System Hardening Techniques (Part 3) (Domain 2)
In this episode, we’re wrapping up our three-part series on system hardening techniques by covering three often-overlooked but critical practices: disabling unnecessary ports and protocols, replacing default credentials, and removing unneeded software. These steps are simple, effective, and surprisingly powerful in preventing successful attacks. Together, they form a core part of what’s often called “security hygiene”—the baseline practices that every secure system should follow.
Let’s begin with disabling ports and protocols. Every open port on a system is a potential entry point. If a service is listening for traffic, and that service is not needed—or worse, is misconfigured or vulnerable—it becomes an easy target for attackers. The same goes for legacy or unnecessary network protocols. If they’re enabled but unused, they just expand the attack surface.
Minimizing unnecessary network exposure means reviewing which ports and services are enabled on each device and disabling the ones that serve no legitimate purpose. For example, if a workstation doesn’t need to share files, then file-sharing ports should be turned off. If a server doesn’t need to support Telnet, FTP, or older remote management tools, those services should be disabled or uninstalled.
To manage open ports and protocols effectively, administrators can use scanning tools like Nmap or built-in firewall utilities to audit what’s active. Then, they can adjust configuration settings to disable unnecessary services and restrict communication to only the ports that are needed. Regular reviews should be part of system deployment and change management, ensuring that new services don’t get added without proper approval and justification.
In a real-world example, a critical server was left with an unused remote access port open to the internet. Attackers found it using an automated scan, brute-forced their way in, and used the access to deploy ransomware. The breach could have been prevented with a simple firewall rule or by disabling the unused protocol.
Now let’s talk about default password changes. Many systems—especially routers, printers, IoT devices, and embedded software—ship with default usernames and passwords like “admin” and “password.” These credentials are publicly known and widely documented by attackers. Leaving default credentials in place is like locking your door and leaving the key hanging outside.
When systems are deployed, default credentials must be changed immediately. This applies to operating systems, network devices, cloud platforms, applications, and administrative interfaces. Every default account should be evaluated, and if it’s not needed, it should be disabled or removed entirely. If it must remain, the password should be unique, complex, and stored securely.
There are countless incidents where default credentials have led to major compromises. In one case, a botnet known as Mirai infected hundreds of thousands of IoT devices simply by scanning the internet for systems still using default logins. These infected devices were then used in a massive distributed denial-of-service attack that took down several major websites and services.
To prevent these risks, organizations should include password audits as part of every deployment and periodic review. Automated tools can scan for known default credentials across networks, and configuration management systems can flag any instances where default accounts have not been changed.
Finally, let’s look at the removal of unnecessary software. Every program installed on a system represents another potential attack vector. If that software is not needed for business or system functionality, it should be removed. Unused software may not be patched regularly, may contain vulnerabilities, or may introduce unexpected behavior that creates openings for attackers.
Reducing the attack surface through software minimization involves reviewing what is installed, identifying what is actually used, and removing anything that’s not required. This includes legacy programs, trial software, bundled applications, and tools installed for one-time tasks. Removing these programs not only makes systems more secure, it also improves performance and manageability.
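The two audits described above, open listeners versus an approved port list and installed packages versus an approved software baseline, can be scripted so they run at deployment and at every periodic review. The following POSIX shell script is an added example written for this page, not code from the episode or from any product it mentions. The ss and dpkg-query output it reads is constructed sample data, and the baseline formats (space-separated "proto:port" entries and package names) are assumptions of the example rather than any standard; on a live Linux host you would pipe in `ss -H -tlnp` and `dpkg-query -W -f='${Package}\n'` instead.

```shell
#!/bin/sh
# Added example (not from the episode): two baseline checks from a hardening review.
#  1. audit_listeners: which sockets are listening that are not on the approved list.
#  2. audit_packages:  which installed packages are not in the approved software baseline.
# Sample inputs below are constructed; baseline formats are this example's own assumption.

# Approved listeners as "proto:port" words (assumed format).
ALLOWED_LISTENERS="tcp:22 tcp:443"

# Approved software baseline as space-separated package names (assumed format).
APPROVED_PKGS="libc6 nginx openssh-server"

# Constructed "ss -H -tlnp" output: headerless, six whitespace-separated columns.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=900,fd=6))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=411,fd=5))
LISTEN 0 50 [::]:21 [::]:* users:(("vsftpd",pid=777,fd=4))'

# Constructed "dpkg-query -W -f=${Package}\n" output: one installed package per line.
SAMPLE_PKGS='openssh-server
nginx
telnetd
vsftpd
libc6'

# in_list ITEM "a b c": exit 0 if ITEM is one of the space-separated words in the list.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_listeners: read ss -H -tlnp lines on stdin; print "tcp:PORT PROCESS" for
# every listening socket that is not in ALLOWED_LISTENERS.
audit_listeners() {
    while read -r state recvq sendq local peer process; do
        [ -z "$local" ] && continue
        port="${local##*:}"            # handles 0.0.0.0:22 and [::]:22 alike
        key="tcp:$port"
        in_list "$key" "$ALLOWED_LISTENERS" || printf '%s %s\n' "$key" "${process:-unknown}"
    done
}

# audit_packages: read installed package names on stdin; print those that are not in
# APPROVED_PKGS, i.e. candidates for removal or for a documented exception.
audit_packages() {
    while read -r pkg; do
        [ -z "$pkg" ] && continue
        in_list "$pkg" "$APPROVED_PKGS" || printf '%s\n' "$pkg"
    done
}

# Run both audits over the constructed samples. Expected findings: tcp:23 (inetd) and
# tcp:21 (vsftpd) as unapproved listeners; telnetd and vsftpd as unapproved packages.
echo "== Listeners not in baseline =="
printf '%s\n' "$SAMPLE_SS" | audit_listeners
echo "== Packages not in baseline =="
printf '%s\n' "$SAMPLE_PKGS" | audit_packages
```

Each finding here is a decision point for the review, not an automatic removal: the service or package either gets disabled and uninstalled, or it is added to the baseline with a recorded justification through change management, which is exactly the approval step the episode calls for.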
In a real-world example, an employee installed a free PDF editor to help with a personal project. The software came bundled with adware, which later downloaded a more serious backdoor. The system became part of a botnet, and internal credentials were exfiltrated. If the organization had enforced strict application controls or removed unapproved software during routine checks, the incident would have been avoided.
Application allow lists, software restriction policies, and endpoint protection platforms can all help enforce minimal software installations. Combined with user training and regular audits, these tools help organizations maintain a clean and secure environment.
As you prepare for the Security Plus exam, remember that system hardening isn’t just about installing the latest tools—it’s about doing the basics well. Disabling unneeded ports and protocols, changing default credentials, and removing unnecessary software are low-cost, high-impact actions that stop many attacks before they begin. You may be asked to evaluate a system configuration, recognize common oversights, or recommend hardening steps based on a scenario. Always look for ways to reduce exposure, enforce policy, and eliminate unnecessary risk.
