Understand secure baselines, host and mobile hardening, wireless protection, application security, sandboxing, and operational monitoring for Security+.
Hardening questions on Security+ are about secure defaults and consistency. The exam wants you to recognize that a strong environment is not secured by one heroic tool. It is secured by baseline configuration, controlled change, narrow exposure, secure application settings, and monitoring that shows when systems drift away from the approved state.
CompTIA is usually checking whether you can separate:
The strongest answer often sounds boring because it is disciplined: remove unnecessary surface, lock down defaults, and make the secure state repeatable.
CompTIA combines several operational layers here:
| Situation | Strongest first focus | Why |
|---|---|---|
| New workstation or server build | secure baseline plus least privilege | Secure defaults are easiest to enforce at the start |
| Mobile fleet with company data | MDM, encryption, screen lock, and remote wipe | Mobile loss and policy drift are major risks |
| Wireless environment with business access | WPA3 or enterprise auth plus rogue-device awareness | Weak wireless defaults create broad attack surface |
| Browser-facing app | secure headers, secret handling, and narrow service permissions | Hardening exists at the app layer too |
| Risky code or attachment execution | sandboxing or isolation | Reduces host impact if execution is malicious |
| Area | Strong first moves |
|---|---|
| Server or workstation | disable unused services, patch, least privilege, logging |
| Mobile device | screen lock, encryption, MDM, remote wipe, approved apps only |
| Wireless | WPA3 or enterprise auth, disable insecure defaults, detect rogue APs |
| Application platform | secure headers, input validation, secret management, least privilege |
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
```
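A practitioner would want to verify that headers like these are actually present and not quietly weakened later. The following check is an added example, not code from the study guide: it compares a response's headers against a small baseline built from the three headers above, treating the one-year `max-age` value shown there as the assumed minimum. Both sample responses are constructed for the illustration.

```python
"""Audit an HTTP response's security headers against a small baseline.

Added illustration, not from the study guide. The baseline values below are
assumptions that mirror the guide's three example headers.
"""
import re
from typing import Optional

# Assumed baseline: header -> substrings that must appear (case-insensitive).
HEADER_BASELINE = {
    "Strict-Transport-Security": ["max-age=", "includeSubDomains"],
    "Content-Security-Policy": ["default-src"],
    "X-Content-Type-Options": ["nosniff"],
}
# Assumed minimum HSTS lifetime, one year, matching the guide's example value.
MIN_HSTS_MAX_AGE = 31536000


def hsts_max_age(value: str) -> Optional[int]:
    """Extract the max-age directive from an HSTS header value, if present."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_headers(headers: dict) -> dict:
    """Compare response headers to the baseline.

    Returns {'missing': [names], 'weak': {name: [reasons]}, 'ok': [names]}.
    Header names are matched case-insensitively, as HTTP requires.
    """
    present = {name.lower(): value for name, value in headers.items()}
    report = {"missing": [], "weak": {}, "ok": []}
    for name, required in HEADER_BASELINE.items():
        value = present.get(name.lower())
        if value is None:
            report["missing"].append(name)
            continue
        reasons = [f"lacks {token}" for token in required
                   if token.lower() not in value.lower()]
        if name == "Strict-Transport-Security":
            age = hsts_max_age(value)
            if age is not None and age < MIN_HSTS_MAX_AGE:
                reasons.append(f"max-age {age} below {MIN_HSTS_MAX_AGE}")
        if reasons:
            report["weak"][name] = reasons
        else:
            report["ok"].append(name)
    return report


def is_compliant(headers: dict) -> bool:
    """True only when every baseline header is present and meets its rules."""
    report = check_headers(headers)
    return not report["missing"] and not report["weak"]


# Constructed sample responses (not captured from any real site).
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}
DRIFTED_RESPONSE = {
    "strict-transport-security": "max-age=300",  # short lifetime, no subdomains
    "X-Content-Type-Options": "nosniff",
    # Content-Security-Policy is absent
}

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("drifted", DRIFTED_RESPONSE)):
        status = "compliant" if is_compliant(resp) else "non-compliant"
        print(label, status, check_headers(resp))
```

Running a check like this against each deployment, rather than once at launch, is what turns a header baseline into something that can be enforced.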
What to notice:
A baseline only helps if the organization can tell when systems move away from it. That is why Security+ keeps pairing hardening with monitoring. If a team builds a strong image once and never checks whether services, ports, or local privileges changed later, the hardening program is incomplete.
```bash
# Keep the legacy telnet listener from starting at boot
systemctl disable telnet.socket
# Default-deny inbound, then open only the service the business needs
ufw default deny incoming
ufw allow 443/tcp
```
What to notice:
Security+ does not require exact command memorization here. It does expect you to recognize the pattern: remove what is not needed, then expose only what the business actually needs.
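The pairing of hardening with monitoring described above can be made concrete. The following drift check is an added example, not code from the study guide: it compares an observed host snapshot (enabled services, listening ports parsed from constructed `ss`-style output, local admins) against an assumed approved baseline and reports anything unexpected or missing. All baseline and snapshot values are constructed for the illustration.

```python
"""Detect configuration drift between a host snapshot and its approved baseline.

Added illustration, not from the study guide. The baseline, the snapshot and the
ss-style output below are all constructed for the example.
"""
from typing import Dict, Set

# Assumed approved baseline for a hardened web server: ssh for admin, https for service.
BASELINE: Dict[str, Set] = {
    "enabled_services": {"sshd", "nginx"},
    "listening_ports": {22, 443},
    "local_admins": {"root"},
}

# Constructed `ss -ltn`-style output: State Recv-Q Send-Q Local:Port Peer:Port.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     *:443               *:*
LISTEN  0       128     [::]:23             [::]:*
"""


def parse_ss_listening(text: str) -> Set[int]:
    """Return the set of local ports in LISTEN state from ss-style output."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header row and anything not listening
        # Local address is field 3; the port follows the last colon
        # (handles 0.0.0.0:22, *:443 and [::]:23 alike).
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def detect_drift(baseline: Dict[str, Set], observed: Dict[str, Set]) -> Dict[str, Dict[str, Set]]:
    """For each category, report items present but not approved ('unexpected')
    and approved items that have disappeared ('missing')."""
    report = {}
    for category, approved in baseline.items():
        current = observed.get(category, set())
        report[category] = {
            "unexpected": current - approved,
            "missing": approved - current,
        }
    return report


def has_drift(report: Dict[str, Dict[str, Set]]) -> bool:
    """True if any category shows an unexpected or missing item."""
    return any(diff["unexpected"] or diff["missing"] for diff in report.values())


# Constructed snapshot of a host that has drifted from the baseline.
OBSERVED: Dict[str, Set] = {
    "enabled_services": {"sshd", "nginx", "telnet.socket"},
    "listening_ports": parse_ss_listening(SS_OUTPUT),
    "local_admins": {"root", "jdoe"},
}

if __name__ == "__main__":
    report = detect_drift(BASELINE, OBSERVED)
    print("drift detected" if has_drift(report) else "matches baseline")
    for category, diff in report.items():
        if diff["unexpected"] or diff["missing"]:
            print(f"  {category}: unexpected={sorted(diff['unexpected'])} "
                  f"missing={sorted(diff['missing'])}")
```

In this constructed snapshot the check flags the telnet service and its port 23 listener, plus an extra local administrator, which is exactly the kind of drift the hardening steps above were meant to prevent.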
A company rolls out a new internal application to employee laptops. The security team learns that the laptops still have unnecessary remote-management services enabled, local admin is common, and browser protections are inconsistent. Which answer is strongest first?
A. Add a login banner and leave the technical state unchanged
B. Define and enforce a secure baseline that removes unnecessary services, narrows privilege, standardizes security settings, and monitors for drift
C. Disable all logging to reduce performance impact
D. Move the app to a cold site
Best answer: B. The scenario is about secure defaults and operational consistency across endpoints, not a single isolated configuration tweak.
Continue with 4.2 Asset Management to connect hardened systems to inventory, ownership, and lifecycle control.