Unit 7: Defensive Security Basics

Lesson at a glance

| Item | Detail | | --------------------- | --------------------------------------------------------------- | | Suggested length | 4 × 60 minutes | | Recommended placement | Weeks 11–12 of Cybersecurity I | | Prerequisite | Units 1–6; working VM lab | | Materials | Kali, Windows target VM, Ubuntu target VM, hardening checklists |

Safety: Hardening labs run inside the host-only lab range. Snapshot before. Snapshot after.

Standards & credential alignment

• EHE Domain 5: Network and Host Security Controls.
• VA CTE: Demonstrate system hardening and account-security practices.
• CIS Controls v8: maps to Controls 4 (Secure Configuration), 5 (Account Management), 6 (Access Control), 7 (Continuous Vulnerability Management).

Learning objectives

By the end of this unit, students can:

1. Audit local user accounts on Windows and Linux.
2. Configure a Windows Defender Firewall rule and a Linux ufw/firewalld rule.
3. Apply a CIS-style hardening checklist to a Linux server (10 baseline items).
4. Apply patches and explain why patch latency matters.
5. Configure MFA on a personal account (in class or for homework).
6. Identify three types of endpoint protection (AV, EDR, application allow-listing).

Vocabulary

• Hardening - Removing default services, weak settings, unused accounts.
• Patch / patch management - Applying vendor-provided fixes; doing so on a schedule.
• Host firewall - Firewall rules enforced on the endpoint itself (vs. network firewall).
• EDR - Endpoint Detection and Response. Behavior-based defense + telemetry.
• MFA - Multi-factor authentication. Two of: something you know, have, are.
• Local admin - Account that can do anything on a single machine. Should be rare and audited.
• Service account - Non-human account used by a program. Top target for attackers.

Teacher background

Hardening is the discipline of removing things. Students who feel productive when they install something must learn to feel productive when they uninstall, disable, or restrict.

The single biggest win in this unit: the realization that patches don't apply themselves on legacy systems. The Equifax breach happened because of an Apache Struts vulnerability that had a public patch for two months before exploitation. Patch latency is policy, and policy is a defender's job.

Materials checklist

• [ ] Windows target VM (clean, snapshotted)
• [ ] Ubuntu Server target VM (clean, snapshotted)
• [ ] Hardening checklist handout (10 baseline items, provided in worksheet PDF)
• [ ] Wall poster: the "Defender's Day 1 Checklist"

Pacing - Day 1 (60 min): Account security

| Time | Segment | Notes | | ----------- | ----------------------------------------- | ------------------------------------------------------------------ | | 0:00 – 0:20 | Mini-lesson - accounts to watch | Local admin, default accounts, dormant accounts, service accounts. | | 0:20 – 0:55 | Lab - audit accounts on Windows and Linux | Walk-through commands. | | 0:55 – 1:00 | Exit ticket | "Name three accounts you'd disable on Day 1." |

Day 1 - Account audit commands

# Linux
cat /etc/passwd | awk -F: '$3 >= 1000 {print $1}'   # human users
cat /etc/passwd | awk -F: '$3 < 1000 {print $1, $7}' # service users + their shells
sudo lastlog | awk 'NR==1 || $2 != "**Never"'        # who has logged in
getent group sudo                                     # who has sudo

# Windows (PowerShell, run as admin)
Get-LocalUser | Format-Table Name, Enabled, LastLogon, PasswordLastSet
Get-LocalGroupMember -Group "Administrators"
Get-LocalGroupMember -Group "Remote Desktop Users"

Discussion prompt: "Pick a user in this output you don't recognize. What's your next step?"

Pacing - Day 2 (60 min): Host firewalls

| Time | Segment | Notes | | ----------- | ---------------------------------------------------------- | --------------------------------------------------------- | | 0:00 – 0:20 | Mini-lesson - what a host firewall does | Allow/deny by source, dest, port, direction, application. | | 0:20 – 0:55 | Lab - configure ufw on Linux, Defender Firewall on Windows | Block all by default; allow what's needed. | | 0:55 – 1:00 | Exit ticket | "Why is default-deny better than default-allow?" |

Day 2 - Lab commands

# Ubuntu - UFW (Uncomplicated Firewall)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp                   # allow SSH from anywhere
sudo ufw allow from 192.168.56.0/24 to any port 80   # allow HTTP only from lab
sudo ufw enable
sudo ufw status verbose

# Windows - block inbound RDP except from a specific lab IP
New-NetFirewallRule -DisplayName "Block-RDP-default" `
  -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block

New-NetFirewallRule -DisplayName "Allow-RDP-from-lab-admin" `
  -Direction Inbound -Protocol TCP -LocalPort 3389 `
  -RemoteAddress 192.168.56.10 -Action Allow

Safety: Students will lock themselves out. That's the lesson. Snapshot first, restore if needed. Document the recovery in the worksheet.

Pacing - Day 3 (60 min): Patching, hardening, and configuration

| Time | Segment | Notes | | ----------- | ------------------------------------------------- | -------------------- | | 0:00 – 0:15 | Mini-lesson - patch latency and the Equifax story | 5 minutes is plenty. | | 0:15 – 0:50 | Lab - apply the 10-item hardening checklist | Below. | | 0:50 – 1:00 | Discussion - what changed? what broke? | Real talk. |

Day 3 - The 10-item Linux hardening checklist

1. sudo apt update && sudo apt upgrade -y - patch.
2. sudo apt autoremove --purge -y - remove unused packages.
3. Disable root SSH: edit /etc/ssh/sshd_config, set PermitRootLogin no.
4. Disable password SSH (key-only): set PasswordAuthentication no.
5. sudo systemctl restart sshd.
6. Audit running services: systemctl list-units --type=service --state=running. Disable anything you don't need.
7. Enable UFW (Day 2).
8. Set automatic security updates: sudo apt install unattended-upgrades.
9. Audit cron and systemd timer jobs: crontab -l && sudo ls /etc/cron.d/ && systemctl list-timers.
10. Snapshot.

Day 3 - The Windows version (abbreviated)

• Windows Update - patch now.
• Get-Service | Where-Object Status -eq Running - review and disable defaults you don't need.
• Defender real-time protection on; tamper protection on.
• Local admin password rotated; LAPS or equivalent in production.
• BitLocker on (where applicable).
• gpupdate /force; export the security baseline for review.

Pacing - Day 4 (60 min): MFA and endpoint protection

| Time | Segment | Notes | | ----------- | --------------------------------------------- | ------------------------------------------------- | | 0:00 – 0:25 | Mini-lesson - MFA strength ranked | Passkey > authenticator app > push > SMS > email. | | 0:25 – 0:45 | Activity - set up MFA on one personal account | With consent. School Google or Microsoft works. | | 0:45 – 0:55 | Mini-lesson - AV vs. EDR vs. allow-listing | Three flavors of endpoint protection. | | 0:55 – 1:00 | Exit ticket | "Rank the four MFA factors." |

Day 4 - MFA strength reference

| Factor | Why it ranks where it does | | ---------------------------- | ---------------------------------------------------------------------- | | Passkey / FIDO2 | Phishing-resistant; bound to the device + origin; can't be intercepted | | Authenticator app (TOTP) | Phishable but solid; offline; no SIM swap risk | | Push notification | Convenient; vulnerable to fatigue / approval-bombing | | SMS | SIM swap risk; better than nothing | | Email-only OTP | Only as strong as the email account. Often the weakest link. |

Common misconceptions

• "Antivirus is enough." - AV is necessary and insufficient. Layer it.
• "MFA is annoying and pointless." - MFA blocks ~99% of automated credential attacks against an account. The annoyance is the security.
• "If it's patched, it's safe." - Patching closes known holes. Defense in depth, again.

Differentiation

• For students struggling with the command line: pre-printed checklists with screenshots; pair with a stronger student.
• Stretch: have advanced students automate the Day 3 checklist into a Bash or PowerShell script.

Assessment

• Day 1 deliverable: account audit screenshot (annotated).
• Day 2 deliverable: sudo ufw status verbose output showing the configured rules.
• Day 3 deliverable: hardening checklist completed; snapshot named unit-7-hardened.
• Day 4 deliverable: screenshot of an MFA-enabled login (with personal info redacted).

Career connection

System administrators, sysadmins, and SOC engineers spend much of their week on what you did this unit. Salaries: sysadmin $60K–$90K, security engineer $80K–$120K, EDR/endpoint specialist $90K–$140K.

Homework / next class

If you don't already have MFA on your primary email and your bank, set it up this week. Submit a screenshot of the post-setup confirmation page next class.