Security Hardening Reference

Security Baselines

Predefined security configurations used as a foundation for compliance and security across IT systems.

Establish → Deploy → Maintain → Redeploy (drift correction)

Configuration drift: systems diverge from their baseline over time through patches, manual changes, or misconfigurations. Redeploying the baseline corrects this.


Hardening by System Type

Mobile Devices

  • Use a trusted (non-rooted/non-jailbroken) OS
  • Install apps from approved sources only
  • Apply vendor security patches and firmware updates
  • Require authentication + device-level encryption
  • Enable session timeouts and app/data sandboxing

Workstations

  • Install OS and software from approved sources
  • Apply patches and firmware updates
  • Enable drive-level encryption (BitLocker / FileVault)
  • Host-based firewall + antivirus
  • App sandboxing + domain environment enrollment

Servers

  • Same as workstations, plus:
  • Disable unused services and ports
  • Implement role-based access control (RBAC)
  • Log all administrative activity

Routers, Switches & Firewalls

Action                     Detail
Change defaults            Credentials, SNMP community strings, banners
VLAN segmentation          No devices on default VLAN 1
Encrypted management       SSHv2, TLS 1.3 only
Disable ICMP               Prevent network mapping
Disable legacy protocols   FTP, Telnet, HTTP management
Limit discovery protocols  CDP, LLDP — disable or restrict
Loop prevention            STP, Poison Reverse, Split Horizon
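As an added example (not part of this reference), the Establish → Deploy → Maintain → Redeploy loop applied to the router/switch settings above: a Python check that snapshots an IOS-style running config, compares it with a hardened baseline, and reports every setting that has drifted and needs redeploying. The baseline keys, the sample config and the command syntax it parses are assumptions made for this example.

```python
import re

BASELINE = {  # hardened switch baseline, built from the router/switch table above
    "snmp_community_default": False,  # no 'public'/'private' community strings left
    "telnet_management": False,       # VTY transport restricted to SSH
    "ssh_version": "2",               # SSHv2 only
    "access_ports_on_vlan1": 0,       # nothing left on the default VLAN
}

def snapshot(config_text):
    """Reduce an IOS-style running config to the settings the baseline tracks."""
    s = {"snmp_community_default": False, "telnet_management": False, "ssh_version": None, "access_ports_on_vlan1": 0}
    port = None  # [is_access_port, vlan] for the interface block being parsed
    for raw in config_text.splitlines() + ["!"]:  # trailing "!" closes the last block
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if port and port[0] and port[1] == 1:  # access port never moved off VLAN 1
                s["access_ports_on_vlan1"] += 1
            port = [False, 1] if line.startswith("interface ") else None
        elif port is not None:
            if line == "switchport mode access":
                port[0] = True
            elif m := re.match(r"switchport access vlan (\d+)", line):
                port[1] = int(m.group(1))
        elif (m := re.match(r"snmp-server community (\S+)", line)) and m.group(1).lower() in ("public", "private"):
            s["snmp_community_default"] = True
        elif m := re.match(r"ip ssh version (\d)", line):
            s["ssh_version"] = m.group(1)
        elif line.startswith("transport input") and ("telnet" in line or line.endswith(" all")):
            s["telnet_management"] = True
    return s

def detect_drift(current, baseline=BASELINE):
    """Map every setting that diverged from the baseline to (expected, actual); empty means no drift."""
    return {k: (v, current.get(k)) for k, v in baseline.items() if current.get(k) != v}

# Constructed running config from a switch that has drifted since the baseline was deployed.
SAMPLE_CONFIG = """\
ip ssh version 2
snmp-server community public RO
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/2
 switchport mode access
!
line vty 0 4
 transport input ssh telnet
"""
```

Running `detect_drift(snapshot(SAMPLE_CONFIG))` lists the default SNMP community, Telnet on the VTY lines and one access port still on VLAN 1 as the items to redeploy.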

Cloud Infrastructure

  • Identity management with MFA and conditional access
  • Data governance: classification + DLP policies
  • Encrypt data at rest and in transit
  • Disable legacy protocols (TLS 1.0/1.1)
  • Enable auditing and logging on all resources

ICS / SCADA

  • Document all architecture, connection points, and controls
  • Log all access and connection points
  • Remove unnecessary connections and services
  • Implement IDS/IPS
  • Air-gap where possible + physical security

IoT Devices

  • Maintain a single-pane-of-glass inventory of all devices
  • Change all defaults (credentials, ports, services)
  • Apply firmware updates and security patches
  • Enforce authentication, access control, and logging

Embedded Systems & RTOS

  • Apply patches when available; retire if not patchable
  • Air-gap where possible
  • Enable secure boot (UEFI)
  • Disable unnecessary comms and services
  • Principle of least execution privilege for applications

Hardening Checklist

[ ] Default credentials changed
[ ] Unnecessary services disabled
[ ] Firewall rules reviewed and tightened
[ ] Patches and firmware up to date
[ ] Logging and monitoring enabled
[ ] Encryption applied (at rest + in transit)
[ ] Access control configured (MFA, RBAC)
[ ] Baseline documented and stored securely