Endpoint and Server Hardening
Key Takeaways
- Hardening reduces attack surface by disabling unneeded services and ports, enforcing a secure baseline, and patching exploitable weaknesses.
- On SY0-701, Domain 2 (Threats) and Domain 4 (Operations) both test hardening, so know the techniques as both defenses and exam answers.
- Endpoint controls map to objective 4.5: EDR/XDR, HIPS, host firewall, FDE, application allow-listing, secure boot/TPM, and centralized logging.
- Patch prioritization weighs active exploitation, internet exposure, asset criticality, and CVSS severity together, not CVSS alone.
- Configuration drift must be detected and corrected; a baseline is a continuous control, not a one-time install step.
Why Hardening Anchors Domain 4
Domain 4, Security Operations, is the largest section of the CompTIA Security+ SY0-701 exam at roughly 28 percent of scored content, and hardening (objective 4.5) appears constantly. Hardening is the deliberate configuration of a host so it runs only what is needed, with secure defaults, monitoring, and a documented approved state. The exam frames it as attack surface reduction: every open port, default account, unused service, or unpatched binary is a path an attacker can use.
A secure baseline is the approved configuration for a system type, typically derived from a benchmark such as the Center for Internet Security (CIS) Benchmarks or a Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). The baseline is established, deployed, then maintained against drift.
Core Endpoint Controls (Objective 4.5)
| Control | What the exam expects you to know |
|---|---|
| Secure baseline | Establish, deploy, then maintain an approved CIS/STIG configuration |
| Patch management | Remediate known vulnerabilities; test in staging before production |
| Least privilege | Remove standing local admin; use just-in-time elevation |
| Host firewall / HIPS | Restrict inbound/outbound traffic and block known attack patterns at the device |
| EDR / XDR | Behavioral detection, isolation, and response on the host |
| Full disk encryption (FDE) | BitLocker/FileVault protect data at rest if a device is stolen |
| Application allow-listing | Only approved executables run; default-deny unknown binaries |
| Secure boot + TPM | Verify boot integrity; store keys in hardware |
| Centralized logging | Forward logs to a SIEM for detection and forensics |
Patch Prioritization Logic
The exam rejects the trap answer "patch strictly by CVSS score." A vulnerability with a CVSS 9.8 on an isolated lab box matters far less than a CVSS 7.5 on an internet-facing identity server under active exploitation. Prioritize on four combined factors:
- Active exploitation (listed in CISA's Known Exploited Vulnerabilities catalog) ranks highest.
- Exposure: internet-facing beats internal-only.
- Asset criticality: domain controllers, payment, or clinical systems outrank a test VM.
- Compensating controls: a WAF or segmentation may buy time when patching must wait.
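As an added example (not from the study guide), the scoring below implements the combined prioritization just described; the weights are assumptions chosen to keep the factors in the order the text gives, and the findings are constructed sample data, including the lab box versus identity server case:

```python
"""Added example (not from the study guide): rank findings the way the
text describes, weighing KEV listing, exposure, asset criticality and
compensating controls together with CVSS instead of sorting on CVSS
alone. Weights and findings are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    cvss: float                 # base score, 0.0-10.0
    in_kev: bool                # listed in CISA's KEV catalog
    internet_facing: bool
    criticality: str            # "critical", "high", or "low"
    compensating_control: bool  # WAF or segmentation already in front of it

CRITICALITY_WEIGHT = {"critical": 30, "high": 15, "low": 0}

def priority_score(f):
    """Higher is more urgent. The weights are assumptions chosen so that
    active exploitation outranks exposure, exposure outranks criticality,
    and the raw CVSS score only breaks ties within a tier."""
    score = f.cvss                   # 0-10: the tie-breaker
    if f.in_kev:
        score += 100                 # known exploited: top of the list
    if f.internet_facing:
        score += 50
    score += CRITICALITY_WEIGHT.get(f.criticality, 0)
    if f.compensating_control:
        score -= 20                  # a WAF or segmentation buys time
    return score

def prioritize(findings):
    """Most urgent first."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed findings, including the lab box vs identity server case.
SAMPLE = [
    Finding("lab-box-01", 9.8, False, False, "low", False),
    Finding("idp-01", 7.5, True, True, "critical", False),
    Finding("test-vm-03", 8.1, False, False, "low", True),
    Finding("web-app-02", 8.8, False, True, "high", True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):6.1f}  {f.host}")
```

Sorted by CVSS alone the lab box would come first; with the combined factors the KEV-listed, internet-facing identity server does.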
Worked Scenario
A company stands up a new internal file server. A hardened build removes unused server roles, applies current patches, forwards logs to the SIEM, opens host-firewall rules only for SMB from internal subnets, enforces least-privilege share permissions, installs EDR, enables FDE and protected backups, and applies a CIS baseline with a documented owner. Six weeks later a config scan flags that Remote Desktop was enabled manually by a technician. That is configuration drift; the management tool reverts it to baseline and logs the change.
Common Exam Traps
| Trap answer | Why it is wrong |
|---|---|
| "Disable logging to improve performance." | Logs are mandatory evidence for detection and investigations. |
| "Grant users local admin to cut help-desk tickets." | Least privilege limits malware and misconfiguration blast radius. |
| "Patch only the highest CVSS scores." | Exposure, exploitation, and asset criticality also drive priority. |
| "A baseline matters only at install time." | Baselines continuously detect and correct drift. |
| "Antivirus and EDR are the same." | EDR adds behavioral detection, isolation, and response, not just signatures. |
Hardening the Operating System and Below
The SY0-701 objectives explicitly call out hardening targets beyond the application layer, and the exam likes to test the less obvious ones.
- Trusted Platform Module (TPM) is a hardware chip that stores cryptographic keys and supports BitLocker key sealing and platform attestation. A Hardware Security Module (HSM) is the higher-assurance, often network-attached equivalent for servers and certificate authorities.
- Secure boot and measured boot verify each boot component's signature so that bootkits and rootkits cannot load before the OS.
- Disabling unused ports and protocols is hardening too: turn off Telnet, legacy SMBv1, and unused USB ports.
- Service accounts should be non-interactive, scoped to a single function, and rotated, never reused across systems.
How EDR, XDR, and HIPS Differ
Candidates lose points by treating these as interchangeable. EDR focuses on a single endpoint's process, file, registry, and network telemetry and can isolate that host. XDR (extended detection and response) correlates signals across endpoints, email, identity, and cloud for broader detection. A host-based intrusion prevention system (HIPS) blocks traffic and known attack patterns at the device, while a host-based firewall simply allows or denies by rule. On the exam, "investigate suspicious PowerShell that spawned a hidden process" points to EDR; "block inbound RDP from the internet on this laptop" points to a host firewall.
Decommissioning and Sanitization
Hardening extends to end of life. When a server is retired, sanitize its storage: cryptographic erase for self-encrypting drives, multi-pass overwrite for magnetic media, or physical destruction (shredding/degaussing) for the highest sensitivity. Update the asset inventory and certificate inventory so revoked or removed systems do not leave stale trust relationships behind.
Group Policy, Configuration Management, and Drift
At scale, hardening is enforced through configuration management rather than manual edits. In Windows environments, Group Policy Objects (GPOs) push baseline settings to domain-joined hosts; in mixed or cloud fleets, configuration management tools apply the same desired state and report compliance. The exam's takeaway is that the baseline is enforced continuously: a config-management agent reapplies the approved state on a schedule, so a setting a user changes manually reverts automatically.
This closes the gap between the documented baseline and the live system; that gap is exactly the configuration drift the objectives warn about.
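An added example (not from the study guide or any configuration-management product) that ties the file server scenario above to this section: it compares a constructed baseline with an observed scan, reports drift such as Remote Desktop being enabled, and reverts it while emitting an audit line per change. The setting names and values are hypothetical, not a real CIS or STIG control set.

```python
"""Added example (not from the study guide): a minimal drift check that
compares an approved baseline against a host's observed settings and
builds the remediation a config-management agent would apply.
Setting names and values are constructed for the file-server scenario."""

# Approved state for the "internal file server" role (constructed).
BASELINE = {
    "RemoteDesktop.Enabled": False,
    "SMBv1.Enabled": False,
    "Telnet.Installed": False,
    "Firewall.Inbound.SMB.AllowedFrom": ["10.0.0.0/8"],
    "LogForwarding.SIEM": True,
    "EDR.Agent.Running": True,
    "FDE.Enabled": True,
}

def detect_drift(baseline, observed):
    """Return {setting: (approved, actual)} for every baseline setting
    that differs from, or is missing in, the observed state. Keys the
    baseline does not mention are ignored: they are not drift."""
    drift = {}
    for key, approved in baseline.items():
        actual = observed.get(key, "<missing>")
        if actual != approved:
            drift[key] = (approved, actual)
    return drift

def remediate(observed, drift):
    """Revert each drifted setting to its approved value and emit one
    audit-log line per change, as the scenario's management tool does."""
    corrected = dict(observed)
    log = []
    for key, (approved, actual) in drift.items():
        corrected[key] = approved
        log.append(f"DRIFT {key}: {actual!r} -> {approved!r} (reverted)")
    return corrected, log

# Constructed scan six weeks after build: a technician enabled Remote
# Desktop by hand and widened the SMB firewall rule.
OBSERVED = {
    **BASELINE,
    "RemoteDesktop.Enabled": True,
    "Firewall.Inbound.SMB.AllowedFrom": ["10.0.0.0/8", "0.0.0.0/0"],
}

if __name__ == "__main__":
    found = detect_drift(BASELINE, OBSERVED)
    fixed, audit = remediate(OBSERVED, found)
    print("\n".join(audit) or "no drift")
```

Running the check again on the corrected state returns an empty result, which is the continuous-enforcement loop the section describes.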
Practice Questions
- A critical internet-facing server has a remotely exploitable vulnerability listed in CISA's Known Exploited Vulnerabilities catalog. What should happen first?
- Which controls reduce endpoint attack surface? Choose two.
- Which technology adds behavioral detection, host isolation, and response capability beyond traditional signature-based antivirus?