A default OS installation is a compromise waiting to happen. Vendors optimize for compatibility, not security: unnecessary services are running, default accounts exist, and patches are months behind. The 2017 WannaCry outbreak exploited unpatched SMBv1 on freshly deployed Windows servers that hadn't been hardened. This lesson establishes the battle-tested process to convert a fresh install into a secure baseline in under an hour, then capture that baseline for future enforcement.
Before the first boot, verify the integrity of the installation media using published checksums and digital signatures. For Linux, validate the ISO with gpg and sha256sum. For Windows, ensure you're using official Microsoft media from the Volume Licensing Service Center, and enable Secure Boot in the UEFI before installation. A compromised ISO can embed a rootkit from the start.
The `OK` printed by `sha256sum -c` together with a valid gpg signature confirms the ISO hasn't been tampered with. Never skip this step in a production build pipeline.
Choose minimal OS installation options—Server Core on Windows, no GUI on Linux servers. Fewer components mean smaller attack surface. Partition with security in mind: separate /home, /var, /tmp on Linux, and use mount options like noexec,nosuid,nodev on writable partitions to prevent execution and device file abuse. For Windows, enable BitLocker during installation and use separate volumes for OS, data, and logs.
```
# Example /etc/fstab entries with hardening mount options
# <device>   <mount point>  <type>  <options>                     <dump> <pass>
tmpfs        /tmp           tmpfs   defaults,noexec,nosuid,nodev  0      0
/dev/sdb1    /var/log       ext4    defaults,noexec,nosuid        0      2
```

💡 The noexec flag on /tmp prevents attackers from executing downloaded scripts or binaries in a common staging area. Combine with nosuid and nodev for maximum protection.
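As an added check that is not part of the original lesson, the POSIX shell functions below audit an fstab file against the mount-option policy described above and report every writable mount point that is missing its own entry or lacks a required flag. The policy table (/tmp, /var/log and /home with their required options) is an assumption made for this example; adjust it to your own partition scheme.

```shell
#!/bin/sh
# Audit an fstab-style file against a hardening policy for writable mounts.
# Policy format (assumed for this example): "<mount point> <required options>".
AUDIT_POLICY='/tmp noexec,nosuid,nodev
/var/log noexec,nosuid
/home nosuid,nodev'

# has_opt OPTIONS NAME: succeed if NAME appears in the comma-separated OPTIONS.
# Commas on both sides stop "dev" from matching inside "nodev".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts FILE MOUNTPOINT: print the options field of the entry for
# MOUNTPOINT, skipping comments and blank lines; prints nothing if absent.
mount_opts() {
    awk -v mp="$2" '!/^[[:space:]]*#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# audit_fstab FILE: print one line per policy violation and return 1 if any
# mount point has no separate entry or lacks a required option.
audit_fstab() {
    file=$1
    missing=0
    while read -r mp required; do
        opts=$(mount_opts "$file" "$mp")
        if [ -z "$opts" ]; then
            echo "MISSING: $mp has no separate mount entry in $file"
            missing=$((missing + 1))
            continue
        fi
        old_ifs=$IFS
        IFS=,
        for opt in $required; do
            if ! has_opt "$opts" "$opt"; then
                echo "WEAK: $mp lacks $opt (has: $opts)"
                missing=$((missing + 1))
            fi
        done
        IFS=$old_ifs
    done <<EOF
$AUDIT_POLICY
EOF
    [ "$missing" -eq 0 ]
}
```

Source the file and run `audit_fstab /etc/fstab`; a non-zero exit status makes it usable as a gate in the image build pipeline.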
Immediately after first login, update all packages, change default passwords, disable root login over SSH, set a BIOS/UEFI admin password, and enable the host-based firewall with deny-all inbound policy. On Windows, run the Security Configuration Wizard (SCW) or apply the Microsoft Security Compliance Toolkit baseline. On Linux, set a root password and lock the account (usermod -L root) after creating a sudo user.
With root locked and SSH root login disabled, even if a password is guessed, root access is denied. Combined with key-only authentication, this drastically reduces brute-force risk.
| Platform | Immediate Action | Verification Command |
|---|---|---|
| Windows | Enable Windows Defender Firewall | `Get-NetFirewallProfile \| Select Name,Enabled` |
| Linux | Set iptables default DROP policy | `sudo iptables -L -n` |
| macOS | Enable FileVault encryption | `sudo fdesetup status` |
Once hardened, capture a snapshot or template (sysprep for Windows, packer/qcow2 for Linux) that becomes your organization's gold image. Document every setting, GPO, and service change. Use configuration management (Ansible, DSC) to codify the baseline so it can be reapplied and audited. This transforms hardening from a one-off chore into a repeatable engineering process.
⚠️ Never deploy a default-install OS directly into production, even temporarily. Attackers scan constantly and can compromise an unhardened box in minutes.