ds-2 | High priority | Device Security

Devices are configured securely with hardened baselines

Default device configurations are designed for ease of setup, not security. Default credentials, unnecessary services, open ports, and permissive settings create attack surface that is trivially exploitable. Hardening devices to a defined security baseline removes this unnecessary exposure. The goal is not perfection but removing the low-hanging fruit that attackers rely on.

Complete first: ds-1

Implementation steps

  1. Define security baselines for endpoint devices

     Document a security baseline for company laptops and workstations: disk encryption required, screensaver lock enabled (5 minutes or less), firewall enabled, automatic updates enabled, no local admin for standard users, SSH disabled unless required. Enforce baseline compliance through your MDM solution.

     Tools: jamf, microsoft-intune, kandji

  2. Define and enforce server and cloud resource baselines

     For servers and cloud resources: disable root SSH login, require key-based authentication, remove unused services and packages, enable host-based firewall, enforce IMDSv2 on EC2, block public S3 buckets by default. Enforce these via infrastructure-as-code and detect drift using cloud configuration tools.

     Tools: aws-config, terraform, checkov, tfsec, wiz

  3. Audit devices for baseline compliance regularly

     Run compliance checks against your defined baselines at least monthly. Review which devices are out of compliance and remediate. MDM tools report compliance status per device. For cloud infrastructure, use AWS Config rules or equivalent to detect and alert on configuration drift.

     Tools: jamf, microsoft-intune, aws-config, drata
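The cloud portion of steps 2 and 3 as one Terraform configuration (an added example, not code from this control page): IMDSv2 enforced on an EC2 instance, public access blocked on an S3 bucket, and two AWS managed Config rules that flag drift away from those settings. The resource names, the bucket name and the `ami_id` variable are placeholders, and it assumes an AWS Config recorder named `aws_config_configuration_recorder.main` is already declared elsewhere.

```hcl
# Added example, not the page's own code. Assumes the AWS provider is
# configured and a Config recorder aws_config_configuration_recorder.main exists.
variable "ami_id" { type = string }

resource "aws_instance" "app" {
  ami           = var.ami_id
  instance_type = "t3.micro"
  # Step 2: enforce IMDSv2 (session token required; IMDSv1 requests are refused).
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
}

resource "aws_s3_bucket" "data" {
  bucket = "example-hardened-data-bucket" # placeholder name
}

# Step 2: block public access on the bucket by default.
resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Step 3: AWS managed Config rules flag drift, i.e. instances that still
# accept IMDSv1 and buckets that permit public reads.
resource "aws_config_config_rule" "imdsv2" {
  name = "ec2-imdsv2-check"
  source {
    owner             = "AWS"
    source_identifier = "EC2_IMDSV2_CHECK"
  }
  depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_config_rule" "s3_public_read" {
  name = "s3-bucket-public-read-prohibited"
  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
  depends_on = [aws_config_configuration_recorder.main]
}
```

Running checkov or tfsec against this file before apply catches the weak form (for example `http_tokens = "optional"` or a missing public access block) in CI, while the Config rules catch the same settings being changed by hand after deployment.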

Evidence required

Security baseline documentation

Documented security baselines for endpoints and servers.

  - MDM configuration profile showing security settings enforced
  - Terraform IaC enforcing server hardening
  - CIS Benchmark scan results showing baseline compliance

Related controls