network Access and Security Fundamentals topics overlap here: secure access-layer design includes disabling unused interfaces, avoiding the default VLAN for user access, and limiting unintended Layer 2 exposure. Therefore, B and C are the correct operational steps.
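One way to check a switch against this guidance is sketched below as an added example, not part of the original explanation. It audits a constructed running-config excerpt for ports labelled unused that are still enabled, trunked, or left in VLAN 1. The parking VLAN number 999, the "UNUSED" description convention, and the function name are assumptions made for the example.

```python
import re

# Constructed running-config excerpt (not from a real device). VLAN 999 as the
# parking VLAN and the "UNUSED" description tag are assumptions for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description user-desk-101
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/3
 description UNUSED
!
interface GigabitEthernet0/4
 description UNUSED
 switchport mode trunk
 shutdown
!
"""

def audit_unused_ports(config, parking_vlan=999, unused_tag="UNUSED"):
    """Return {interface: [findings]} for ports labelled unused that are not hardened."""
    findings = {}
    # Each interface stanza runs until the next "!" separator line.
    for name, body in re.findall(r"^interface (\S+)\n(.*?)^!", config, re.M | re.S):
        lines = [l.strip() for l in body.splitlines()]
        if not any(l.startswith("description") and unused_tag in l for l in lines):
            continue  # port is in use; out of scope for this check
        issues = []
        if "shutdown" not in lines:  # "no shutdown" is a different line, so no false match
            issues.append("not administratively shut down")
        if "switchport mode trunk" in lines:
            issues.append("configured as trunk")
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("switchport access vlan")), 1)  # absent line means VLAN 1
        if vlan != parking_vlan:
            issues.append(f"access VLAN {vlan}, expected parking VLAN {parking_vlan}")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_unused_ports(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

GigabitEthernet0/2 is the hardened pattern the explanation describes: access mode, parked in the unused VLAN, and shut down.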