Endpoint and Server Hardening
Key Takeaways
- Hardening reduces attack surface by removing unnecessary services, enforcing secure configuration, and patching known weaknesses.
- Secure baselines make systems consistent and auditable across laptops, desktops, and servers.
- Endpoint controls include EDR, host firewall, disk encryption, application control, logging, and least privilege.
- Patch management should prioritize exploitability, exposure, criticality, and business impact.
- Configuration drift must be detected and corrected before it becomes a security gap.
Secure operations begin with reducing the number of ways a host can be attacked. Hardening is the process of configuring endpoints and servers to run only what is needed, with secure defaults and continuous monitoring.
Hardening Checklist
| Control | Purpose |
|---|---|
| Secure baseline | Defines approved configuration for a system type |
| Patch management | Fixes known vulnerabilities in operating systems and applications |
| Least privilege | Limits user and service account permissions |
| Host firewall | Restricts inbound and outbound traffic at the device |
| EDR | Detects and responds to suspicious endpoint behavior |
| Disk encryption | Protects local data if a device is lost or stolen |
| Application control | Allows approved software and blocks unknown or risky executables |
| Secure boot | Verifies that firmware, bootloader, and kernel components are signed before they run, blocking bootkits and tampered boot files |
| Logging | Provides evidence for detection, investigation, and compliance |
Server vs Endpoint Focus
| Asset | Main hardening focus |
|---|---|
| User laptop | Disk encryption, EDR, MDM or endpoint management, phishing-resistant MFA |
| File server | Share permissions, patching, host firewall, auditing, backup integration |
| Web server | Minimal services, TLS, secure headers, file permissions, WAF integration |
| Domain controller | Restricted admin access, logging, time sync, no extra roles, protected backups |
| Jump host | MFA, session logging, restricted source IPs, no internet browsing |
Patch Prioritization
Patching is risk management. The highest priority is usually a vulnerability that is actively exploited, remotely exploitable, exposed on an internet-facing service, and present on a critical asset that has no compensating control in front of it.
| Factor | Higher priority example |
|---|---|
| Exploitation | Known active exploitation |
| Exposure | Internet-facing service |
| Asset criticality | Identity server, payment system, clinical system |
| Severity | Critical remote code execution |
| Compensating control | None in place: no WAF, segmentation, or access restriction in front of the vulnerable service |
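The factors in the table combine into an ordering, not a single score read off CVSS. The following is an added example (not code from the page) that ranks four constructed findings using those factors. The weights, the asset tiers, the SLA bands and the sample findings are assumptions chosen to show how the factors interact; they are not a standard scoring model. Note how the finding with the highest CVSS (a workstation, not exposed, not exploited) lands last, which is the "patch only by CVSS score" trap below.

```python
"""Rank vulnerabilities for patching using the factors from the table above.

Added example; not from the page. The weights, the asset tiers, the SLA
thresholds and the four sample findings are assumptions chosen to show how the
factors interact, not an industry standard scoring model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str        # internal ticket label (placeholder, not a real identifier)
    asset: str
    cvss: float            # base severity, 0.0 - 10.0
    exploited: bool        # known active exploitation in the wild
    internet_facing: bool  # reachable from the internet
    remote: bool           # remotely exploitable (network attack vector)
    asset_tier: str        # "critical", "high" or "standard"
    compensating: bool     # WAF, segmentation or access restriction already in place


# Assumed multipliers: a critical asset triples the urgency of the same flaw.
TIER_WEIGHT = {"critical": 3.0, "high": 2.0, "standard": 1.0}


def priority_score(f: Finding) -> float:
    """Severity is the starting point; exploitation and exposure add to it,
    asset criticality multiplies it, and a compensating control only discounts it."""
    score = f.cvss
    if f.exploited:
        score += 4.0       # active exploitation dominates everything else
    if f.internet_facing:
        score += 3.0
    if f.remote:
        score += 1.0
    score *= TIER_WEIGHT[f.asset_tier]
    if f.compensating:
        score *= 0.7       # a WAF or ACL buys time; it does not close the finding
    return round(score, 1)


def sla_days(score: float) -> int:
    """Assumed remediation windows for each score band."""
    if score >= 40:
        return 1           # emergency change, out of the normal patch cycle
    if score >= 20:
        return 7
    if score >= 10:
        return 30
    return 90


def patch_order(findings: list[Finding]) -> list[Finding]:
    """Highest priority first; ties are broken by CVSS so the order is stable."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)


# Constructed sample findings (not real vulnerabilities).
SAMPLE = [
    Finding("F1", "identity server", 9.8, True, True, True, "critical", False),
    Finding("F2", "user workstation", 10.0, False, False, True, "standard", False),
    Finding("F3", "web server behind WAF", 7.5, True, True, True, "high", True),
    Finding("F4", "internal file server", 8.8, False, False, True, "high", False),
]

if __name__ == "__main__":
    for f in patch_order(SAMPLE):
        s = priority_score(f)
        print(f"{f.finding_id} {f.asset:<22} cvss={f.cvss:<4} score={s:<5} "
              f"patch within {sla_days(s)} day(s)")
```

Running it prints F1 (identity server, exploited, internet-facing) first with a one-day window, the WAF-fronted web server second, the internal file server third, and the CVSS 10.0 workstation last. Swap the multipliers for your own environment's risk appetite; the point is that exposure, exploitation and asset criticality change the order, not that these particular numbers are right.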
Practical Scenario
A small company deploys a new internal file server. A secure build would:
- remove unused roles and services so that only the file-sharing role remains;
- apply current patches before the server is made available to users;
- forward logs to centralized logging;
- allow inbound host firewall rules only for the required file-sharing ports, and only from internal networks, with management ports limited to the admin subnet;
- enforce least-privilege share and file-system permissions;
- install EDR;
- enable and test backups;
- apply the secure baseline and keep the server under drift monitoring;
- document the owner.
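A baseline is only useful if something keeps checking the host against it after go-live. The following is an added example (not code from the page) that expresses the file-server build above as a hypothetical baseline and reports drift when a collected host state no longer matches it. The two host states are constructed inline to stand in for what an endpoint agent or configuration-management tool would report; the subnets, share names, principals and patch levels are assumptions.

```python
"""Check a collected host state against a secure baseline and report drift.

Added example; not from the page. The baseline describes the internal file
server from the scenario above and is hypothetical; the two collected states
below are constructed inline to stand in for what an agent or configuration
management tool would report. Patch levels are compared as YYYY-MM strings.
"""

# Hypothetical baseline for the file-server role.
BASELINE = {
    "roles": {"FileServer"},                  # any other role is unneeded attack surface
    "patch_level_min": "2024-06",             # oldest acceptable monthly patch level
    "firewall": {                             # inbound port -> approved source networks
        445: {"10.0.0.0/8"},                  # SMB from internal ranges only
        3389: {"10.10.5.0/24"},               # remote management from the admin subnet only
    },
    "required": ("edr_installed", "log_forwarding", "backups_enabled"),
    "shares": {                               # share -> {principal: rights}
        "Finance": {"Finance-Users": "Modify", "Backup-Svc": "Read"},
    },
}


def find_drift(collected: dict, baseline: dict = BASELINE) -> list[str]:
    """Return one message per deviation; an empty list means the host matches."""
    drift = []

    roles = set(collected.get("roles", ()))
    for role in sorted(roles - baseline["roles"]):
        drift.append(f"role not in baseline: {role}")
    for role in sorted(baseline["roles"] - roles):
        drift.append(f"required role missing: {role}")

    if collected.get("patch_level", "") < baseline["patch_level_min"]:
        drift.append(f"patch level {collected.get('patch_level')!r} older than "
                     f"{baseline['patch_level_min']}")

    base_fw = baseline["firewall"]
    for port, sources in collected.get("firewall", {}).items():
        if port not in base_fw:
            drift.append(f"inbound port {port} open but not in baseline")
        else:
            extra = sorted(set(sources) - base_fw[port])
            if extra:
                drift.append(f"port {port} reachable from unapproved sources: {extra}")

    for control in baseline["required"]:
        if collected.get(control) is not True:
            drift.append(f"{control} is not enabled")

    for share, acl in collected.get("shares", {}).items():
        base_acl = baseline["shares"].get(share)
        if base_acl is None:
            drift.append(f"share not in baseline: {share}")
            continue
        for principal, rights in acl.items():
            expected = base_acl.get(principal, "no access")
            if rights != expected:
                drift.append(f"share {share}: {principal} has {rights}, baseline allows {expected}")

    if not collected.get("owner"):
        drift.append("no documented owner")
    return drift


# Constructed state for a server that drifted after go-live.
DRIFTED = {
    "hostname": "fs01",
    "roles": {"FileServer", "WebServer"},
    "patch_level": "2024-04",
    "firewall": {445: {"0.0.0.0/0"}, 3389: {"10.10.5.0/24"}, 8080: {"10.0.0.0/8"}},
    "edr_installed": True,
    "log_forwarding": False,
    "backups_enabled": True,
    "shares": {"Finance": {"Finance-Users": "Modify", "Backup-Svc": "Read", "Everyone": "Full"}},
    "owner": "",
}

# Constructed state for the same server after the drift was corrected.
COMPLIANT = {
    "hostname": "fs01",
    "roles": {"FileServer"},
    "patch_level": "2024-07",
    "firewall": {445: {"10.0.0.0/8"}, 3389: {"10.10.5.0/24"}},
    "edr_installed": True,
    "log_forwarding": True,
    "backups_enabled": True,
    "shares": {"Finance": {"Finance-Users": "Modify", "Backup-Svc": "Read"}},
    "owner": "it-ops",
}

if __name__ == "__main__":
    for host in (DRIFTED, COMPLIANT):
        findings = find_drift(host)
        print(f"{host['hostname']}: {len(findings)} drift item(s)")
        for line in findings:
            print("  -", line)
```

For the drifted state the check reports seven items: an extra web role, an old patch level, SMB opened to the world, an unexpected listening port, log forwarding switched off, an Everyone/Full entry on the Finance share, and no owner. Each of these is exactly the kind of change that turns a hardened build into a gap if nothing compares the live host to the baseline on a schedule.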
Common Exam Traps
| Trap | Better exam reasoning |
|---|---|
| "Disable logging to improve performance." | Logs are required for detection and investigations. |
| "Give users local admin so support tickets decrease." | Least privilege reduces malware and misconfiguration impact. |
| "Patch only by CVSS score." | Exposure, exploitation, and asset criticality also matter. |
| "A baseline is useful only during installation." | Baselines also detect and correct drift. |
Quick Drill
Choose the best control:
- Stop unknown executables from running: application control.
- Investigate suspicious PowerShell activity: EDR and logs.
- Protect a stolen laptop drive: full disk encryption.
- Limit server management to an admin subnet: host firewall and network ACLs.
- Ensure systems stay configured as approved: configuration management and drift detection.
- A critical internet-facing server has a remotely exploitable vulnerability that is being actively used in attacks. What should happen first?
- Which controls reduce endpoint attack surface? Choose two.
- Which tool is most directly associated with detecting and responding to suspicious behavior on a laptop or server?