Secure Configuration: Reducing Your Attack Surface
Secure configuration is about ensuring computers and network devices are set up to minimise vulnerabilities. Default settings are typically designed for ease of use during setup—not for security. Adjusting them can significantly reduce your risk.
Key Takeaways
| Point | Summary |
|---|---|
| Remove defaults | Change all default passwords; disable default and guest accounts |
| Minimal software | Only install software that's actually needed; remove unused applications |
| Disable unnecessary features | Turn off auto-run, unneeded services, and browser plugins |
| Password requirements | Minimum 8 characters (12 for admin accounts), or MFA with shorter passwords |
| Account lockout | Lock accounts after 10 failed login attempts |
Quick Answer: Secure configuration means changing all defaults—passwords, accounts, services. Only keep what's needed, disable auto-run, enforce strong passwords (8+ characters, 12+ for admin), and lock accounts after 10 failed login attempts.
Why secure configuration matters
Attackers look for easy entry points: default passwords, unnecessary services, and misconfigured systems. These are low-hanging fruit that can be exploited with minimal effort. Secure configuration closes these doors.
Before secure configuration:
- Default admin passwords in place
- Unnecessary software installed
- Unused services running
- Guest accounts enabled
- Auto-run enabled
- Many potential entry points
After secure configuration:
- Strong, unique passwords
- Only required software
- Only needed services running
- Unnecessary accounts removed
- Auto-run disabled
- Minimal attack surface
What Cyber Essentials requires
Core requirements
| Requirement | Details |
|---|---|
| Remove/disable unnecessary software | Only keep what you actually need |
| Remove/disable unnecessary accounts | Remove default and guest accounts |
| Change default passwords | Never use factory defaults |
| Disable auto-run | Prevent automatic execution from removable media |
| Configure screen lock | Auto-lock after inactivity |
Additional expectations
| Aspect | Requirement |
|---|---|
| User account authentication | Passwords or stronger methods required |
| Automatic screen lock | Within 15 minutes of inactivity |
| Software installation | Controlled by administrators |
| Admin account usage | Not used for day-to-day tasks |
Implementing secure configuration
Step 1: Software audit
Start by reviewing what software is installed and whether it's actually needed:
Inventory:
- List all installed applications
- Identify business justification for each
- Flag unused software
- Identify unsupported versions
Remove:
- Uninstall unused applications
- Remove trial software
- Delete unnecessary browser plugins
- Remove old versions after upgrades
Document:
- Create an approved software list
- Record business justification
- Note version requirements
- Set a review schedule
Step 2: Disable unnecessary services
Turn off services that aren't required for business operations:
| Operating System | Common Services to Review |
|---|---|
| Windows | Remote Desktop, IIS, Telnet, FTP |
| macOS | Remote Login, Screen Sharing, File Sharing |
| Linux | SSH (if not needed), FTP, Mail services |
| All | Bluetooth, Location Services |
Windows services commonly worth reviewing:
| Service | Consider Disabling If |
|---|---|
| Remote Desktop | Not using remote access |
| Remote Registry | Not needed for management |
| Telnet | Never needed (use SSH instead) |
| FTP | Use SFTP instead |
| IIS | Not hosting websites |
| Bluetooth | Not using Bluetooth devices |
Step 3: Account management
Configure user accounts securely:
Default accounts:
- Disable Guest account
- Rename Administrator account (optional but recommended)
- Change default passwords immediately
- Remove unused default accounts
User accounts:
- Unique account per user
- No shared accounts
- Standard user accounts for daily work
- Admin accounts for admin tasks only
Account features:
- Screen lock enabled
- Password required after sleep
- Account lockout after failed attempts
- Complex password required
Step 4: Password configuration
Set strong password policies:
| Setting | Cyber Essentials Minimum | Recommended |
|---|---|---|
| Minimum length | 8 characters | 12+ characters |
| Complexity | Mix of character types OR passphrase | Passphrase |
| Account lockout | Enable after failed attempts | 5-10 attempts |
| Default passwords | Must be changed | Immediately |
Password options:
Option 1: Complex password
- Minimum 8 characters
- Mix of uppercase, lowercase, numbers, special characters
- Example: Tr0ub4dor&3
Option 2: Passphrase (often easier)
- Three or more random words
- Easier to remember
- Harder to crack
- Example: correct-horse-battery-staple
Step 5: Auto-run and autoplay
Disable automatic execution of media:
| Setting | Platform | Action |
|---|---|---|
| AutoRun | Windows | Disable via Group Policy |
| AutoPlay | Windows | Disable or set to "Take no action" |
| AutoMount | macOS | Consider disabling |
| Automount | Linux | Configure to not auto-execute |
Why disable auto-run?
- USB devices can contain malware
- Auto-run executes code without user action
- It's a common vector for malware spread
- Simple to disable, significant risk reduction
Step 6: Screen lock configuration
Configure automatic screen locking:
| Platform | Path | Setting |
|---|---|---|
| Windows | Settings → Accounts → Sign-in options | Require sign-in after sleep |
| Windows | Screen saver settings | Enable with password on resume |
| macOS | System Preferences → Security & Privacy | Require password immediately |
| Linux | Varies by desktop environment | Configure screen saver with lock |
Cyber Essentials requirement: Screen must lock after no more than 15 minutes of inactivity.
Device-specific configuration
Windows devices
Accounts:
- Disable Guest account
- Create named admin accounts (not 'Administrator')
- Separate standard and admin accounts
- Configure account lockout
Features:
- Enable Windows Firewall (all profiles)
- Disable Remote Desktop if not needed
- Disable Bluetooth if not used
- Turn off location services if not needed
Settings:
- Enable automatic updates
- Configure screen lock timeout (≤15 min)
- Require password after sleep
- Disable AutoRun and AutoPlay
Software:
- Remove unused applications
- Disable unnecessary browser extensions
- Remove trial software
- Uninstall outdated software
macOS devices
Accounts:
- Disable Guest account
- Create standard and admin accounts
- Enable FileVault encryption
- Configure login window options
Features:
- Enable Firewall
- Disable Remote Login if not needed
- Disable Screen Sharing if not needed
- Turn off AirDrop or set to Contacts Only
Settings:
- Enable automatic updates
- Require password immediately after sleep
- Enable automatic screen lock
- Disable automatic login
Software:
- Remove unused applications
- Review Safari extensions
- Clear unused system extensions
- Use App Store for software (recommended)
Mobile devices
iOS:
- Enable passcode (6+ digits)
- Enable Face ID/Touch ID
- Disable Lock Screen notifications for sensitive apps
- Enable automatic updates
- Review app permissions
- Remove unused apps
Android:
- Enable screen lock (PIN/pattern/biometric)
- Enable encryption
- Disable unknown sources (or manage carefully)
- Enable automatic updates
- Review app permissions
- Remove unused apps
- Disable developer options
Common configuration issues
Frequently found problems
| Issue | Risk | Solution |
|---|---|---|
| Default passwords in use | Easy compromise | Change all defaults |
| Guest account enabled | Unauthorised access | Disable |
| No screen lock | Physical access risk | Enable with ≤15 min timeout |
| AutoRun enabled | Malware via USB | Disable |
| Unnecessary services | Increased attack surface | Disable unused services |
| Software bloat | More vulnerabilities | Remove unused software |
| Shared accounts | No accountability | Individual accounts |
| Admin for daily use | Elevated malware impact | Separate accounts |
Regular configuration audits
Consider reviewing configuration periodically:
| Check | Suggested Frequency |
|---|---|
| Password compliance | Quarterly |
| Installed software review | Quarterly |
| Service audit | Bi-annually |
| Account review | Quarterly |
| Screen lock verification | Monthly |
| Auto-run status | Quarterly |
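As an added example (not part of the original guide), a read-only PowerShell audit that checks a Windows device against the settings from Steps 2 to 6 above and can be rerun on the schedule in this table. It assumes an elevated prompt, English-language `net accounts` output, and the service names and registry values named in the comments; it reports findings and changes nothing.

```powershell
# Added example, not from the original guide: read-only audit of one Windows device
# against the checks above. Run from an elevated prompt; assumes English 'net accounts' output.
$script:findings = @()
function Add-Finding($check, $ok, $detail) {
    $script:findings += [pscustomobject]@{ Check = $check; Pass = [bool]$ok; Detail = $detail }
}

# Step 3: the built-in Guest account (RID 501, even if renamed) should be disabled.
$guest = Get-LocalUser | Where-Object { "$($_.SID)" -like 'S-1-5-21-*-501' }
Add-Finding 'Guest account disabled' (($null -eq $guest) -or (-not $guest.Enabled)) "Enabled=$($guest.Enabled)"

# Step 4: local password policy. The guide requires lockout after at most 10 failures
# and a minimum length of 8 (the 12-character admin rule is per account, not a policy value).
$netAccounts = net accounts
$threshold = ($netAccounts | Select-String 'Lockout threshold:\s+(\S+)').Matches[0].Groups[1].Value
Add-Finding 'Lockout after <= 10 attempts' (($threshold -match '^\d+$') -and ([int]$threshold -le 10)) "threshold=$threshold"
$minLen = [int](($netAccounts | Select-String 'Minimum password length:\s+(\d+)').Matches[0].Groups[1].Value)
Add-Finding 'Minimum password length >= 8' ($minLen -ge 8) "length=$minLen"

# Step 5: NoDriveTypeAutoRun = 255 (0xFF) disables AutoRun on every drive type.
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noAutoRun = (Get-ItemProperty $explorerPol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Finding 'AutoRun disabled on all drives' ($noAutoRun -eq 255) "NoDriveTypeAutoRun=$noAutoRun"

# Step 6: lock within 15 minutes (900 s) via either the machine inactivity limit policy
# or the current user's screen saver, and require a password on resume.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivity = (Get-ItemProperty $sysPol -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$desktop = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$ssTimeout = [int]$desktop.ScreenSaveTimeOut
$policyOk = ($inactivity -gt 0) -and ($inactivity -le 900)
$saverOk = ($desktop.ScreenSaveActive -eq '1') -and ($desktop.ScreenSaverIsSecure -eq '1') -and ($ssTimeout -gt 0) -and ($ssTimeout -le 900)
Add-Finding 'Screen lock <= 15 min with password' ($policyOk -or $saverOk) "policy=${inactivity}s saver=${ssTimeout}s secure=$($desktop.ScreenSaverIsSecure)"

# Step 2: services from the Windows table. A running service is flagged for review,
# not disabled here; confirm the business need before turning anything off.
$review = @{ TermService = 'Remote Desktop'; RemoteRegistry = 'Remote Registry'; W3SVC = 'IIS'; TlntSvr = 'Telnet'; bthserv = 'Bluetooth' }
foreach ($name in $review.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $detail = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not installed' }
    Add-Finding "Service review: $($review[$name])" (-not ($svc -and $svc.Status -eq 'Running')) $detail
}

$script:findings | Format-Table -AutoSize
```

Save the table output with each run so that a later run can be diffed against it, which is the simplest way to spot configuration drift between audits.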
How Bastion can help
Secure configuration across all devices takes attention to detail and consistency. It's not difficult, but it requires methodical execution.
| Challenge | How We Help |
|---|---|
| Configuration assessment | We review current device settings against requirements |
| Policy development | We create secure configuration standards for your environment |
| Implementation | We provide guidance on hardening devices correctly |
| Automation | We help with configuration management tools where appropriate |
| Ongoing monitoring | We can detect configuration drift over time |
Working with a managed service partner means your configuration is reviewed by experienced eyes. We've seen the common pitfalls and know how to avoid them, which translates into getting things right the first time rather than discovering issues during certification.
Need help securing your device configurations? Talk to our team
