In 2023, a major healthcare provider was breached through a server running a default SNMP community string of "public." The vulnerability wasn't sophisticated. It wasn't novel. It was simply a default that no one changed. If your infrastructure relies on hope that someone remembered to harden each system, you've already lost. Let's fix that.
The Problem With Defaults
Operating systems, network appliances, and applications ship with configurations optimized for compatibility, not security. Default credentials, open ports, enabled debug services, and permissive access controls create an enormous attack surface before a single user ever logs in.
The CIS Benchmarks catalog hundreds of these insecure defaults across platforms. The reality is stark: a freshly installed system is almost never production-ready from a security perspective.
Start With a Hardened Baseline
Every system deployed in your environment should begin from a secure, organization-approved image or configuration template. This eliminates configuration drift before it starts.
For Linux systems, start by disabling unnecessary services immediately after installation:
# List all enabled services
systemctl list-unit-files --state=enabled
# Disable services you don't need
systemctl disable --now cups.service
systemctl disable --now avahi-daemon.service
systemctl disable --now rpcbind.service
systemctl disable --now bluetooth.service

For Windows Server, remove unnecessary features and enforce security baselines using Group Policy or DSC:
# Remove unnecessary Windows features
Remove-WindowsFeature -Name Telnet-Client
Remove-WindowsFeature -Name TFTP-Client
# Apply Microsoft Security Baseline via LGPO
.\LGPO.exe /g ..\SecurityBaseline\GPOs

These aren't theoretical exercises. Every listening service is an attack surface. Every unnecessary feature is code that can contain vulnerabilities.
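Listing enabled units tells you what is running; it does not tell you what is supposed to be running. The script below is an added example (not from the original post) that compares the output of systemctl list-unit-files --state=enabled against an allowlist taken from your approved baseline image and reports anything extra. The allowlist and the sample systemctl output are constructed assumptions; set RUN_LIVE=1 to run it against the real host.

```shell
#!/bin/sh
# Allowlist audit for enabled systemd units (added example, not from the post).
# ALLOWED_UNITS is an assumed baseline; replace it with the unit list from
# your organisation's hardened image.
ALLOWED_UNITS="sshd.service chronyd.service rsyslog.service auditd.service"

# list_enabled_units: print enabled unit names, one per line.
# $1 is the text of `systemctl list-unit-files --state=enabled`, passed in so the
# function can be exercised against captured output as well as a live host.
list_enabled_units() {
    printf '%s\n' "$1" | awk '$2 == "enabled" { print $1 }'
}

# audit_units: print each enabled unit that is not on the allowlist.
# $1 = systemctl output text, $2 = space-separated allowlist.
# Returns 1 if any unexpected unit is enabled, 0 if the host matches the baseline.
audit_units() {
    _found=0
    for unit in $(list_enabled_units "$1"); do
        case " $2 " in
            *" $unit "*) ;;
            *) printf 'UNEXPECTED: %s\n' "$unit"; _found=1 ;;
        esac
    done
    return $_found
}

# Constructed sample in the format systemctl prints (not captured from a real host).
SAMPLE_OUTPUT='UNIT FILE                     STATE           PRESET
auditd.service                enabled         enabled
avahi-daemon.service          enabled         disabled
cups.service                  enabled         disabled
sshd.service                  enabled         enabled
rpcbind.socket                enabled         disabled

5 unit files listed.'

if [ "${RUN_LIVE:-0}" = "1" ]; then
    audit_units "$(systemctl list-unit-files --state=enabled)" "$ALLOWED_UNITS" \
        || echo "audit: units outside the baseline are enabled (see above)"
else
    audit_units "$SAMPLE_OUTPUT" "$ALLOWED_UNITS" \
        || echo "audit: units outside the baseline are enabled (see above)"
fi
```

Run it from cron or your configuration-management agent and alert on a non-zero return code; the point is that the allowlist, not memory, defines what "necessary" means.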
Enforce Least Privilege at the OS Level
Secure defaults extend beyond services. File permissions, kernel parameters, and authentication policies all need attention.
Harden the Linux kernel at runtime:
# /etc/sysctl.d/99-security.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
# kernel.exec-shield = 1   (Red Hat-specific patch, not a mainline kernel sysctl; sysctl --system rejects it as an unknown key)

Apply with sysctl --system. These settings stop the host from sending ICMP redirects, drop source-routed packets, log martian packets (impossible source addresses), enable full ASLR, and prevent SUID binaries from writing core dumps. All of these should be defaults but aren't.
Lock down SSH properly:
# /etc/ssh/sshd_config hardening
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2

Automate Compliance, Don't Audit It Manually
Hardening one server is straightforward. Maintaining secure defaults across hundreds or thousands of systems requires automation.
Use tools like Ansible, Chef, or Puppet to enforce configuration state continuously. Here's a simplified Ansible task:
- name: Ensure unnecessary services are disabled
  ansible.builtin.systemd:
    name: '{{ item }}'
    enabled: false
    state: stopped
  loop:
    - cups
    - avahi-daemon
    - rpcbind
    - telnet.socket

Pair this with OpenSCAP or CIS-CAT for continuous compliance scanning. The combination of enforcement and validation creates a closed loop that catches drift before attackers do.
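The validation half of that loop is easy to write yourself for the sysctl and SSH settings above. The script below is an added example (not from the original post): it reads a desired-state file, compares each key with the running kernel value under /proc/sys, and compares each sshd directive with the effective configuration that sshd -T prints. Paths are parameters, so the same functions run against constructed fixtures (as at the bottom) or, with RUN_LIVE=1, against the live host; the fixture contents and the /etc/ssh/sshd_config.d/99-hardening.conf path are assumptions.

```shell
#!/bin/sh
# Drift check for the sysctl and sshd hardening above (added example, not from the post).
# Assumes POSIX sh with awk, sed and tr. Paths and the effective sshd config are
# parameters so the functions run against fixtures or a live host.

# desired_settings: print "key value" pairs from a sysctl.d- or sshd_config-style
# file, dropping comments and blank lines and accepting "key = value" or "key value".
desired_settings() {
    sed -e 's/#.*//' -e 's/=/ /' "$1" | awk 'NF >= 2 { print $1, $2 }'
}

# check_sysctl: compare each desired key with the running value under $2
# (/proc/sys on a live host). Prints DRIFT/MISSING lines; returns 1 on any finding.
check_sysctl() {
    _out=$(desired_settings "$1" | while read -r key want; do
        path="$2/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'MISSING %s (not exposed by this kernel)\n' "$key"
        elif [ "$(cat "$path")" != "$want" ]; then
            printf 'DRIFT %s: want %s, have %s\n' "$key" "$want" "$(cat "$path")"
        fi
    done)
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# check_sshd: compare desired sshd_config directives against $2, the effective
# configuration text printed by `sshd -T` (which uses lowercase directive names).
check_sshd() {
    _out=$(desired_settings "$1" | while read -r key want; do
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        lwant=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        have=$(printf '%s\n' "$2" | awk -v k="$lkey" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING %s (sshd -T did not report it)\n' "$key"
        elif [ "$have" != "$lwant" ]; then
            printf 'DRIFT %s: want %s, have %s\n' "$key" "$want" "$have"
        fi
    done)
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Constructed fixtures (not a real host): a desired sysctl file, a fake /proc/sys
# tree with one value wrong, and an sshd -T excerpt with root login left enabled.
FIX=$(mktemp -d)
printf 'net.ipv4.conf.all.send_redirects = 0\nkernel.randomize_va_space = 2\n' > "$FIX/sysctl.conf"
mkdir -p "$FIX/proc/net/ipv4/conf/all" "$FIX/proc/kernel"
echo 1 > "$FIX/proc/net/ipv4/conf/all/send_redirects"
echo 2 > "$FIX/proc/kernel/randomize_va_space"
printf 'PermitRootLogin no\nMaxAuthTries 3\nX11Forwarding no\n' > "$FIX/sshd.conf"
SSHD_EFFECTIVE='permitrootlogin yes
maxauthtries 3
x11forwarding no'

if [ "${RUN_LIVE:-0}" = "1" ]; then
    # Assumed paths: the sysctl file from the post and a hardening fragment for sshd.
    check_sysctl /etc/sysctl.d/99-security.conf /proc/sys || :
    check_sshd /etc/ssh/sshd_config.d/99-hardening.conf "$(sshd -T)" || :
else
    check_sysctl "$FIX/sysctl.conf" "$FIX/proc" || :
    check_sshd "$FIX/sshd.conf" "$SSHD_EFFECTIVE" || :
fi
rm -rf "$FIX"
```

Comparing against /proc/sys and sshd -T rather than re-reading the config files is deliberate: it catches a value that was overridden by a later-sorted sysctl.d file or an Include'd sshd fragment, which is exactly the drift a file-only audit misses.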
Don't Forget Network Defaults
Switches and firewalls ship with insecure defaults too. Always change default SNMP strings, disable unused ports, and enforce management ACLs:
! Cisco IOS example
no snmp-server community public
snmp-server community R4nd0mStr!ng RO MGMT_ACL
interface range Gi0/1 - 24
switchport mode access
switchport access vlan 999
shutdown

Unused ports should be shut down and assigned to a black-hole VLAN. This is a fundamental control that prevents unauthorized physical access from gaining network connectivity.
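Network configs drift too, and a backup of the running-config is enough to audit them offline. The script below is an added example (not from the original post) that scans an IOS-style running-config for the three things the snippet above fixes: community strings still set to a shipped default, SNMP communities with no ACL attached, and shut-down interfaces that were never parked in the black-hole VLAN (so a stray "no shutdown" would drop them into VLAN 1). The sample config and the choice of VLAN 999 as the black-hole VLAN are constructed assumptions.

```shell
#!/bin/sh
# Running-config audit for the network defaults above (added example, not from the post).
# Assumes IOS-style syntax as shown by `show running-config` (ranges expanded
# to individual interfaces) and a black-hole VLAN id passed as $2.

# audit_ios: read a running-config text ($1) and flag
#   - SNMP community strings still set to a shipped default ("public"/"private"),
#   - SNMP communities whose line ends in RO/RW, i.e. no ACL applied,
#   - interfaces that are shut down but not in the black-hole VLAN ($2).
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
audit_ios() {
    _out=$(printf '%s\n' "$1" | awk -v bh="$2" '
        function flush() {
            if (iface != "" && shut && vlan != bh)
                printf "SHUT-NOT-BLACKHOLE %s (vlan %s)\n", iface, (vlan == "" ? "1" : vlan)
            iface = ""; shut = 0; vlan = ""
        }
        /^snmp-server community / {
            if ($3 == "public" || $3 == "private") printf "DEFAULT-SNMP %s\n", $3
            if ($NF == "RO" || $NF == "RW")        printf "SNMP-NO-ACL %s\n", $3
        }
        /^interface / { flush(); iface = substr($0, 11); next }
        /^ shutdown$/ { shut = 1 }
        /^ switchport access vlan / { vlan = $4 }
        /^!/ { flush() }
        END { flush() }')
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Constructed sample running-config (not from a real device): one default SNMP
# string without an ACL, one hardened string, one port parked correctly in
# VLAN 999 and one port shut down but left in the default VLAN.
SAMPLE_CONFIG='!
hostname access-sw-01
!
snmp-server community public RO
snmp-server community R4nd0mStr!ng RO MGMT_ACL
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/3
 switchport mode access
 shutdown
!
end'

# For a live audit: audit_ios "$(cat backups/access-sw-01.cfg)" 999
audit_ios "$SAMPLE_CONFIG" 999 || echo "audit: network defaults need attention (see above)"
```

Pointing this at your config-backup repository on every commit turns the "always change default SNMP strings" rule into something a pipeline enforces rather than something a reviewer has to remember.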
The Takeaway
Secure defaults aren't glamorous. They won't make conference talks. But they eliminate the low-hanging fruit that adversaries exploit daily. Build hardened baselines, automate enforcement, validate continuously, and treat every default configuration as a vulnerability until proven otherwise.
Your infrastructure should defend itself before your SOC ever has to.
Have questions about system configuration and secure defaults? I'm always happy to talk shop — reach out or connect with me on LinkedIn.