Domain 5 of 5 · Chapter 2 of 4

System Hardening

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified in Cybersecurity premium course — no separate purchase.

Included in this chapter:

  • Hardening and the attack surface
  • Configuration management and the baseline
  • Patch management: the update lifecycle
  • Core hardening practices
  • Exam-pattern recognition

The core hardening activities and what each one reduces

ActivityWhat you doWhat it reduces
Least functionalityUninstall unused software, disable unused services and portsAttack surface from features that need not run
Remove default accountsDelete or disable built-in and sample accountsKnown-target accounts an attacker can try
Change default credentialsReplace every factory password with a strong oneEasily guessed, publicly documented logins
Apply a baselineConfigure to an approved hardening standard (e.g. CIS Benchmark)Inconsistent, ad-hoc per-machine settings
Patch managementTest and apply vendor updates on a scheduleOpen, known vulnerabilities flaws fixes exist for
Configuration monitoringCheck running systems against the baselineConfiguration drift away from the secure state

Cheat sheet

  • System hardening shrinks the attack surface by removing what a system does not need
  • Least functionality: provide only the capabilities the system needs, disable the rest
  • Configuration management is the discipline that maintains a secure baseline over time
  • A baseline is the documented, approved reference configuration for a system
  • Adopt an established hardening benchmark instead of inventing your own
  • Configuration drift is divergence from the baseline, and monitoring is the fix
  • Changes to a hardened system flow through change control
  • Patch management is the organized cycle of applying vendor fixes for known flaws
  • Treat patching as scheduled preventive maintenance, not an emergency
  • The patch lifecycle is identify, test, deploy, verify
  • Test a patch in non-production before it touches live systems
  • Verify a patch took effect; deploying is not the same as fixing
  • Phased (ringed) deployment catches a bad patch on a few systems first
  • When you cannot patch, mitigate instead, never ignore the flaw
  • Remove or disable unnecessary services, software, and open ports
  • Remove or disable default and sample accounts
  • Change every default password before a system goes into service
  • Signature-based antivirus only catches malware it already has a signature for
  • Manage devices with encrypted protocols, not cleartext ones

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
  2. https://csrc.nist.gov/glossary/term/baseline_configuration
  3. https://csrc.nist.gov/glossary/term/checklist
  4. https://csrc.nist.gov/pubs/sp/800/40/r4/final