Chapter 57 Β· Concepts

Hardening Techniques β€” Key Concepts

Quick-reference tables, comparison grids, and decision frameworks for exam and practice scenarios.

Hardening Techniques β€” Quick Reference

TechniqueTargetPrimary GoalKey Tool / MethodDoes NOT Protect Against
OS patchingOperating systemClose known vulnerabilitiesWindows Update / WSUS / SCCMZero-day exploits (no patch available)
Password policy + least privilegeUser accountsLimit credential attacks and blast radiusGroup Policy / PAMPhishing that steals valid credentials
Network access restrictionServer accessLimit who can reach the systemHost firewall / ACL (IP allowlist)Attacks from permitted source IPs
File-level encryption (EFS)Specific files/foldersProtect sensitive files from other OS accountsWindows EFS (NTFS)Compromise of the account that encrypted the files
Full disk encryption (FDE)Entire storage volumePrevent data access from physical drive removalBitLocker / FileVault / LUKSData access during an authenticated session
Network encryptionData in transitPrevent interception on untrusted networksVPN, TLS/HTTPSData at rest; endpoint compromise
EDREndpoint processesDetect/respond to malware (known + unknown)CrowdStrike, Defender, SentinelOnePreventing phishing delivery
Host-based firewallNetwork connections per processBlock unauthorized process network accessWindows Defender Firewall / iptablesMalware using an approved process as proxy
HIPSOS-level behaviorsBlock buffer overflows, rootkit installation, registry tamperingIntegrated into EDR agentsAttacks that don't trigger monitored OS behaviors
Port closureNetwork attack surfaceRemove exploitable listening servicesNmap audit + firewall enforcementVulnerabilities in required open ports
Default credential changesManagement interfacesPrevent access via published factory credentialsManual change on every device/appBrute force or stolen custom credentials
Unnecessary software removalInstalled applicationsPermanently eliminate unused attack surfaceUninstall / role removalVulnerabilities in remaining required software

EDR vs. Traditional Antivirus β€” Capability Comparison

CapabilityTraditional AntivirusEDR
Known malware detectionYes β€” signature databaseYes β€” signature database (and faster/broader)
Zero-day / novel malware detectionNo β€” no signature existsYes β€” behavioral analysis, ML classification
Process monitoringLimited / noneYes β€” monitors all process trees, parent-child chains
Root cause analysisNoYes β€” traces full attack chain back to initial access
Automated isolationNo β€” alerts onlyYes β€” disconnects endpoint from network automatically
Configuration rollbackNoYes β€” reverts OS to pre-infection state
API-driven responseNoYes β€” no technician intervention required
Central managementSometimesYes β€” all endpoint telemetry in one console
Scalability to 1M+ daily variantsNo β€” cannot keep upYes β€” behavioral/ML does not depend on signature currency

Host-Based Firewall vs. Network Firewall

DimensionNetwork FirewallHost-Based Firewall
LocationPerimeter (between network segments)On the endpoint OS itself
Traffic visibilitySees packets; cannot inspect TLS payloads without decryption proxySees application-layer data before/after encryption (sits on the OS)
Rule granularitySource IP, destination IP, port, protocolSource IP, destination IP, port, protocol, AND per-process (which application)
Unknown process detectionNo β€” cannot identify which process generated a packetYes β€” new processes attempting network access are flagged
Protects againstTraffic from one network segment reaching anotherUnauthorized process network activity on the endpoint itself
ManagementCentralized (firewall admin console)Centralized (Group Policy, endpoint management platform)
Bypassed byEncrypted lateral movement; legitimate-looking trafficMalware injecting into approved processes

HIPS Detection Methods

MethodWhat It EvaluatesDetectsMisses
Signature-basedOS behavior / memory patterns vs. known attack signaturesKnown exploit shellcode, recognized attack tools, documented attack patternsNew attack variants with no signature; custom-written exploits
HeuristicBehavior vs. rules defining "suspicious patterns"Unusual privilege escalation attempts; anomalous memory access patternsNovel attack techniques outside the rule set
BehavioralDeviation from established baseline of normal OS activityNew services at 3AM; script interpreter spawned by Office; executable writes to system directoriesAttacks that stay within baseline behavior patterns; slow/stealthy changes that avoid threshold triggers

HIPS detects: buffer overflows (process writes beyond allocated memory), unauthorized registry modifications (run keys, security policy keys), writes to protected OS directories (C:\Windows\System32\), unauthorized kernel driver installation. All three methods are deployed together in modern endpoint protection β€” signatures catch the known, heuristics and behavioral analysis extend coverage to the unknown.

Port Management Workflow

STEP 1 Β· INVENTORY
Run Nmap against every system. Document all open TCP/UDP ports. This is the baseline β€” you cannot close what you do not know is open.
STEP 2 Β· MAP TO SERVICES
For each open port, identify the service listening. Cross-reference against the list of services the system's role actually requires.
STEP 3 Β· DISABLE UNNECESSARY
Stop and disable services that are not required. Uninstall them where possible β€” a service that does not exist cannot be restarted by malware or misconfiguration.
STEP 4 Β· ENFORCE WITH FIREWALL
Apply host-based firewall rules permitting only required ports from authorized sources. NGFW is ideal β€” enforces by application identity, not just port number.
STEP 5 Β· MONITOR CONTINUOUSLY
Re-scan periodically. Alert on any new open port. Software updates and new installations silently open ports β€” ongoing monitoring is the only reliable detection.

Encryption Layer Selection β€” Which to Use When

Threat ScenarioCorrect Encryption LayerWhy
Laptop physically stolen; drive removed and connected to another machineFDE (BitLocker / FileVault / LUKS)FDE encrypts the entire volume; TPM-bound key unavailable outside the original machine
Shared workstation; protect specific files from other user accounts on the same OSFile-level (Windows EFS)EFS encrypts per-user; other accounts see ciphertext; FDE wouldn't help (all authenticated users see the mounted volume)
Sensitive data transmitted over an untrusted network (internet, hotel Wi-Fi)Network encryption (VPN / TLS / HTTPS)FDE and EFS protect at-rest data; network encryption protects data in transit
Data in a password manager or encrypted messaging app β€” protect even if FDE failsApplication-level encryptionDeepest layer; independent of OS and file system; survives FDE bypass
Decommissioning an SSD; need to ensure stored data is irrecoverableCryptographic erase (destroy FDE key)FDE was deployed; destroying the key makes all ciphertext permanently irrecoverable without sector-level overwrite

Hardening Checklist β€” Server Deployment

OS & Account Hardening
  • Apply all OS patches before production deployment
  • Disable or remove default/guest accounts
  • Set password policy: minimum length 8–16, complexity enforced
  • Remove all accounts not needed for the server's function
  • Ensure no standard user account runs as local admin
  • Restrict SSH/RDP access to management VLAN IP range only
Services & Software
  • Inventory all open ports with Nmap before and after setup
  • Disable all OS roles and features not required for this server's function
  • Uninstall all unnecessary software (including OEM tools)
  • Change all default credentials on management interfaces
  • Enable MFA on all administrative access paths
  • Restrict management interface access to management VLAN only
Encryption
  • Enable FDE (BitLocker / LUKS) β€” required for any portable device
  • Enable HTTPS (TLS 1.2+) for all management interfaces
  • Disable plaintext protocols (Telnet, FTP, HTTP management) β€” use SSH, SFTP, HTTPS
  • Enforce VPN or private network for server management traffic
Endpoint Protection
  • Install and configure EDR agent (reporting to central console)
  • Enable and configure host-based firewall (default-deny)
  • Confirm HIPS functionality is active within EDR platform
  • Enroll in SIEM log forwarding (authentication, system, application logs)
  • Schedule recurring Nmap scans and alert on port profile changes