Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1.2. Hardening Targets

💡 First Principle: Different computing resources require different hardening approaches based on their function, operating system, and exposure. Hardening is always about reducing attack surface — but "attack surface" looks different for a mobile device than for a database server.

Mobile devices — enforce screen locks, encryption, remote wipe capability, application controls, and patch management through MDM (Mobile Device Management). BYOD policies must balance security with employee privacy.

Workstations — disable unnecessary services, apply OS and application patches, enable host-based firewall, restrict administrative privileges to IT staff, configure endpoint detection and response (EDR).

Switches and routers — change default credentials, disable unused ports, enable port security, use SSH (not Telnet), disable unnecessary services (HTTP management, CDP where not needed), apply firmware updates.

Cloud infrastructure — enforce least privilege IAM policies, enable cloud-native logging, configure security groups with deny-by-default rules, enable encryption for storage and databases, scan IaC templates for misconfigurations.
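As an added example (not part of the MindMesh Academy notes), the following Python check walks a constructed CloudFormation-style JSON template and flags the cloud misconfigurations listed above: world-reachable security group ingress, wildcard IAM Allow actions, and unencrypted storage. The function name `scan_iac`, the `PUBLIC_OK_PORTS` allow list and the template itself are assumptions for illustration.

```python
import json

# Constructed CloudFormation-style template with deliberate weaknesses (not real infrastructure).
WEAK_TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
      "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"StorageEncrypted": false}}
  }
}
""")

ANY_ADDR = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}  # assumption: only web ports may be reachable from anywhere


def scan_iac(template):
    """Return (logical_id, finding) pairs for the deny-by-default, least-privilege and encryption checks."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                lo, hi = rule.get("FromPort"), rule.get("ToPort")
                # IpProtocol "-1" carries no ports, so lo is None and the rule is flagged too
                if cidr in ANY_ADDR and not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((name, f"ingress {lo}-{hi} open to {cidr}"))
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            for st in props.get("PolicyDocument", {}).get("Statement", []):
                actions = st.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                if st.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
                    findings.append((name, f"wildcard action {actions} allowed"))
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append((name, "no explicit BucketEncryption configured"))
        elif rtype == "AWS::RDS::DBInstance" and not props.get("StorageEncrypted", False):
            findings.append((name, "StorageEncrypted is not true"))
    return findings


if __name__ == "__main__":
    for logical_id, msg in scan_iac(WEAK_TEMPLATE):
        print(f"{logical_id}: {msg}")
```

Run before deployment as a pipeline gate; the 443 rule passes because HTTPS is on the allow list, while the SSH rule, the `*` policy and both unencrypted stores are reported.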

Servers — disable unnecessary services and roles, configure host-based firewalls, restrict remote access, enable audit logging, apply patches on a defined schedule, run only required software.

ICS/SCADA — isolate on dedicated networks, disable unnecessary protocols, implement application allow lists, use unidirectional security gateways where possible, monitor for anomalous commands.

Embedded and RTOS — update firmware when available, disable unused interfaces, implement network-level controls (since device-level controls may be impossible), monitor communication patterns for anomalies.

IoT devices — change default credentials, segment onto dedicated VLANs, disable UPnP and unnecessary services, monitor for unexpected outbound connections, apply firmware updates.

Virtual machines — harden the hypervisor (minimize installed roles, restrict management access), keep VM tools updated, use dedicated virtual switches for security zones, and remove unnecessary virtual hardware (serial ports, USB controllers, floppy drives).

Containers — use minimal base images, scan images for vulnerabilities before deployment, run containers as non-root, implement runtime security monitoring, and use read-only file systems where possible.

⚠️ Exam Trap: Different targets have different hardening priorities. For IoT/embedded, you often can't install software on the device — network-level controls (segmentation, monitoring) are the primary defense. For cloud infrastructure, IAM permissions are the most critical hardening target.

Written by Alvin Varughese, Founder (15 professional certifications)