Hardening

Hardening shrinks the attack surface by removing unneeded services, default accounts, open ports, and features, then enforcing secure settings. Use a recognized baseline like CIS Benchmarks or DISA STIGs as the target. It’s most effective baked into golden images and provisioning automation rather than bolted on after deployment, where drift and missed hosts creep in.