PM & AI Chronicles

From Product Thinking to Prompt Engineering – One Tool at a Time

Device Hardening 🔧: Locking Down Access, Systems & Networks 🚪🔐🌐

This article is part of the Security Best Practices series, which focuses on practical steps you can take to protect devices, data, and users. 👉 Security Best Practices

The term device hardening has to be one of the best terms in all of computing. It sounds strong and powerful, almost as if it can make your computer or device invincible. While the idea of complete invincibility is a bit of a stretch, device hardening does help protect your computer by reducing its vulnerabilities.

The very act of networking computers is what makes them vulnerable to attacks. Once devices are connected, they become potential targets. Device hardening is a proactive step that you can take on the local machine to reduce the likelihood of a successful attack.

The concepts behind device hardening are not limited to just one type of system. They can be applied to desktops, laptops, and mobile devices, making device hardening a practical and important part of everyday security.

The first step to ensuring a device is as secure as possible is to keep its software up to date. Software applications—especially operating systems—are incredibly complex. Even with skilled programmers and strong security mechanisms in place, operating systems still have vulnerabilities.

The real questions are: How serious are these weaknesses? And have attackers discovered them yet? Some vulnerabilities may not be critical. For example, if a hacker finds an exploit that causes your computer to reboot, it may be annoying but not nearly as serious as data theft. Even so, any vulnerability should be fixed as soon as possible.

Whenever an operating system update or security patch is released, it should be installed promptly. The same advice applies to major software applications. There is no reason to leave unnecessary doors open for a potential attacker.

Most operating systems include built-in update mechanisms:

  • Windows uses Windows Update (accessible through system settings)
  • Mobile operating systems also require regular updates
    • Apple iOS notifies users when an update is available → Settings → General → Software Update
    • Android OS updates can be found under → Settings → Software Update

As a general rule, enabling automatic updates and installing patches as soon as they are available is a good security practice.

The second immediate step to securing a device is to use system passwords and change any default passwords. This is especially important for smaller, mobile devices, which are easier to lose or steal.

Mobile devices allow you to set a lock screen passcode, which is required to access the device:

  • On Android, this is configured under → Settings → Security
  • On iOS, the lock screen passcode is set under → Settings → Face ID & Passcode (or Touch ID & Passcode)

Note: Mobile devices can also be configured to automatically erase all data—called a device wipe—after 10 failed passcode attempts. This provides an extra layer of security but can also be risky if the user forgets the passcode or if small children attempt to unlock the device.

For desktop and laptop computers, an additional security measure is to enable a system password in the BIOS. This requires the user to enter a password before the system can boot. The BIOS itself can also be password-protected to prevent unauthorized changes.

Finally, when using a desktop or laptop in an open environment, a simple but effective security practice is to enable a screen saver password and activate it whenever you leave your desk. This helps prevent others from accessing your computer while you are away.

Another quick way to secure a Windows computer is to use the lock feature:

  • Press Ctrl + Alt + Delete
  • Click Lock

This immediately locks the system until the correct password is entered.

Physical security is another essential part of device hardening. This topic has already been covered in two earlier articles in this series, which focus on protecting devices from physical access and theft.

We’ll briefly reinforce those ideas here and provide references to those articles later.

The first rule of physical security is to place essential devices in secure or locked locations. Companies lock down server rooms for a reason. If someone can physically access and damage a machine, it doesn’t matter how strong your software security is—physical access can defeat everything.

Of course, laptops and mobile devices are designed to be portable, so locking them away isn’t always possible. For laptops, a simple and effective solution is to use a cable lock whenever possible.

A typical example is the Kensington lock (K-lock), which attaches to a laptop’s security slot and secures it to a desk or fixed object. Some versions use a key, while others use a combination lock.

Another potential trouble spot for laptops is the USB port. An attacker could insert a flash drive loaded with malware, activate it, and cause serious problems. USB ports can also be misused to copy sensitive data from a laptop or from a network the computer is connected to.

Note: A physical attack that has become increasingly popular is the USB drop attack. In this attack, a malicious USB flash drive is intentionally dropped in a public place. The attacker hopes that a curious, unsuspecting person will plug it into their computer to see what’s on it. When the USB drive is inserted, AutoPlay may automatically launch executable files, which can infect the device with malware.

One way to physically protect USB ports is by using a USB lock. A USB lock is a small device that plugs into the USB port and blocks access to it, preventing anything else from being inserted. USB ports can also be disabled through software-based controls, such as:

  • Disabling ports in the BIOS
  • Disabling ports using Windows Device Manager

Combining physical controls with software controls provides stronger protection against unauthorized access and accidental infections.

Authentication is explained in detail in an earlier article in this series. 👉 Authentication

Here, we’ll briefly revisit the key ideas and explain how authentication supports device hardening.

Authentication helps keep computers and resources safe by requiring users to prove their identity before they are granted access. Without authentication, anyone could use a system or access sensitive information.

There are three main types of authentication to remember:

Single-factor authentication requires a username and one factor of verification, most commonly a password. Examples of authentication factors include:

  • Something you know (password, PIN)
  • Something you are (fingerprint, face scan)
  • Something you have (security token, smart card)
  • Somewhere you are (location-based access)

Multifactor authentication requires two or more factors to validate a user, for example a password combined with a biometric scan, or a password plus a one-time code. A typical real-world example is using an ATM, which requires:

  • A bank card (something you have)
  • A PIN (something you know)

Single sign-on allows users to access multiple systems or applications with a single login, instead of signing in to each resource separately. This improves usability while still maintaining security.

For any computer or network that contains sensitive data, users should always be required to authenticate before access is granted. This is a basic but essential security practice.

In cases such as public kiosks, authentication may not be as critical. However, these systems should still have minimal access, such as:

  • Internet access only
  • Internet access with printing capability

Restricting access helps reduce risk, even when authentication is not used.

Today, it is rare to see someone using a computer that is not connected to a network. Access to network resources and the internet is extremely useful, but it also opens the computer to security risks.

One of the most common security problems you will encounter is malware infection. Malware can enter a system through the internet, email, downloads, or infected devices. To help protect systems from malware and hackers, there are four main classes of security applications:

  • Antivirus software: Protects against viruses, worms, and Trojan horses
  • Anti-spyware software: Defends against spyware and adware that track user activity or display unwanted ads
  • Anti-spam software: Reduces the amount of unwanted or junk email received
  • Software firewalls: Block potentially dangerous network traffic from entering or leaving the system

There are also security suites available that combine multiple protection features into a single package. For example, some suites include antivirus, anti-malware, and anti-spam tools, along with identity protection, a software firewall, backup tools, and system tune-up utilities.

It is also important to note that there is some overlap between the types of threats each application protects against. For instance, an antivirus program may also detect and remove certain types of non-virus malware. Using a combination of these tools helps reduce the risk of network-based attacks and strengthens overall device security.

Antivirus software attempts to identify virus infections by scanning files on your hard disk. This scan may include all files or only the subset most likely to contain viruses. Popular antivirus programs include Norton 360 and McAfee Total Protection.

Viruses are often hidden using simple deception techniques. A file-infecting virus embeds itself inside a legitimate application and alters the program’s flow so that execution detours through the virus code before continuing with the application, while the virus itself runs as a separate task. One way antivirus programs detect such a virus is by opening files and scanning the code, looking for this type of redirection.

Another common detection method is scanning executable files for virus signatures. A virus signature—sometimes called a virus definition—is a unique snippet of code that identifies a specific virus. Antivirus programs maintain a database of known virus definitions. When the software finds a match between a scanned file and a signature in its database, it displays a warning that an infection may be present.

As new viruses and threats are discovered, antivirus vendors regularly update their virus definition files and distribute them to users. Having the most up-to-date definitions is critical for effective protection, which is why antivirus software must be updated frequently.

Some programming languages, such as C++ and Java, generate code that antivirus programs can occasionally mistakenly flag as malicious. These are known as false positives.

A zero-day attack occurs when an attacker exploits an unknown software or firmware vulnerability—meaning the attack happens before developers or security vendors are aware of the weakness. Once the attack is discovered, it becomes a known vulnerability, and software developers and antivirus companies begin working on fixes and detection methods.

In addition, many antivirus programs calculate an MD5 hash for applications. MD5 (Message Digest Version 5) is a hash function: a mathematical calculation that produces a short, fixed-length value that acts as a fingerprint of a file’s contents. If the hash value of a file changes unexpectedly, it may indicate tampering or a virus infection. MD5 is no longer collision-resistant, so current tools generally use SHA-256 for the same purpose, but the principle is identical.
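
The two detection methods above (signature matching and hash-based integrity checking) in a small working form. This is an added example, not code from the article or from any antivirus product; the signature patterns, file names and file contents are constructed for the demonstration and are not real malware definitions.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed toy definitions (name -> byte pattern). Illustrative only, not real signatures.
SIGNATURES = {
    "Demo.Pattern.A": b"DEMO-SIGNATURE-ALPHA-0001",
    "Demo.Pattern.B": b"DEMO-SIGNATURE-BRAVO-0002",
}


def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large files fit in memory.

    The article describes MD5 ("md5" works here too), but MD5 is no longer
    collision-resistant, so SHA-256 is the default for an integrity baseline.
    """
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every regular file under root (relative path) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root, baseline, algorithm="sha256"):
    """Files whose digest changed, that appeared, or that vanished since the baseline."""
    current = build_baseline(root, algorithm)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def scan_for_signatures(path, signatures=SIGNATURES):
    """Names of every definition whose byte pattern occurs anywhere in the file."""
    data = Path(path).read_bytes()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def demo():
    """Constructed scenario: baseline two files, infect one, drop a new one, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"legitimate program bytes")
        (root / "readme.txt").write_bytes(b"just a text file")
        baseline = build_baseline(root)
        # Simulate a file infector appending code that carries a known pattern.
        with open(root / "app.exe", "ab") as fh:
            fh.write(b"\x90\x90" + SIGNATURES["Demo.Pattern.A"])
        (root / "dropped.bin").write_bytes(b"file that was not in the baseline")
        report = compare_baseline(root, baseline)
        # Only files flagged by the integrity check get the (slower) signature scan.
        report["matches"] = {n: scan_for_signatures(root / n)
                             for n in report["changed"] + report["added"]}
        return report
```

Running `demo()` reports `app.exe` as changed (and matching Demo.Pattern.A) and `dropped.bin` as new but clean; a real baseline would be stored somewhere the malware cannot rewrite it.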

Antivirus software is typically resident, meaning it runs continuously in the background. It monitors the system and scans programs and files as they are opened or closed. Many antivirus programs also scan incoming and outgoing email, as well as web pages you visit.

You can also manually instruct your antivirus software to perform a full system scan at any time. When suspicious activity is detected, the antivirus program usually presents options such as:

  • Delete – obliterates the file from the system
  • Quarantine – isolates the file so it cannot run, while keeping it stored safely

Quarantining a file can be helpful if you want to share it with an IT professional who is investigating virus infections on the network.

Anti-spyware software looks for known spyware and adware programs and offers to disable or remove them from your system. Similar to antivirus applications, anti-spyware programs scan files and code for definitions, which are small snippets of code that identify spyware or adware components.

Many anti-spyware tools can also remove lesser security and privacy threats, such as tracking cookies. These cookies are often used to monitor browsing activity and display targeted ads.

In many cases, you may not need a separate anti-spyware application. Most modern antivirus programs include anti-spyware protection as part of their security features.

Some anti-spyware applications run continuously in the background, just like antivirus software, monitoring the system in real time. Others run only when you open the program and manually start a scan.

Microsoft Defender is a free anti-spyware tool that comes built into Windows. There are also other free and commercial anti-spyware programs available, such as Spybot.

As with antivirus software, anti-spyware applications are most effective when their definitions are kept up to date. Regular updates ensure the software can detect newly discovered threats and protect your system effectively.

Spam refers to unwanted or junk email. People send spam primarily to sell products because it is very economical. Sending millions of emails costs almost nothing, and even if only a small percentage of recipients respond, it can still generate profit.

Spam is also commonly used to commit fraud. Some messages attempt to sell useless or non-existent products, while others try to trick users into visiting phishing websites or malicious sites that download viruses or other malware.

Many email applications include built-in spam filters and tools to manage junk email. For example, Microsoft Outlook includes its own junk email filter. However, these built-in filters often fail to catch all spam because the algorithms used to distinguish spam from legitimate email are not always sophisticated enough.

Some antivirus programs include an anti-spam component as part of their security suite. In addition, standalone anti-spam programs are available, both as paid add-ons and as free tools, to help further reduce unwanted email.

Using anti-spam software helps protect users from scams, phishing attempts, and malware delivered through email.

Even if you have an anti-malware application installed, it is not perfect. Occasionally, a virus or other malware can bypass protection—especially if it is a new threat or your malware definitions have not been updated recently. When a system becomes infected with a virus, worm, Trojan horse, or other malicious software, it is important to remove it immediately.

This topic has been covered in more detail in an earlier article in this series. 👉 Utility Software

The general steps for handling a malware infection are:

  • Identify malware symptoms
  • Quarantine the infected system
  • Remediate (clean) the infected system
  • Schedule scans and updates
  • Educate the end user to prevent a repeat occurrence

Below are some common symptoms that may appear immediately or at a specific time or day when the malware activates:

  • Your antivirus software may be disabled, and you may be unable to re-enable it. If you are trying to install antivirus software, it may fail. This is a common tactic used by malware to make removal more difficult.
  • The system may run very slowly, taking much longer than usual to start Windows or open applications. Many malware infections heavily slow down or cripple a system.
  • CPU and memory usage may be unusually high, even when you are not running demanding applications. This can occur if malware is hijacking your system for its own computing tasks.
  • A warning message or pop-up may appear on the screen and refuse to go away. For example, it may claim your system is infected and demand that you enter a credit card number to purchase fake “fix” software.
  • Your friends or contacts may report receiving strange emails from you that you did not send.
  • While browsing the web, you may be bombarded with pop-up advertisements.

If you start experiencing these symptoms, your local antivirus software may not be much help if the malware has already disabled it. If the antivirus program is still running, perform a full system scan immediately.

If you cannot use your local antivirus software, your best option is to use an online virus scanner or checklist. Some security vendors provide free online tools that scan your system and recommend the next steps. Follow the scanner’s guidance carefully.

If the system is infected to the point where it cannot even open a web browser, try booting into Safe Mode with Networking. This may temporarily disable some malware components, allowing cleanup tools to run.

If you are still unable to remove the infection, you may need to consult an IT professional, such as a technician at a local computer repair shop.

After the infection has been removed, you may need to repair or reinstall your antivirus software and download the latest updates to ensure your system is protected going forward.

Software firewalls were discussed earlier in this series. 👉 Firewall

Here, we’ll briefly review how they help protect devices and networks.

Firewalls protect you in two important ways. First, they help protect your network resources from harmful traffic generated by hackers. Second, they can prevent computers on your network from accessing undesirable or unsafe content on the internet.

Firewalls perform these tasks by monitoring and filtering network traffic. They examine incoming and outgoing data and allow or block it based on predefined security rules.

There are two main types of firewalls:

  • Network-based firewalls: These protect an entire network and are usually placed between the network and the Internet.
  • Host-based firewalls: These run directly on individual computers. Windows includes its own host-based firewall called Windows Defender Firewall.
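
How a host-based firewall applies "predefined security rules" to incoming and outgoing traffic, as an added example (not the article's code and not how Windows Defender Firewall is implemented). The policy, rule names and addresses are constructed; the rules are evaluated in order, first match wins, and anything unmatched falls back to a default of block.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule. port is the local port for inbound, remote port for outbound."""
    name: str
    action: str                 # "allow" or "block"
    direction: str              # "in" or "out"
    protocol: str               # "tcp", "udp" or "any"
    remote: str                 # CIDR the remote address must belong to
    port: Optional[int] = None  # None means any port


@dataclass(frozen=True)
class Connection:
    direction: str
    protocol: str
    remote_ip: str
    port: int


def matches(rule, conn):
    """True when every field of the rule covers the connection."""
    return (rule.direction == conn.direction
            and rule.protocol in ("any", conn.protocol)
            and rule.port in (None, conn.port)
            and ip_address(conn.remote_ip) in ip_network(rule.remote))


def evaluate(rules, conn, default="block"):
    """First matching rule wins; with no match the default (deny) applies."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.name
    return default, "default-" + default


# Constructed policy for a workstation on the 10.0.0.0/8 network: admin SSH from
# the LAN only, nothing else inbound, and only web and DNS allowed outbound.
POLICY = [
    Rule("ssh-from-lan", "allow", "in", "tcp", "10.0.0.0/8", 22),
    Rule("block-all-inbound", "block", "in", "any", "0.0.0.0/0"),
    Rule("no-telnet-out", "block", "out", "tcp", "0.0.0.0/0", 23),
    Rule("web-out", "allow", "out", "tcp", "0.0.0.0/0", 443),
    Rule("dns-out", "allow", "out", "udp", "0.0.0.0/0", 53),
]


def decide(direction, protocol, remote_ip, port, rules=POLICY):
    """Return (action, rule name) for one connection attempt."""
    return evaluate(rules, Connection(direction, protocol, remote_ip, port))


if __name__ == "__main__":
    for sample in [("in", "tcp", "10.1.2.3", 22), ("in", "tcp", "203.0.113.9", 22),
                   ("out", "tcp", "198.51.100.7", 23), ("out", "tcp", "198.51.100.7", 8080)]:
        print(sample, "->", decide(*sample))
```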

If you prefer a different firewall, you can obtain one as a standalone product or as part of a security suite that includes antivirus, anti-malware, and firewall features. If you are unsure what security protections are currently enabled on your Windows system, you can:

  • Type Security and Maintenance into the Windows search box
  • Press Enter to view your system’s security status

Using a properly configured firewall is essential for protecting devices against network-based threats.

Device hardening is not about making systems impossible to break into—it’s about reducing risk and closing unnecessary doors that attackers often exploit. By keeping devices updated, using strong passwords, applying proper authentication, implementing physical security, and protecting against network threats, you significantly improve your overall security posture.

Each of these steps may seem small on its own, but together they form multiple layers of defense. This layered approach makes it much harder for malware, hackers, or unauthorized users to gain access to your systems.

Most importantly, device hardening is a proactive practice. Taking these steps before a problem occurs is far easier and far less costly than trying to recover from a security incident after the fact. Whether you are securing a desktop, laptop, or mobile device, consistent device hardening is critical to keeping your data—and your systems—safe.

In the next article, we’ll explore improving software security and the steps you can take to reduce risks within applications and operating systems. 👉 Strengthening Software Security