Hardening Targets
Security hardening techniques for mobile devices, workstations, switches, routers, cloud infrastructure, servers, ICS/SCADA, embedded systems, RTOS, and IoT devices.
Understanding Hardening Targets
Different systems require different hardening approaches based on their function, exposure, and constraints. Hardening reduces the attack surface by disabling unnecessary features, applying security configurations, and implementing protective controls.
Hardening target categories:
- Endpoints — Workstations, mobile devices
- Servers — Web, database, application servers
- Network devices — Switches, routers, firewalls
- Specialized systems — ICS/SCADA, IoT, embedded
- Cloud infrastructure — VMs, containers, serverless
The 2021 Oldsmar water treatment attack exploited weak remote access security on an ICS system. Attackers briefly increased sodium hydroxide levels to dangerous amounts. Proper hardening—including removing unused remote access and implementing MFA—could have prevented the intrusion.
Every device type has unique hardening requirements based on its role and risks.
Why This Matters for the Exam
Hardening targets are heavily tested on SY0-701 because different systems need different security approaches. Questions cover device-specific hardening and recognizing appropriate controls.
Understanding hardening helps with security architecture, vulnerability management, and compliance. One-size-fits-all hardening doesn't work—each system type has unique considerations.
The exam tests recognition of appropriate hardening techniques for various device types.
Deep Dive
How Do You Harden Workstations?
Workstations are primary attack targets due to user interaction and email/web exposure.
Workstation Hardening:
| Category | Actions |
|---|---|
| OS | Remove unused features, disable unnecessary services |
| Software | Allow-list applications, remove bloatware |
| Accounts | No local admin for users, strong passwords |
| Network | Enable firewall, disable unnecessary protocols |
| Data | Enable encryption (BitLocker/FileVault) |
| Updates | Automatic patching, current antivirus |
Workstation Checklist:
□ Full disk encryption enabled
□ Host firewall enabled
□ EDR/antivirus installed and current
□ Automatic updates configured
□ Local admin rights removed from users
□ Screen lock timeout configured
□ USB restrictions applied
□ Browser security settings applied
□ Unnecessary software removed
How Do You Harden Servers?
Servers require stricter hardening due to their critical functions and potential exposure.
Server Hardening:
| Category | Actions |
|---|---|
| Services | Disable unused services, minimal installation |
| Accounts | Remove/rename default accounts, service accounts |
| Permissions | Principle of least privilege |
| Logging | Comprehensive audit logging |
| Network | Restrict to required ports only |
| Updates | Tested patching process |
Server Types:
| Server Type | Specific Hardening |
|---|---|
| Web server | Disable directory listing, remove default pages |
| Database | Encrypt data, restrict network access |
| File server | Permission auditing, disable inheritance |
| Domain controller | Physical security, strict access |
How Do You Harden Network Devices?
Switches, routers, and firewalls require specialized hardening.
Switch Hardening:
| Control | Purpose |
|---|---|
| Port security | Limit MAC addresses per port |
| DHCP snooping | Prevent rogue DHCP servers |
| Dynamic ARP inspection | Prevent ARP spoofing |
| Disable unused ports | Reduce attack surface |
| VLAN segmentation | Network isolation |
| Spanning tree protection | Prevent topology attacks |
Router Hardening:
| Control | Purpose |
|---|---|
| Disable unnecessary services | Reduce attack surface |
| Access control lists | Filter traffic |
| Secure management | SSH only, no Telnet |
| Routing protocol auth | Prevent route injection |
| Logging | Track configuration changes |
Network Device Checklist:
□ Change default credentials
□ Disable Telnet, use SSH
□ Enable logging
□ Disable unused ports/services
□ Implement access control lists
□ Enable port security (switches)
□ Configure management VLAN
□ Implement authentication for routing protocols
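To make the checklist concrete, here is an added example (not from the page or any vendor tool): a small Python audit that reads a constructed Cisco IOS-style running config and reports which checklist items it fails. The config text, the regular expressions and the finding messages are assumptions made for the example.

```python
import re

# Constructed IOS-style config (added example, not from the page) with deliberate gaps.
SAMPLE_CONFIG = """\
enable password cisco123
username admin privilege 15 password 0 admin
ip dhcp snooping
logging host 10.0.0.50
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/3
 shutdown
line vty 0 4
 transport input telnet ssh
"""

def interfaces(config):
    stanzas, current = {}, None   # map each 'interface' stanza to its indented body lines
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas

def audit(config):
    """Return hardening findings; an empty list means every check passed."""
    global_checks = [  # (pattern, is a match a finding?, message)
        (r"^enable password ", True, "reversible 'enable password' instead of 'enable secret'"),
        (r"^username \S+ .*password 0 ", True, "plaintext local user password"),
        (r"^ip dhcp snooping\s*$", False, "DHCP snooping disabled"),
        (r"^ip arp inspection vlan", False, "dynamic ARP inspection not configured"),
        (r"^logging host ", False, "no syslog host configured"),
    ]
    findings = [msg for pat, bad_if_found, msg in global_checks
                if bool(re.search(pat, config, re.M)) == bad_if_found]
    vty = re.search(r"^line vty.*?(?=^line |\Z)", config, re.M | re.S)
    if vty is None or not re.search(r"^ transport input ssh\s*$", vty.group(0), re.M):
        findings.append("vty lines allow Telnet (need 'transport input ssh')")
    for name, body in interfaces(config).items():
        if "shutdown" in body:
            continue  # unused port already disabled: nothing more to enforce
        if "switchport mode access" in body and "switchport port-security" not in body:
            findings.append(f"{name}: access port without port security")
    return findings
```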
How Do You Harden Cloud Infrastructure?
Cloud hardening spans VMs, containers, and cloud-native services.
Cloud Hardening:
| Layer | Actions |
|---|---|
| Identity | MFA, least privilege, no root keys |
| Network | Security groups, NACLs, private subnets |
| Compute | Hardened images, auto-patching |
| Storage | Encryption, access policies |
| Logging | CloudTrail/activity logs enabled |
Cloud-Specific Considerations:
IaaS:
- Harden VMs like on-premises servers
- Use cloud-native security groups
- Enable cloud provider security tools

PaaS:
- Secure application configuration
- Use managed encryption
- Review default settings

Serverless:
- Least privilege function permissions
- Secure environment variables
- Monitor function behavior
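The Identity and Network rows of the cloud table can be checked from data the provider already exposes. The following is an added example, not from the page: a constructed, trimmed IAM credential report (column names as in the real report) and a dict in the shape of an EC2 DescribeSecurityGroups response, each checked for the controls in the table. Account IDs, user names and group IDs are constructed.

```python
import csv
import io

# Constructed inputs (added example, not from the page): a trimmed IAM credential report
# and a dict in the shape of an EC2 DescribeSecurityGroups response.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,true,true,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,false
"""
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0d3e4f", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
]}
MGMT_PORTS = {22, 3389, 3306, 5432}  # admin and database ports that must never be world-open

def iam_findings(report_csv):
    """Identity row of the table: MFA on every console user, no access keys on root."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if row["user"] == "<root_account>" and has_key:
            findings.append("root account has an active access key")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{row['user']}: console access without MFA")
    return findings

def sg_findings(groups, ports=MGMT_PORTS):
    """Network row of the table: no management port or any-protocol rule open to the world."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                continue  # scoped to a specific CIDR: acceptable here
            if perm["IpProtocol"] == "-1":
                findings.append(f"{sg['GroupId']}: all protocols open to the internet")
                continue
            exposed = sorted(p for p in ports if perm["FromPort"] <= p <= perm["ToPort"])
            if exposed:
                findings.append(f"{sg['GroupId']}: port(s) {exposed} open to 0.0.0.0/0")
    return findings
```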
How Do You Harden ICS/SCADA Systems?
Industrial Control Systems require unique hardening due to operational constraints.
ICS/SCADA Challenges:
| Challenge | Implication |
|---|---|
| Legacy systems | May not support modern security |
| Availability | Downtime not acceptable |
| Patching | Requires vendor approval |
| Real-time requirements | Can't add latency |
| Long lifecycle | 15-20 year systems |
ICS Hardening Approach:
Network segmentation:
- Air-gap or firewall from corporate
- DMZ for data exchange
- No direct internet access

Access control:
- Physical access restrictions
- Multi-factor authentication
- Remove unnecessary remote access

Monitoring:
- Network anomaly detection
- Protocol-aware monitoring
- Change detection

Compensating controls (when patching isn't possible):
- Network isolation
- Additional monitoring
How Do You Harden IoT and Embedded Devices?
IoT devices have limited security capabilities but significant exposure.
IoT Hardening:
| Control | Implementation |
|---|---|
| Credentials | Change defaults, strong passwords |
| Firmware | Keep updated when possible |
| Network | Isolate on separate VLAN |
| Encryption | Enable if available |
| Unnecessary features | Disable unused services |
IoT Network Architecture:
[Corporate Network]
|
[Firewall]
|
[IoT VLAN] ←── Isolated
|
[IoT Devices]
No direct corporate access
Monitored traffic only
Internet access restricted

Embedded/RTOS Considerations:
Challenges:
- Limited memory for security software
- Proprietary operating systems
- No patching mechanism
- Physical access possible

Compensating controls:
- Network isolation
- Physical security
- Monitoring
- Firmware validation
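The segmentation described for ICS above and in the IoT architecture diagram can be verified mechanically rather than by reading rules by hand. The following is an added example, not from the page: constructed zone ranges and a first-match firewall rule set, with a check that reports any rule allowing a flow the isolation policy forbids (corporate straight into OT, or an isolated zone talking to the internet). All addresses, zone names, ports and rules are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed zones and rules (added example, not from the page); first matching rule wins.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "ics_dmz": ip_network("10.20.0.0/24"),   # historian / data exchange only
    "ot": ip_network("10.30.0.0/24"),        # PLCs and HMIs
    "iot": ip_network("10.40.0.0/24"),       # cameras and sensors
}
RULES = [  # (source zone, destination zone, port or "any", action)
    ("corporate", "ics_dmz", 443, "allow"),
    ("ics_dmz", "ot", 502, "allow"),      # Modbus from the historian only
    ("corporate", "ot", 3389, "allow"),   # deliberate violation: direct RDP into OT
    ("iot", "internet", 443, "allow"),    # deliberate violation: IoT egress to the internet
    ("any", "any", "any", "deny"),
]
# Flows the architecture forbids: isolated zones never talk directly to corporate or the internet.
FORBIDDEN = [("corporate", "ot"), ("ot", "internet"), ("internet", "ot"),
             ("iot", "corporate"), ("iot", "internet"), ("internet", "iot")]

def zone_of(ip):
    """Map an address to its zone; anything outside the defined ranges is 'internet'."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

def decide(rules, src_zone, dst_zone, port):
    """Return the action of the first rule matching the zones and port."""
    for rsrc, rdst, rport, action in rules:
        if rsrc in (src_zone, "any") and rdst in (dst_zone, "any") and rport in (port, "any"):
            return action
    return "deny"

def check_flow(src_ip, dst_ip, port):
    """Classify an observed flow (e.g. from flow logs) and decide whether the rules permit it."""
    return decide(RULES, zone_of(src_ip), zone_of(dst_ip), port)

def policy_violations(rules, probe_ports=(22, 80, 443, 502, 3389)):
    """Flows the rule set allows although the segmentation policy forbids them."""
    return [(s, d, p) for s, d in FORBIDDEN for p in probe_ports
            if decide(rules, s, d, p) == "allow"]
```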
How CompTIA Tests This
Example Analysis
Scenario: A manufacturing company has Windows workstations, Windows servers, Cisco switches, AWS cloud infrastructure, and legacy PLCs (Programmable Logic Controllers) on the factory floor. Develop a hardening strategy for each.
Analysis - Multi-Environment Hardening:
Windows Workstations:
Hardening approach: CIS Benchmark Level 1
Key controls:
✓ BitLocker full disk encryption
✓ Windows Firewall enabled
✓ EDR agent installed
✓ Automatic Windows Update
✓ Local admin rights removed
✓ AppLocker for application control
✓ USB device restrictions
✓ 15-minute screen lock timeout
Windows Servers:
Hardening approach: CIS Benchmark + custom controls
Key controls:
✓ Server Core where possible (minimal UI)
✓ Only required roles installed
✓ Rename/disable default Administrator
✓ Comprehensive audit logging
✓ Host firewall with explicit rules
✓ Remove unused services
✓ Scheduled patching with testing
✓ No direct internet access
Cisco Switches:
Hardening approach: Cisco security guide + CIS
Key controls:
✓ Change default credentials
✓ Disable Telnet, SSH only
✓ Port security (MAC limiting)
✓ DHCP snooping enabled
✓ Dynamic ARP inspection
✓ Disable unused ports
✓ Management VLAN separation
✓ Spanning tree protection (BPDU guard)
✓ AAA authentication (RADIUS)
AWS Cloud Infrastructure:
Hardening approach: CIS AWS Benchmark
Key controls:
✓ MFA on all IAM accounts
✓ No root access keys
✓ Security groups deny by default
✓ CloudTrail enabled in all regions
✓ S3 bucket encryption by default
✓ VPC flow logs enabled
✓ GuardDuty threat detection
✓ Hardened AMIs for EC2
✓ Secrets Manager for credentials
Legacy PLCs (ICS):
Hardening approach: Compensating controls
Key controls:
✓ Network segmentation (separate VLAN)
✓ Firewall between IT and OT
✓ No direct internet access
✓ Remove unused remote access (TeamViewer, etc.)
✓ Physical access controls
✓ Network monitoring/anomaly detection
✓ Documented exception for patching
✓ Vendor engagement for updates
✓ Backup of PLC configurations
Key insight: Each environment requires tailored hardening. Workstations focus on user-facing risks, servers on service security, network devices on infrastructure protection, cloud on identity and configuration, and ICS on isolation and compensating controls where traditional hardening isn't possible.
Memory Trick
Hardening by Device - "WSNCI":
- Workstations = User-facing (EDR, encryption, no admin)
- Servers = Services (minimal, locked down)
- Network = Infrastructure (port security, SSH)
- Cloud = Configuration (IAM, security groups)
- ICS/IoT = Isolation (segment, monitor)

Universal Hardening Steps - "CRUD-L":
- Change defaults (credentials, settings)
- Remove unnecessary (services, software)
- Update/patch systems
- Disable unused features
- Log everything
ICS Special Rule: "When you CAN'T patch, you CAN isolate." Network segmentation is the primary ICS control.
Network Device Memory: "Switches: Stop at the port" (port security); "Routers: Route only what's allowed" (ACLs).
IoT Rule: "Default credentials = Default breach." Always change IoT defaults.
Test Your Knowledge
Q1. Which hardening control is MOST important for IoT devices that cannot be easily updated?
Q2. Which switch security feature prevents rogue DHCP servers on the network?
Q3. A legacy manufacturing system cannot be patched due to vendor constraints. What is the PRIMARY compensating control?