4.4 Lab: Hardening Triage Desk

🎯 Lab Scenario

You are a hardening analyst on the pre-deployment review team. Three devices have arrived in your queue, each with a configuration snapshot taken before it ships to production. For every device you will: (1) identify the TWO most serious hardening gaps, (2) name the pillar each falls under, and (3) recommend the fix for each gap.

Commit your answer BEFORE clicking Reveal. That is the point of the lab.

Case 1: The Rushed Retail POS

Device #POS-4411 — Retail Checkout Terminal

Location: Phoenix store #142, deploying next Monday

Pre-deployment configuration snapshot:

OS:              Windows 10 IoT Enterprise LTSC 2019
Last patch:      March 2024 (14 months old)
Installed apps:  POS app v8.2, Chrome 134, Spotify Desktop,
                 Steam, "FreePDFConverter" v2.1,
                 remote-support helper "TeamViewer Portable"
Admin account:   Administrator / password set to "Store142!"
                 (matches the store's printed-receipt footer)
Firewall:        Windows Defender Firewall: OFF
                 (documented reason: "conflicts with POS app")
EDR / AV:        None installed
Logs:            Local only, no SIEM forwarding configured
USB policy:      All USB ports active; mass storage allowed
Your Analysis (Case 1) Commit your three answers before clicking Reveal.

1. Two most serious hardening gaps:

2. Which pillar does each fall under:

3. Fix for each gap:

Case 2: The Long-Lived Linux Jump Box

Device #LX-JUMP-02 — Administrator Jump Server

Purpose: Secure bastion host administrators SSH through to reach internal production systems

Compliance scan output (CIS Ubuntu 22.04 Level 2 benchmark):

Passed checks:    92 of 240
Failed checks:    148 of 240

Critical failures (partial list):
  [CIS 1.5.1]   Core dumps are restricted            FAIL
  [CIS 2.2.2]   Avahi daemon is not installed        FAIL (installed)
  [CIS 2.2.5]   LDAP server not installed            FAIL (running, unused)
  [CIS 3.5.1.2] firewalld is enabled and running     FAIL (masked)
  [CIS 4.1.3]   auditd is installed                  FAIL (not installed)
  [CIS 4.2.1.1] rsyslog is installed                 FAIL (uninstalled 2023)
  [CIS 5.2.10]  SSH PermitRootLogin set to "no"      FAIL (set to "yes")
  [CIS 5.3.4]   Password reuse is limited            FAIL
  [CIS 6.1.2]   Permissions on /etc/passwd are OK    PASS

History:  Server was hardened to CIS L2 at deployment in 2021.
          Drift has accumulated over 4 years of ad-hoc changes.
Your Analysis (Case 2) Commit your three answers before clicking Reveal.

1. Two most serious hardening gaps (from the fail list):

2. What SINGLE practice would have prevented 4 years of drift:

3. Short-term and long-term fixes:

Case 3: The BYOD Teacher Request

Ticket #MDM-718 — District BYOD Policy Design

Reporter: K-12 school district IT director

Situation: The district is building a BYOD policy so teachers can grade and take attendance from personal iPads at home. Requirements:

• Teachers MUST be able to access the district’s gradebook app and district email.
• The district MUST be able to remotely wipe district data if the iPad is lost or the teacher leaves.
• Teachers’ personal photos, iMessages, personal Apple ID, and home apps must NOT be visible to or wipeable by IT.
• Legal counsel will NOT approve a policy that lets IT see every app on a teacher’s personal device.
• Budget does not allow issuing a second device to every teacher.

A junior IT member proposes full MDM enrollment for all BYOD iPads. The director asks you to review that proposal and recommend an alternative if needed.

Your Analysis (Case 3) Commit your three answers before clicking Reveal.

1. Why is full MDM the wrong choice here:

2. What deployment model should the district use and why:

3. Three specific hardening controls the chosen model DOES enforce:

📚 How This Prepares You for the AP Exam

Each case reinforces a different exam pattern: Case 1 tests pillar-spotting across an unfamiliar device configuration. Case 2 tests baseline drift reasoning and the role of configuration management. Case 3 tests the MDM vs MAM decision under realistic privacy constraints. Writing full-sentence answers before revealing builds the FRQ-style habit AP Cyber rewards.

AP Cybersecurity · Unit 4 · Lesson 4.4 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]