Hardening Techniques β Quick Reference
| Technique | Target | Primary Goal | Key Tool / Method | Does NOT Protect Against |
|---|---|---|---|---|
| OS patching | Operating system | Close known vulnerabilities | Windows Update / WSUS / SCCM | Zero-day exploits (no patch available) |
| Password policy + least privilege | User accounts | Limit credential attacks and blast radius | Group Policy / PAM | Phishing that steals valid credentials |
| Network access restriction | Server access | Limit who can reach the system | Host firewall / ACL (IP allowlist) | Attacks from permitted source IPs |
| File-level encryption (EFS) | Specific files/folders | Protect sensitive files from other OS accounts | Windows EFS (NTFS) | Compromise of the account that encrypted the files |
| Full disk encryption (FDE) | Entire storage volume | Prevent data access from physical drive removal | BitLocker / FileVault / LUKS | Data access during an authenticated session |
| Network encryption | Data in transit | Prevent interception on untrusted networks | VPN, TLS/HTTPS | Data at rest; endpoint compromise |
| EDR | Endpoint processes | Detect/respond to malware (known + unknown) | CrowdStrike, Defender, SentinelOne | Preventing phishing delivery |
| Host-based firewall | Network connections per process | Block unauthorized process network access | Windows Defender Firewall / iptables | Malware using an approved process as proxy |
| HIPS | OS-level behaviors | Block buffer overflows, rootkit installation, registry tampering | Integrated into EDR agents | Attacks that don't trigger monitored OS behaviors |
| Port closure | Network attack surface | Remove exploitable listening services | Nmap audit + firewall enforcement | Vulnerabilities in required open ports |
| Default credential changes | Management interfaces | Prevent access via published factory credentials | Manual change on every device/app | Brute force or stolen custom credentials |
| Unnecessary software removal | Installed applications | Permanently eliminate unused attack surface | Uninstall / role removal | Vulnerabilities in remaining required software |
EDR vs. Traditional Antivirus β Capability Comparison
| Capability | Traditional Antivirus | EDR |
|---|---|---|
| Known malware detection | Yes β signature database | Yes β signature database (and faster/broader) |
| Zero-day / novel malware detection | No β no signature exists | Yes β behavioral analysis, ML classification |
| Process monitoring | Limited / none | Yes β monitors all process trees, parent-child chains |
| Root cause analysis | No | Yes β traces full attack chain back to initial access |
| Automated isolation | No β alerts only | Yes β disconnects endpoint from network automatically |
| Configuration rollback | No | Yes β reverts OS to pre-infection state |
| API-driven response | No | Yes β no technician intervention required |
| Central management | Sometimes | Yes β all endpoint telemetry in one console |
| Scalability to 1M+ daily variants | No β cannot keep up | Yes β behavioral/ML does not depend on signature currency |
Host-Based Firewall vs. Network Firewall
| Dimension | Network Firewall | Host-Based Firewall |
|---|---|---|
| Location | Perimeter (between network segments) | On the endpoint OS itself |
| Traffic visibility | Sees packets; cannot inspect TLS payloads without decryption proxy | Sees application-layer data before/after encryption (sits on the OS) |
| Rule granularity | Source IP, destination IP, port, protocol | Source IP, destination IP, port, protocol, AND per-process (which application) |
| Unknown process detection | No β cannot identify which process generated a packet | Yes β new processes attempting network access are flagged |
| Protects against | Traffic from one network segment reaching another | Unauthorized process network activity on the endpoint itself |
| Management | Centralized (firewall admin console) | Centralized (Group Policy, endpoint management platform) |
| Bypassed by | Encrypted lateral movement; legitimate-looking traffic | Malware injecting into approved processes |
HIPS Detection Methods
| Method | What It Evaluates | Detects | Misses |
|---|---|---|---|
| Signature-based | OS behavior / memory patterns vs. known attack signatures | Known exploit shellcode, recognized attack tools, documented attack patterns | New attack variants with no signature; custom-written exploits |
| Heuristic | Behavior vs. rules defining "suspicious patterns" | Unusual privilege escalation attempts; anomalous memory access patterns | Novel attack techniques outside the rule set |
| Behavioral | Deviation from established baseline of normal OS activity | New services at 3AM; script interpreter spawned by Office; executable writes to system directories | Attacks that stay within baseline behavior patterns; slow/stealthy changes that avoid threshold triggers |
HIPS detects: buffer overflows (process writes beyond allocated memory), unauthorized registry modifications (run keys, security policy keys), writes to protected OS directories (C:\Windows\System32\), unauthorized kernel driver installation. All three methods are deployed together in modern endpoint protection β signatures catch the known, heuristics and behavioral analysis extend coverage to the unknown.
Port Management Workflow
STEP 1 Β· INVENTORY
Run Nmap against every system. Document all open TCP/UDP ports. This is the baseline β you cannot close what you do not know is open.
STEP 2 Β· MAP TO SERVICES
For each open port, identify the service listening. Cross-reference against the list of services the system's role actually requires.
STEP 3 Β· DISABLE UNNECESSARY
Stop and disable services that are not required. Uninstall them where possible β a service that does not exist cannot be restarted by malware or misconfiguration.
STEP 4 Β· ENFORCE WITH FIREWALL
Apply host-based firewall rules permitting only required ports from authorized sources. NGFW is ideal β enforces by application identity, not just port number.
STEP 5 Β· MONITOR CONTINUOUSLY
Re-scan periodically. Alert on any new open port. Software updates and new installations silently open ports β ongoing monitoring is the only reliable detection.
Encryption Layer Selection β Which to Use When
| Threat Scenario | Correct Encryption Layer | Why |
|---|---|---|
| Laptop physically stolen; drive removed and connected to another machine | FDE (BitLocker / FileVault / LUKS) | FDE encrypts the entire volume; TPM-bound key unavailable outside the original machine |
| Shared workstation; protect specific files from other user accounts on the same OS | File-level (Windows EFS) | EFS encrypts per-user; other accounts see ciphertext; FDE wouldn't help (all authenticated users see the mounted volume) |
| Sensitive data transmitted over an untrusted network (internet, hotel Wi-Fi) | Network encryption (VPN / TLS / HTTPS) | FDE and EFS protect at-rest data; network encryption protects data in transit |
| Data in a password manager or encrypted messaging app β protect even if FDE fails | Application-level encryption | Deepest layer; independent of OS and file system; survives FDE bypass |
| Decommissioning an SSD; need to ensure stored data is irrecoverable | Cryptographic erase (destroy FDE key) | FDE was deployed; destroying the key makes all ciphertext permanently irrecoverable without sector-level overwrite |
Hardening Checklist β Server Deployment
OS & Account Hardening
- Apply all OS patches before production deployment
- Disable or remove default/guest accounts
- Set password policy: minimum length 8β16, complexity enforced
- Remove all accounts not needed for the server's function
- Ensure no standard user account runs as local admin
- Restrict SSH/RDP access to management VLAN IP range only
Services & Software
- Inventory all open ports with Nmap before and after setup
- Disable all OS roles and features not required for this server's function
- Uninstall all unnecessary software (including OEM tools)
- Change all default credentials on management interfaces
- Enable MFA on all administrative access paths
- Restrict management interface access to management VLAN only
Encryption
- Enable FDE (BitLocker / LUKS) β required for any portable device
- Enable HTTPS (TLS 1.2+) for all management interfaces
- Disable plaintext protocols (Telnet, FTP, HTTP management) β use SSH, SFTP, HTTPS
- Enforce VPN or private network for server management traffic
Endpoint Protection
- Install and configure EDR agent (reporting to central console)
- Enable and configure host-based firewall (default-deny)
- Confirm HIPS functionality is active within EDR platform
- Enroll in SIEM log forwarding (authentication, system, application logs)
- Schedule recurring Nmap scans and alert on port profile changes