Secure Baselines & Hardening Computing Resources
Establish, deploy, and maintain a known-good configuration — across workstations, servers, mobile, wireless, cloud, and applications — so every asset starts hardened and stays that way.
Hardening is how a security team turns “default” into “defensible.” Every asset ships with a manufacturer baseline tuned for convenience: open services, default credentials, verbose protocols, unused features enabled. Your job is to replace that with a secure baseline — a published, enforceable configuration that removes what you do not need and locks down what you do. The three verbs the exam tests are establish, deploy, and maintain: define the standard (CIS Benchmarks, DISA STIGs, vendor guides), push it at scale (GPO, Intune, Ansible, SCCM, Systems Manager), and monitor for drift.
The second pattern is hardening by asset class: a wireless access point is hardened differently from an ICS PLC, which is hardened differently from a cloud VM. Security+ tests whether you can match the technique to the asset: MAC-limits and port security on a switch; MDM containerization on a BYOD phone; WPA3-Enterprise and EAP-TLS on Wi-Fi; input validation and SAST in an application pipeline. Each asset class has a small canonical set of controls — memorize the set, then the scenario answers come quickly.
Secure baselines — the lifecycle. A baseline is the documented configuration that represents known-good for a given asset class. The lifecycle has three phases: establish (author the standard, typically starting from CIS Benchmarks, DISA STIGs, or the vendor hardening guide, then adapting for your environment), deploy (push the baseline at scale via Group Policy for Windows, Intune or Jamf for endpoints, Ansible/Puppet/Chef/DSC for servers, AWS Systems Manager/Azure Policy for cloud), and maintain (continuous compliance monitoring, remediate drift, version the baseline as new CVEs and guidance emerge).
Hardening targets — one canonical set of controls per asset class.
- Mobile devices — full-disk encryption, biometric auth, MDM enrollment, screen lock, app allow-list, remote wipe capability.
- Workstations — full-disk encryption (BitLocker, FileVault), host firewall, EDR agent, patch cadence, restricted local admin, USB/removable-media controls.
- Switches — disable unused ports, port security (MAC address limits), BPDU guard, DHCP snooping, encrypted management (SSH, HTTPS), separate management VLAN.
- Routers — disable HTTP management in favor of SSH/HTTPS, use SNMPv3 with strong auth, apply egress and ingress ACLs, centralize logging to a syslog collector.
- Cloud infrastructure — IAM least privilege, service-control policies, centralized logging (CloudTrail, Activity Log, Audit Logs), KMS-managed keys, CIS AWS/Azure Foundations Benchmarks.
- Servers — minimize installed services, SELinux/AppArmor enforcing, patch cadence, SSH hardening (no root login, key-based auth, non-default port optional), host-based IDS/EDR.
- ICS/SCADA — aggressive network segmentation, unidirectional gateways (data diodes) where possible, long patch windows accepted, compensating monitoring.
- Embedded systems — firmware updates where available; isolate where not; validate supply-chain integrity.
- RTOS — minimal attack surface by design; focus on supply chain and signed firmware.
- IoT — change default credentials, disable UPnP, isolate on a dedicated VLAN, monitor for anomalous outbound traffic.
Wireless devices — installation considerations. Hardening starts before the AP goes on the wall. A site survey identifies coverage gaps, rogue access points, and interference sources. A heat map visualizes signal strength and guides AP placement so you cover the floor without leaking signal into the parking lot. Power tuning limits the signal boundary to the physical perimeter. Frequency planning across 2.4, 5, and 6 GHz (Wi-Fi 6E) reduces contention. An AP radiating far beyond the building is an invitation to an attacker in the parking lot.
Mobile solutions — MDM and deployment models. MDM is the management plane: enrollment, policy push, remote wipe, compliance enforcement. Three deployment models with different privacy and control tradeoffs: BYOD (employee-owned device; containerization to separate corporate and personal data), COPE (company-owned, personally enabled; company controls the device but allows personal use), CYOD (user picks from an approved list; company-owned). Connection methods the exam touches: cellular (4G/5G, carrier-controlled), Wi-Fi (enterprise SSID with 802.1X, guest isolation), Bluetooth (pairing risks, BLE attacks).
Wireless security settings. WPA3 is the current standard, with SAE replacing the WPA2 PSK handshake to resist offline dictionary attacks. Enterprise uses 802.1X + RADIUS (AAA) for per-user authentication. The strongest EAP method is EAP-TLS (certificate-based, mutual authentication); PEAP and EAP-TTLS are alternatives when client-cert deployment is impractical. WPA3-Enterprise uses GCMP-256 for encryption; WPA2-Enterprise uses AES-CCMP.
Application security hardening. Input validation rejects or sanitizes untrusted input — the first line against injection, XSS, and path traversal. Secure cookies use the Secure, HttpOnly, and SameSite flags. Static code analysis (SAST) scans source for known vulnerable patterns; dynamic code analysis (DAST) tests the running application with fuzzing and automated probing. Code signing applies a cryptographic signature to binaries and scripts so consumers can verify authenticity and integrity before execution. Sandboxing isolates untrusted execution (browser sandboxes, email-attachment detonation, malware analysis VMs) — different from hardening: hardening reduces attack surface, sandboxing contains potential harm.
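Two of the checks this paragraph describes, as an added example that is not from the original page: an audit of Set-Cookie headers for the Secure, HttpOnly and SameSite flags, and a path-traversal guard that resolves a user-supplied filename under a fixed base directory. The headers and the base directory `/srv/docs` are constructed sample values.

```python
import os
from typing import Dict, List, Optional

# Constructed sample response headers (not captured from any real application).
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: csrf=tok; Secure; SameSite=None",
    "Content-Type: text/html",
]

# The three flags the section names for a secure cookie.
REQUIRED_FLAGS = ("secure", "httponly", "samesite")

def audit_set_cookie(header: str) -> Dict[str, object]:
    """Report which of Secure / HttpOnly / SameSite one Set-Cookie header lacks."""
    value = header.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the name part of "Key=Value".
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return {"name": name, "missing": missing}

def audit_response(headers: List[str]) -> List[Dict[str, object]]:
    """Audit every Set-Cookie header in a response; other headers are ignored."""
    return [audit_set_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]

def safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Input validation for a file-download endpoint: resolve user_path under
    base_dir (following symlinks) and refuse anything that escapes the base.
    Returns the resolved path, or None when the request is a traversal attempt."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

if __name__ == "__main__":
    for result in audit_response(SAMPLE_HEADERS):
        print(result["name"], "missing:", result["missing"] or "nothing")
    print(safe_path("/srv/docs", "../../etc/passwd"))  # None: traversal rejected
```

An absolute `user_path` is rejected too, because `os.path.join` discards the base when the second argument is absolute and the resolved result then lies outside it.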
Monitoring the result. Hardening is not a one-shot event; drift is constant. Pair every baseline with continuous monitoring: endpoint telemetry (EDR), network telemetry (NetFlow, IDS), identity telemetry (auth logs) feeding a SIEM or XDR so you detect when a device deviates from the baseline.
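The maintain phase of the baseline lifecycle (establish, deploy, maintain) and the SSH items in the Servers bullet, as an added example that is not part of the original page: a small drift checker that compares a host's `sshd_config` against a published baseline. The baseline values and the sample config are constructed, not taken from a real host.

```python
import re
from typing import Dict, List, Tuple
# Constructed baseline (hypothetical values): the SSH items the Servers bullet
# names, written as the sshd_config directives a drift checker would enforce.
SSH_BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",         # "no root login"
    "PasswordAuthentication": "no",  # "key-based auth" only
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
}

# Constructed sample of a live sshd_config that has drifted from the baseline.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample, not from a real host)
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication no
X11Forwarding no
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective directives keyed by lowercase name: sshd honours the first
    uncommented occurrence and accepts both 'Key value' and 'Key=value'."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def find_drift(baseline: Dict[str, str], config_text: str) -> List[Tuple[str, str, str]]:
    """Return (directive, expected, actual) for every baseline mismatch. A commented-out
    or absent directive is reported as '<unset>': sshd then applies its compiled-in
    default (e.g. PasswordAuthentication yes), which is still drift."""
    actual = parse_sshd_config(config_text)
    drift = []
    for key, expected in baseline.items():
        found = actual.get(key.lower())
        if found is None or found.lower() != expected.lower():
            drift.append((key, expected, "<unset>" if found is None else found))
    return drift

if __name__ == "__main__":
    for directive, want, got in find_drift(SSH_BASELINE, SAMPLE_SSHD_CONFIG):
        print(f"DRIFT {directive}: expected {want}, found {got}")
```

In practice the same comparison runs on a schedule (or from a configuration-management tool) and its findings feed the SIEM, so a host that silently reverts to password logins shows up as an alert rather than in the next audit.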
| Asset | Core Hardening Controls | Common Gotcha |
|---|---|---|
| Mobile | FDE, biometric, MDM enrollment, screen lock, remote wipe | BYOD privacy — containerize instead of full-device wipe |
| Workstation | FDE, host firewall, EDR, patch cadence, limited local admin | Local admin on every user creates lateral-movement surface |
| Switch | Port security (MAC limits), BPDU guard, SSH mgmt, unused ports disabled | HTTP/Telnet mgmt left enabled by default |
| Router | SSH/HTTPS mgmt, SNMPv3, ACLs, syslog, NTP | Default SNMP community strings (“public”/”private”) |
| Server | Min services, SELinux/AppArmor, SSH keys only, patching, HIDS/EDR | Root login over SSH or password auth still allowed |
| Cloud | IAM least privilege, logging, KMS, CIS benchmark, Config/Policy guardrails | Wildcard IAM policies and open security groups |
| ICS/SCADA | Segmentation, unidirectional gateway, compensating monitoring | Inline IPS that blocks legitimate OT traffic |
| IoT | Change defaults, dedicated VLAN, disable UPnP, monitor egress | Default admin/admin creds shipped from the factory |
| Wireless | WPA3, 802.1X + RADIUS, EAP-TLS, signal tuning, rogue-AP scanning | Open or WEP/WPA2-PSK on a corporate SSID |
| Application | Input validation, SAST+DAST in CI, code signing, secure cookies | Dev-only validation bypassed in production |
| MDM Model | Ownership | Privacy Trade | Exam cue |
|---|---|---|---|
| BYOD | User | High — user owns personal data | “Employees use personal phones” → containerization |
| COPE | Company | Medium — personal use permitted | “Provides phones, allows limited personal use” |
| CYOD | Company | Medium — user picks model | “Pick from approved list” |
| Corporate-owned | Company | Low — work only | “Locked-down kiosk / field devices” |
Two rules govern 4.1: (1) every asset class has a canonical hardening checklist — match the control to the asset, and (2) baselines must be enforced and monitored for drift, not just written. “We have a policy” is not hardening; a GPO, an Intune profile, or an Ansible role is.
BYOD at a Law Firm — Privileged Client Data
Law firm · 400 users · bar-confidentiality obligations
A mid-sized law firm (180 attorneys, 220 staff) has green-lit a BYOD program so attorneys can use their personal iPhones and Android devices for email, calendar, case-management, and document review. The IT Manager wants a frictionless rollout with “just enable Exchange ActiveSync and have everyone accept a policy.” The Security Engineer pushes back — client files fall under bar-association confidentiality rules, and a lost phone with unprotected mail is a disclosure event. The managing partner wants a decision before Monday.
Where you cannot fully control the device, you control the container. BYOD is the archetypal case: the employer does not own the hardware, so hardening shifts from the device to the managed workspace. The canonical pattern: MDM enrollment + corporate container + FDE + lock + remote wipe (container-only) + EAP-TLS Wi-Fi join. Do not confuse this with full MDM on a corporate-owned device — the exam distinguishes ownership models carefully.
BYOD rollouts are half security and half labor/privacy law. The IT Manager’s concern about wiping personal photos is correct, and the container model exists specifically to solve it. When you defend a BYOD design, lead with the split of responsibilities and the legal protections the design creates — not just the controls.
On the exam: “BYOD” + “personal privacy” → MDM with containerization + selective wipe. If the question says corporate-owned, the answer is full MDM policy.
A 600-person engineering firm is rebuilding corporate Wi-Fi. Client devices are modern (laptops issued in the last three years, all employees have phones that support WPA3). The IT lead wants to minimize deployment effort; the security team wants the strongest practical setting. Which is the better production design?
Option A: WPA2-PSK with a rotating shared passphrase
One SSID, one shared password, rotate quarterly. Simple to deploy and document.
Option B: WPA3-Enterprise with 802.1X + EAP-TLS
Per-user authentication via RADIUS, client certificates for identity, GCMP-256 for encryption.
Option B fits better — WPA3-Enterprise with EAP-TLS is the Security+ reference architecture
Option B: A shared passphrase means any one employee leaving (or any one compromised device) forces a firm-wide password change. WPA3-Enterprise with 802.1X + EAP-TLS gives per-user, per-device authentication; certificates revoke cleanly via the CA; GCMP-256 is the current crypto. With modern clients, the deployment burden is real but one-time — and afterwards, onboarding/offboarding is a cert issue/revoke action, not a scramble.
Option A’s kernel of truth: WPA2-PSK is simple, works everywhere, and is fine for a guest SSID or a very small network. It is not appropriate for production corporate Wi-Fi when modern clients exist.
On the exam: “strongest” + “enterprise” + “modern clients” → WPA3-Enterprise + EAP-TLS. Pick WPA2 only when the question specifies legacy constraints.
4.1 questions test two patterns: (1) match the hardening technique to the asset class (switch → port security; phone → MDM; AP → WPA3-Enterprise + EAP-TLS; web app → input validation + SAST/DAST), and (2) secure baseline lifecycle — establish, deploy (enforce), maintain (monitor drift). Trap answers conflate policy with enforcement, or pick a legacy standard when a modern one is available.
- A Require a four-digit PIN only
- B Enroll in MDM with full-disk encryption, biometric unlock, screen-lock policy, and remote-wipe capability
- C Place the phones on a guest Wi-Fi SSID
- D Ban any non-email apps from being installed
Correct: B. Corporate-owned mobile hardening is a canonical control bundle: MDM enrollment, FDE, biometric or strong unlock, screen-lock, and remote-wipe. This combination covers device loss (FDE + remote wipe), unauthorized access (lock + biometric), and compliance enforcement (MDM).
A wrong: PIN alone is not sufficient for PII devices.
C wrong: Wi-Fi placement is unrelated to device hardening for loss/theft.
D wrong: Useful as a policy but insufficient on its own.
Source: CompTIA SY0-701 Objectives v5.0 — 4.1 Apply common security techniques to computing resources
- A Install an EDR agent on the sensor
- B Change default credentials, disable UPnP, place on a dedicated IoT VLAN with egress restrictions
- C Expose the sensor’s management interface to the internet for remote support
- D Trust the device because it is from a major vendor
Correct: B. IoT hardening is almost always isolation + basic hygiene: change defaults, disable unnecessary features, segment the device, and monitor egress for anomalies.
A wrong: IoT devices typically cannot host EDR agents.
C wrong: Exposing mgmt interfaces to the internet is the opposite of hardening.
D wrong: Vendor reputation is not a control.
Source: CompTIA SY0-701 Objectives v5.0 — 4.1
- A Deploy a WAF and forget the rest
- B Add input validation, static application security testing (SAST), dependency scanning, and code signing to the CI pipeline
- C Rely on QA manual testing only
- D Enable server-side output sanitization only
Correct: B. Build-time application hardening combines input validation (design), SAST (pattern scanning of source), dependency scanning (third-party vulnerabilities), and code signing (integrity). WAFs are runtime controls, not build-time hardening.
A wrong: A WAF is helpful but is runtime-only.
C wrong: Manual QA cannot catch the patterns SAST finds at scale.
D wrong: Output sanitization alone is insufficient.
Source: CompTIA SY0-701 Objectives v5.0 — 4.1