4.4 Lab: Hardening Triage Desk
Lab: Hardening Triage Desk
Applied analysis · 3 configuration audit cases · Simulated pre-deployment review · 35–45 min
You are a hardening analyst on the pre-deployment review team. Three devices have arrived in your queue, each with a configuration snapshot taken before it ships to production. For every device you will: (1) identify the TWO most serious hardening gaps, (2) name the pillar each falls under, and (3) recommend the fix for each gap.
Commit your answer BEFORE clicking Reveal. That is the point of the lab.
Case 1: The Rushed Retail POS
Location: Phoenix store #142, deploying next Monday
Pre-deployment configuration snapshot:
OS: Windows 10 IoT Enterprise LTSC 2019
Last patch: March 2024 (14 months old)
Installed apps: POS app v8.2, Chrome 134, Spotify Desktop,
Steam, "FreePDFConverter" v2.1,
remote-support helper "TeamViewer Portable"
Admin account: Administrator / password set to "Store142!"
(matches the store's printed-receipt footer)
Firewall: Windows Defender Firewall: OFF
(documented reason: "conflicts with POS app")
EDR / AV: None installed
Logs: Local only, no SIEM forwarding configured
USB policy: All USB ports active; mass storage allowed
1. Two most serious hardening gaps:
2. Which pillar does each fall under:
3. Fix for each gap:
(1a) Gap: Administrator account uses a predictable password (“Store142!”) that matches the visible store number on receipts. Any attacker with a printed receipt has the password hint.
(1a) Pillar: Account and credential hardening (pillar 4).
(1a) Fix: Rotate to a unique, random 16+ character password stored in the enterprise password vault; disable the shared Administrator account; require MFA for remote administration.
(2a) Gap: Unauthorized personal software (Spotify, Steam, FreePDFConverter) on a production POS terminal, plus TeamViewer Portable with unknown remote access. This is massive attack-surface bloat — and FreePDFConverter fits the classic trojan vector pattern.
(2a) Pillar: Service and feature reduction (pillar 3) — and arguably secure baseline (pillar 1), since these apps should never have been installed on a POS image.
(2a) Fix: Reimage from the hardened POS baseline; apply application allow-listing so only POS app + Chrome can execute; remove all remote-access tools except the one the vendor requires.
Other acceptable gaps to flag: firewall disabled (pillar 6), no EDR (pillar 6), 14-month patch backlog (pillar 2), no SIEM forwarding (pillar 5), USB mass-storage enabled (pillar 6). Full credit for naming any two serious gaps with correct pillar attribution and a fix.
Case 2: The Long-Lived Linux Jump Box
Purpose: Secure bastion host administrators SSH through to reach internal production systems
Compliance scan output (CIS Ubuntu 22.04 Level 2 benchmark):
Passed checks: 92 of 240
Failed checks: 148 of 240
Critical failures (partial list):
[CIS 1.5.1] Core dumps are restricted FAIL
[CIS 2.2.2] Avahi daemon is not installed FAIL (installed)
[CIS 2.2.5] LDAP server not installed FAIL (running, unused)
[CIS 3.5.1.2] firewalld is enabled and running FAIL (masked)
[CIS 4.1.3] auditd is installed FAIL (not installed)
[CIS 4.2.1.1] rsyslog is installed FAIL (uninstalled 2023)
[CIS 5.2.10] SSH PermitRootLogin set to "no" FAIL (set to "yes")
[CIS 5.3.4] Password reuse is limited FAIL
[CIS 6.1.2] Permissions on /etc/passwd are OK PASS
History: Server was hardened to CIS L2 at deployment in 2021.
Drift has accumulated over 4 years of ad-hoc changes.
1. Two most serious hardening gaps (from the fail list):
2. What SINGLE practice would have prevented 4 years of drift:
3. Short-term and long-term fixes:
(1a) Top gap:
PermitRootLogin yes on SSH — this is a jump box; allowing direct root SSH login defeats accountability (no named user) and makes brute-force targets trivial. Pillar: Account hardening (4).(1b) Top gap: rsyslog and auditd missing, firewalld masked. A jump box with NO audit logging or host firewall is blind to lateral movement AND exposes every port, so analysts cannot even reconstruct what happened after a breach. Pillar: Logging/alerting (5) + endpoint protection (6).
Also acceptable: unused LDAP daemon (pillar 3), Avahi mDNS responder exposed (pillar 3), password-reuse restrictions missing (pillar 4).
(2) Preventive practice: Configuration management (Ansible, Puppet, or similar) running on a schedule to continuously re-apply the CIS L2 baseline. Ad-hoc changes get reverted automatically. Combined with quarterly CIS compliance scanning, drift cannot quietly accumulate.
(3) Fixes: Short-term: disable root SSH login, re-enable firewalld, reinstall auditd and rsyslog, remove unused LDAP/Avahi packages, apply the worst-severity CIS failures (CAT I equivalents) this week. Long-term: adopt Ansible/Puppet to enforce CIS L2 baseline continuously, rebuild the jump box from a golden image on a 6-month cadence, enforce CIS scanning as a pass/fail gate in the deployment pipeline.
Scoring rubric: 1 pt for two correctly named gaps, 1 pt for “configuration management” as the anti-drift practice, 1 pt for reasonable short+long fixes. 2+/3 = passing.
Case 3: The BYOD Teacher Request
Reporter: K-12 school district IT director
Situation: The district is building a BYOD policy so teachers can grade and take attendance from personal iPads at home. Requirements:
• Teachers MUST be able to access the district’s gradebook app and district email.
• The district MUST be able to remotely wipe district data if the iPad is lost or the teacher leaves.
• Teachers’ personal photos, iMessages, personal Apple ID, and home apps must NOT be visible to or wipeable by IT.
• Legal counsel will NOT approve a policy that lets IT see every app on a teacher’s personal device.
• Budget does not allow issuing a second device to every teacher.
A junior IT member proposes full MDM enrollment for all BYOD iPads. The director asks you to review that proposal and recommend an alternative if needed.
1. Why is full MDM the wrong choice here:
2. What deployment model should the district use and why:
3. Three specific hardening controls the chosen model DOES enforce:
(1) Why full MDM fails here: Full MDM enrollment gives the district visibility into and control over the ENTIRE device — apps, location, sometimes photos and messages depending on platform. That directly conflicts with three of the district’s requirements: teacher privacy, legal counsel’s app-visibility restriction, and the photos/iMessages boundary. Forcing full MDM on personal devices is also a common cause of BYOD program failure — teachers either opt out or jailbreak the device.
(2) Recommended model: Mobile Application Management (MAM). The district manages only the corporate apps (gradebook, email) inside a managed container. The personal side of the iPad is invisible to IT. A selective wipe removes only the managed apps and their data; personal photos and texts remain untouched.
(3) Hardening controls MAM does enforce on the corporate apps: (a) app-level PIN or biometric before the gradebook or email opens, (b) prevent copy/paste between managed and personal apps (data-leak protection), (c) selective remote wipe of just the managed apps when a teacher leaves or the iPad is lost, (d) require the corporate apps to be up to date, (e) block screenshots of student data within the managed apps, (f) tunnel managed-app traffic through the district VPN.
Scoring rubric: 1 pt for identifying the privacy/visibility conflict, 1 pt for correctly naming MAM as the fit, 1 pt for three specific controls MAM can enforce on corporate apps. 2+/3 = passing.
Each case reinforces a different exam pattern: Case 1 tests pillar-spotting across an unfamiliar device configuration. Case 2 tests baseline drift reasoning and the role of configuration management. Case 3 tests the MDM vs MAM decision under realistic privacy constraints. Writing full-sentence answers before revealing builds the FRQ-style habit AP Cyber rewards.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]