Skarp

Chapter 11 of 25

Applying Security Principles to Enterprise Infrastructure

Drill into how core security principles are applied to servers, endpoints, network devices, and virtualization platforms that make up enterprise infrastructure.

27 min read

Orienting: Security Principles Meet Real Infrastructure

From Theory to Infrastructure

You now zoom in from big-picture architecture to how security principles actually apply to servers, endpoints, network devices, and virtualization platforms in an enterprise.

Core Principles

You will repeatedly use least privilege, defense in depth, secure defaults, and zero trust to evaluate and improve infrastructure configurations.

Where We Apply Them

We focus on servers/endpoints, network devices and firewalls, and virtualization and container platforms, always tying back to Security+ (SY0-701) objectives.

Security Principles in Practice: Least Privilege, Defense in Depth, Secure Defaults, Zero Trust

Least Privilege on Infra

Least privilege on infrastructure means separate, dedicated admin accounts, service accounts that hold only the rights their service needs, and tightly scoped network access, such as database servers that are reachable only from the application servers that use them.

Defense in Depth Layers

Defense in depth layers multiple independent controls: firewalls, WAFs, EDR, email filters, and secure coding so one failure does not expose everything.

Secure Defaults & Zero Trust

Secure defaults use hardened images and disabled services; zero trust adds segmentation, continuous device checks, and just-in-time privileges for users and admins.

Hardening and Baselining: A Cross‑Infrastructure View

Hardening vs Baseline

Hardening reduces attack surface by securely configuring systems. A baseline is the approved secure starting template used to configure and later audit systems.

Common Hardening Steps

Across infrastructure: patch regularly, remove unused services, enforce strong auth and MFA, configure host firewalls, and enable centralized logging.
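The baseline is only useful if you audit against it, so here is a small drift check: it compares a host's observed settings and running services with the approved baseline and reports every deviation (a wrong value, a missing setting, a required agent not running, a forbidden service running). This is an added example, not code from the page; the baseline keys, hostnames and snapshots are constructed, and a real deployment would collect the snapshot from Group Policy, MDM or a config-management agent.

```python
"""Baseline drift check: compare a host's observed settings and running services
against an approved baseline. Added example (not the page's code); the baseline
keys, hostnames and snapshots below are constructed."""
from dataclasses import dataclass, field

# Constructed baseline. A ("min", n) value means "at least n"; anything else must match exactly.
BASELINE = {
    "settings": {
        "password.min_length": ("min", 14),
        "account.lockout_threshold": 5,
        "firewall.default_inbound": "block",
        "disk.encryption": "enabled",
        "logging.forward_to": "siem.corp.example",
    },
    "required_services": {"edr-agent", "log-forwarder"},
    "forbidden_services": {"telnet", "ftp", "smbv1"},
}

def _matches(expected, actual) -> bool:
    if isinstance(expected, tuple) and expected[0] == "min":
        return isinstance(actual, (int, float)) and actual >= expected[1]
    return actual == expected

@dataclass
class DriftReport:
    host: str
    mismatches: dict = field(default_factory=dict)      # key -> (expected, actual)
    missing_settings: list = field(default_factory=list)
    missing_services: list = field(default_factory=list)
    forbidden_running: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not (self.mismatches or self.missing_settings
                    or self.missing_services or self.forbidden_running)

    def summary(self) -> str:
        if self.compliant:
            return f"{self.host}: compliant with baseline"
        parts = [f"{k}: expected {e!r}, got {a!r}" for k, (e, a) in self.mismatches.items()]
        parts += [f"{k}: not set" for k in self.missing_settings]
        parts += [f"required service not running: {s}" for s in self.missing_services]
        parts += [f"forbidden service running: {s}" for s in self.forbidden_running]
        return f"{self.host}: DRIFT\n  " + "\n  ".join(parts)

def check_drift(host: str, observed: dict, baseline: dict = BASELINE) -> DriftReport:
    """Compare one host snapshot ({'settings': {...}, 'running_services': [...]}) to the baseline."""
    report = DriftReport(host)
    settings = observed.get("settings", {})
    for key, expected in baseline["settings"].items():
        if key not in settings:
            report.missing_settings.append(key)
        elif not _matches(expected, settings[key]):
            report.mismatches[key] = (expected, settings[key])
    running = set(observed.get("running_services", []))
    report.missing_services = sorted(baseline["required_services"] - running)
    report.forbidden_running = sorted(baseline["forbidden_services"] & running)
    return report

# Constructed snapshots: one host built from the approved image, one that has drifted.
WEB01 = {
    "settings": {
        "password.min_length": 16,
        "account.lockout_threshold": 5,
        "firewall.default_inbound": "block",
        "disk.encryption": "enabled",
        "logging.forward_to": "siem.corp.example",
    },
    "running_services": ["edr-agent", "log-forwarder", "nginx"],
}
FILE01 = {
    "settings": {
        "password.min_length": 8,
        "account.lockout_threshold": 5,
        "firewall.default_inbound": "allow",
        "logging.forward_to": "siem.corp.example",
    },
    "running_services": ["log-forwarder", "smbd", "telnet"],
}

if __name__ == "__main__":
    for host, snap in (("web01", WEB01), ("file01", FILE01)):
        print(check_drift(host, snap).summary())
```

Note that the check treats "missing" and "wrong" separately: a setting that was never applied usually means the host was built outside the baseline process, while a wrong value usually means someone changed it afterwards, and the two call for different follow-up.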

Exam Mindset

On SY0-701, the best answer usually standardizes secure settings, reduces exposure, and improves monitoring, rather than simply adding random extra tools.

Server and Endpoint Hardening: Conceptual Baseline

OS Hardening

Servers and endpoints need patched OSes, strong account policies, and centrally managed baselines via Group Policy or MDM to enforce encryption and firewalls.

Apps, Services, and Protection

Install only required server roles, remove bloatware, use EDR and host firewalls, and consider application allowlisting to block unauthorized executables.

Protecting Data on Hosts

Use full-disk encryption, DLP or rights management for sensitive data, and reliable, tested backups to complete the host-level defense in depth picture.

Network Devices and Firewalls: Principles and Control Types

Control Types and Firewalls

Firewalls are technical controls (their category) that act mainly as preventive controls (their type); their logs feed detective controls such as a SIEM. SY0-701 objective 1.1 separates four control categories (technical, managerial, operational, physical) from six control types (preventive, deterrent, detective, corrective, compensating, directive), so be ready to classify any control on both axes.

Hardening Network Devices

Change defaults, use SSH/HTTPS/SNMPv3, restrict management to admin subnets, patch firmware, and disable unused services or routing features.
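Those hardening steps can be checked mechanically against a device's running configuration. The audit below is an added example, not code from the page: it parses a constructed Cisco IOS-style config and flags Telnet on the vty lines, a default SNMP community string, cleartext HTTP management, vty lines with no access-class (so management is not restricted to an admin subnet), SSH version 2 not enforced, and any routing protocol not in the list the site actually needs. The ACL name, the SNMPv3 group/user lines and their passphrases are placeholders.

```python
"""Audit a router running-config for common hardening gaps. Added example, not
code from the page; the two configs are constructed in Cisco IOS-style syntax."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}

def audit_router_config(config: str, needed_routing=frozenset()) -> list[str]:
    """Return a list of findings; an empty list means none of the checks below fired."""
    findings: list[str] = []
    vty_blocks: list[dict] = []
    current = None          # the "line vty" block we are inside, if any
    ssh_v2 = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                       # top-level command
            current = None
            if line.startswith("line vty"):
                current = {"transport": set(), "access_class": False}
                vty_blocks.append(current)
            elif m := re.match(r"snmp-server community (\S+)", line):
                if m.group(1).lower() in DEFAULT_COMMUNITIES:
                    findings.append(f"default SNMP community string '{m.group(1)}' in use")
            elif line == "ip http server":
                findings.append("cleartext HTTP management enabled (ip http server)")
            elif m := re.match(r"router (\S+)", line):
                if m.group(1) not in needed_routing:
                    findings.append(f"routing protocol '{m.group(1)}' enabled but not required")
            elif line == "ip ssh version 2":
                ssh_v2 = True
        elif current is not None:                         # sub-command of a vty block
            if line.startswith("transport input"):
                current["transport"].update(line.split()[2:])
            elif line.startswith("access-class"):
                current["access_class"] = True
    for block in vty_blocks:
        if block["transport"] & {"telnet", "all"}:
            findings.append("Telnet accepted on vty lines (transport input)")
        if not block["access_class"]:
            findings.append("vty lines have no access-class limiting management sources")
    if not ssh_v2:
        findings.append("SSH version 2 not enforced (ip ssh version 2 missing)")
    return findings

# Constructed "as found" config: defaults left in place, cleartext management, RIP nobody uses.
WEAK_CONFIG = """\
hostname branch-rtr1
!
snmp-server community public RO
!
ip http server
!
router rip
 network 10.0.0.0
!
line vty 0 4
 transport input telnet ssh
!
"""

# Constructed hardened config. MGMT_ONLY is an assumed ACL permitting only the admin subnet;
# the SNMPv3 passphrases are placeholders.
HARDENED_CONFIG = """\
hostname branch-rtr1
!
ip ssh version 2
!
snmp-server group NETOPS v3 priv
snmp-server user netops NETOPS v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
!
no ip http server
ip http secure-server
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
 access-class MGMT_ONLY in
 transport input ssh
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_router_config(cfg, needed_routing={"ospf"}) or "no findings")
```

The routing check needs the site to say which protocols it runs (here OSPF); a tool cannot tell "unused" from "needed" on its own, which is exactly why the baseline has to record that decision.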

Firewall Best Practices

Use default deny, least-privilege rules, and segmentation with VLANs and DMZs. Never open all ports between networks just for convenience.
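To make "default deny plus least-privilege rules between segments" concrete, the evaluator below models a small VLAN/DMZ layout (this also covers the "database reachable only from app servers" example earlier in the chapter) and answers, for any flow, whether it is allowed and by which rule; anything no rule names falls through to the default deny. It also lists the "just for convenience" rules that open every port or protocol. This is an added example, not code from the page; the subnets, segment names, rule names and ports are constructed.

```python
"""Segmented, default-deny policy evaluator. Added example, not code from the
page; segments, rules and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segments, one VLAN each.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/24"),
    "app":   ipaddress.ip_network("10.20.0.0/24"),
    "db":    ipaddress.ip_network("10.21.0.0/24"),
    "dmz":   ipaddress.ip_network("10.30.0.0/24"),
    "iot":   ipaddress.ip_network("10.40.0.0/24"),
    "mgmt":  ipaddress.ip_network("10.99.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port, None = any port
    action: str           # "allow" or "deny"

# Least-privilege rule set: every allow names the specific segments and port it needs.
# Anything not matched falls through to the implicit default deny.
POLICY = [
    Rule("users-to-web", "users", "dmz", "tcp", 443,  "allow"),
    Rule("web-to-app",   "dmz",   "app", "tcp", 8443, "allow"),
    Rule("app-to-db",    "app",   "db",  "tcp", 5432, "allow"),
    Rule("mgmt-ssh",     "mgmt",  "any", "tcp", 22,   "allow"),
    Rule("iot-to-ntp",   "iot",   "app", "udp", 123,  "allow"),
]

def segment_of(ip: str) -> Optional[str]:
    """Name of the segment an address belongs to, or None (e.g. an internet address)."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int, policy=POLICY) -> tuple[str, str]:
    """First-match evaluation; returns (action, rule name). Unmatched flows are denied."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for r in policy:
        if (r.src in ("any", src_seg) and r.dst in ("any", dst_seg)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action, r.name
    return "deny", "default-deny"

def overly_broad(policy=POLICY) -> list[str]:
    """Allow rules that open every port or every protocol: the convenience holes the text warns about."""
    return [r.name for r in policy
            if r.action == "allow" and (r.port is None or r.proto == "any")]

if __name__ == "__main__":
    flows = [
        ("10.10.0.5",  "10.30.0.10", "tcp", 443),    # user -> web in DMZ
        ("10.30.0.10", "10.20.0.10", "tcp", 8443),   # web -> app
        ("10.20.0.10", "10.21.0.10", "tcp", 5432),   # app -> db
        ("10.30.0.10", "10.21.0.10", "tcp", 5432),   # web -> db directly: denied
        ("10.40.0.7",  "10.21.0.10", "tcp", 5432),   # IoT camera -> db: denied
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
    print("overly broad rules:", overly_broad())
```

Read the denied flows as the point of the model: a compromised web server cannot talk to the database except through the application tier, and an IoT device cannot reach the server VLAN at all, because nobody wrote a rule saying it may.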

Virtualization and Container Security Basics (SY0‑701 Focus)

Hypervisor Security

Type 1 hypervisors run directly on the hardware (bare metal); Type 2 hypervisors run as an application on a host OS, so that OS becomes part of their attack surface. Secure either kind with hardened configurations, an isolated management network, and patched, hardened VM templates.

Container Risks

Containers share the host kernel, so use trusted, minimal images, avoid running as root, enforce network policies, and manage secrets securely.
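Most of those container rules are visible in the Dockerfile before anything is built, so they can be linted. The checker below is an added example, not code from the page: it flags a final-stage base image that is not pinned to a tag or digest, an image not pulled from the trusted registry, a final stage with no non-root USER, ENV/ARG values that look like secrets baked into the image, and RUN lines that install remote-access or debugging tools. The registry name, the package list and the two Dockerfiles are constructed.

```python
"""Lint a Dockerfile for the container risks discussed above. Added example, not
code from the page; the trusted registry and both Dockerfiles are constructed."""
import re

TRUSTED_REGISTRIES = ("registry.corp.example/",)   # constructed; images from elsewhere are flagged
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
UNWANTED_PKGS = {"openssh-server", "telnet", "netcat", "netcat-openbsd", "nmap", "gdb", "vim", "strace"}

def _instructions(dockerfile: str):
    """Yield (INSTRUCTION, argument) pairs, joining backslash line continuations."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        inst, _, arg = buf.partition(" ")
        yield inst.upper(), arg.strip()
        buf = ""

def _pinned(image: str) -> bool:
    """Digest-pinned, or tagged with something other than :latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]    # strip registry/path so a registry port is not read as a tag
    return ":" in last and not last.endswith(":latest")

def lint_dockerfile(dockerfile: str, trusted=TRUSTED_REGISTRIES) -> list[str]:
    findings: list[str] = []
    stages: list[dict] = []             # one entry per FROM (multi-stage builds)
    for inst, arg in _instructions(dockerfile):
        if inst == "FROM":
            stages.append({"image": arg.split()[0], "user": None})   # drop "AS name"
            continue
        if not stages:
            continue
        stage = stages[-1]
        if inst == "USER":
            stage["user"] = arg.split(":")[0]
        elif inst in ("ENV", "ARG") and SECRET_NAME.search(arg):
            var = arg.split()[0].split("=")[0]
            findings.append(f"{inst} bakes a secret into the image: {var}")
        elif inst == "RUN":
            bad = sorted(set(re.findall(r"[\w.+-]+", arg)) & UNWANTED_PKGS)
            if bad:
                findings.append(f"RUN installs remote-access/debugging tools: {', '.join(bad)}")
    if not stages:
        return ["no FROM instruction"]
    final = stages[-1]                  # only the last stage ships, so check its image and user
    if not _pinned(final["image"]):
        findings.append(f"base image not pinned to a tag or digest: {final['image']}")
    if not final["image"].startswith(trusted):
        findings.append(f"base image not from a trusted registry: {final['image']}")
    if final["user"] in (None, "root", "0"):
        findings.append("final stage runs as root (no non-root USER instruction)")
    return findings

# Constructed "before": floating tag, public registry, secret in ENV, debug tools, root.
BAD_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y \\
    vim netcat telnet
COPY app /app
CMD ["python", "/app/main.py"]
"""

# Constructed "after": pinned image from the corporate registry, multi-stage, non-root, no secrets.
GOOD_DOCKERFILE = """\
FROM registry.corp.example/base/python:3.12-slim AS build
COPY app /app
RUN python -m compileall /app

FROM registry.corp.example/base/python:3.12-slim
COPY --from=build /app /app
RUN useradd --system --no-create-home appuser
USER appuser
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for name, df in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, lint_dockerfile(df) or "no findings")
```

Secrets are flagged wherever they appear, including build stages: an ARG in an early stage does not reach the final image, but it does land in that stage's layer history and build cache, so the fix is the same either way (inject at runtime from a secrets manager).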

Isolation Is Not Magic

VMs and containers are not secure by default. Misconfigurations can allow lateral movement and escalation, so apply least privilege and defense in depth.

Mapping Controls to Infrastructure Layers

Four Infrastructure Layers

Use four layers: network, host/endpoint, application & data, and management & monitoring to organize where security controls live.

Control Mapping

Firewalls and IDS/IPS at the network layer, EDR and encryption at the host layer, WAF and DB controls at the app/data layer, SIEM and IAM at the management layer.

Using the Model

In scenarios, ask which layer is weak and pick controls that strengthen that specific layer, reinforcing defense in depth and zero trust.

Thought Exercise: Walk Through an Infrastructure Scenario

Walk through this scenario and reason step by step.

Scenario

A small company has:

  • One VLAN for everything (users, servers, printers, IoT cameras).
  • A single firewall at the internet edge.
  • Windows servers and user endpoints joined to a domain.
  • A virtualization host that runs: a web server, a database server, and a file server as VMs.
  • Basic anti-malware on endpoints, but no centralized logging.

Your tasks

  1. Identify at least three weaknesses in terms of least privilege, defense in depth, secure defaults, or zero trust.
  2. For each weakness, name one improvement and map it to an infrastructure layer.

Pause and think before scrolling further.

Sample reasoning (compare to your own)

  1. Weakness: Single flat VLAN means no segmentation; IoT cameras and user PCs can reach servers directly.
  • Improvement: Create separate VLANs for user devices, servers, and IoT; use internal firewall rules to enforce least privilege between VLANs.
  • Layer: Network layer.
  2. Weakness: Only one perimeter firewall; no internal controls if an attacker is inside.
  • Improvement: Enable host-based firewalls on servers and endpoints with default deny inbound, only allowing necessary ports.
  • Layer: Host/endpoint layer.
  3. Weakness: No centralized logging; incidents may go undetected.
  • Improvement: Forward logs from servers, endpoints, and the firewall to a central SIEM or log server; configure alerts on suspicious patterns.
  • Layer: Management and monitoring layer.
  4. Bonus weakness: Multiple critical VMs share the same host with unclear hardening.
  • Improvement: Harden the hypervisor, isolate management traffic, and ensure VMs follow hardened templates and separate roles.
  • Layer: Virtualization/host and management layers.

Compare your answers: could you justify each improvement using least privilege, defense in depth, secure defaults, or zero trust language?
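The third improvement, "forward logs to a central server and alert on suspicious patterns", is worth seeing in working form, because the patterns are what give centralized logging its value. The script below is an added example, not code from the page: over a constructed set of forwarded events (Windows logon failures, event 4625, from the domain controller, plus denies from the edge firewall and a host firewall) it raises two alerts, a burst of failed logons from one source within 60 seconds, and one source blocked on several distinct server ports. The log format, subnet, thresholds and every line of SAMPLE_LOG are constructed.

```python
"""Two detections a central log server could run over forwarded events. Added
example, not code from the page; format, subnet and SAMPLE_LOG are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SERVER_NET = ipaddress.ip_network("10.21.0.0/24")   # constructed server VLAN

# Constructed key=value events as a collector might normalise them.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z host=dc01 event=4625 user=jsmith src=10.10.0.55
2024-05-01T08:00:05Z host=dc01 event=4625 user=jsmith src=10.10.0.55
2024-05-01T08:00:09Z host=dc01 event=4625 user=admin src=10.10.0.55
2024-05-01T08:00:12Z host=dc01 event=4625 user=admin src=10.10.0.55
2024-05-01T08:00:15Z host=dc01 event=4625 user=svc_backup src=10.10.0.55
2024-05-01T08:00:20Z host=dc01 event=4625 user=svc_backup src=10.10.0.55
2024-05-01T08:03:00Z host=dc01 event=4625 user=mlee src=10.10.0.20
2024-05-01T08:03:30Z host=dc01 event=4624 user=mlee src=10.10.0.20
2024-05-01T08:05:10Z host=fw01 event=fw_deny src=10.40.0.7 dst=10.21.0.10 dport=22
2024-05-01T08:05:11Z host=fw01 event=fw_deny src=10.40.0.7 dst=10.21.0.10 dport=445
2024-05-01T08:05:12Z host=fw01 event=fw_deny src=10.40.0.7 dst=10.21.0.10 dport=3389
2024-05-01T08:05:13Z host=db01 event=hostfw_deny src=10.40.0.7 dst=10.21.0.10 dport=5432
2024-05-01T08:09:00Z host=dc01 event=4625 user=mlee src=10.10.0.20
2024-05-01T08:10:00Z host=fw01 event=fw_deny src=10.10.0.20 dst=10.21.0.10 dport=445
""".splitlines()

def parse_line(line: str) -> dict:
    """Timestamp followed by key=value fields."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec

def failed_logon_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """One alert per source IP whose densest window holds >= threshold 4625 events."""
    times = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("event") == "4625":
            times[rec["src"]].append(rec["ts"])
    alerts = []
    for src, ts in times.items():
        ts.sort()
        best = start = 0
        for end, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append(("failed_logon_burst", src, best))
    return alerts

def server_port_sweeps(lines, min_ports=3):
    """One alert per source that was blocked on >= min_ports distinct server-VLAN ports."""
    ports = defaultdict(set)
    for rec in map(parse_line, lines):
        if (rec.get("event") in ("fw_deny", "hostfw_deny")
                and ipaddress.ip_address(rec["dst"]) in SERVER_NET):
            ports[rec["src"]].add(int(rec["dport"]))
    return [("server_port_sweep", src, len(p)) for src, p in ports.items() if len(p) >= min_ports]

def run_detections(lines=SAMPLE_LOG):
    return failed_logon_bursts(lines) + server_port_sweeps(lines)

if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Two details matter operationally: the burst detector keys on the source address rather than the account, so password spraying across several users is still caught, and the sweep detector only works because both the edge firewall and the host firewall forward their denies to the same place; with logs left on each device, the four probes would have looked like three unrelated events plus one.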

Quick Check: Server and Network Hardening

Test yourself on key ideas before moving on.

An administrator wants to harden a new router that will connect branch offices to headquarters. Which action best aligns with secure defaults and least privilege?

  A) Enable Telnet for management so admins can connect from any device on the network.
  B) Leave default SNMP community strings but restrict SSH management to the admin VLAN.
  C) Disable unused routing protocols, change all default credentials, and restrict management access to a dedicated admin subnet using SSH.
  D) Enable remote web management over HTTP so admins can troubleshoot more easily.

Answer: C) Disable unused routing protocols, change all default credentials, and restrict management access to a dedicated admin subnet using SSH.

Disabling unused routing protocols reduces attack surface, changing default credentials addresses a common weakness, and restricting SSH management to a dedicated admin subnet enforces least privilege and secure defaults. The other options either keep insecure defaults (SNMP strings) or use insecure protocols (Telnet, HTTP) and overly broad access.

Quick Check: Virtualization and Containers

Another short quiz to reinforce virtualization and container security.

A team is deploying a containerized microservice application. Which practice most directly reduces the attack surface of the container images?

  A) Running all containers as root to simplify permissions.
  B) Using minimal base images from a trusted registry and removing unnecessary tools from the images.
  C) Embedding database credentials directly into the container image for faster startup.
  D) Allowing all containers to communicate freely with each other to avoid misconfiguration.

Answer: B) Using minimal base images from a trusted registry and removing unnecessary tools from the images.

Using minimal base images from a trusted registry and stripping unnecessary tools reduces the attack surface and potential vulnerabilities. Running containers as root, hard-coding credentials, or allowing unrestricted communication all increase risk and violate least privilege and secure defaults.

Key Terms and Principles Review

Flip through these cards to reinforce terminology that appears across Security+ domains.

CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Hardening
The process of reducing a system's attack surface by removing unnecessary components and securely configuring what remains.
Baseline configuration
An approved, standard set of security settings for a system, used as a secure starting point and reference for auditing and drift detection.
Security control categories (4) and types (6)
Categories: technical, managerial, operational, physical. Types: preventive, deterrent, detective, corrective, compensating, directive. Every control has one category and one or more types; a firewall, for example, is a technical, preventive control.
CIA triad components
confidentiality, integrity, availability
AAA functions
authentication, authorization, accounting
Host-based firewall
A software firewall running on an individual host, enforcing traffic rules specific to that system.
Web application firewall (WAF)
A firewall that specifically monitors and filters HTTP/HTTPS traffic to and from web applications to protect against attacks such as SQL injection and XSS.

Apply It: Recommend Improvements for a Simple Design

Use what you have learned to make high-level recommendations, just like you will on the exam.

Scenario

You are given this simplified environment:

  • A Type 1 hypervisor running three VMs: a public-facing web server, an internal application server, and a database server.
  • All three VMs are on the same virtual switch and VLAN.
  • The hypervisor management interface is reachable from the same network as the VMs.
  • Endpoints have basic anti-malware but no disk encryption.
  • There is a perimeter firewall, but no internal segmentation.

Your tasks

  1. Name two changes you would make at the network layer.
  2. Name two changes at the host/virtualization layer.
  3. For each change, state which principle it supports (least privilege, defense in depth, secure defaults, zero trust).

Reflect before comparing with this sample answer.

Sample improvements

  1. Network layer
  • Place the public web server in a DMZ VLAN, and the app/DB servers in an internal server VLAN. Use firewall rules to allow only required ports between DMZ and internal servers.
  • Principles: defense in depth, zero trust, least privilege.
  • Restrict hypervisor management to a dedicated management VLAN accessible only from admin workstations.
  • Principles: least privilege, secure defaults.
  2. Host/virtualization layer
  • Harden the hypervisor and VMs using secure templates; disable unnecessary services and enforce strong admin authentication (preferably MFA).
  • Principles: secure defaults, defense in depth.
  • Enable full-disk encryption on endpoints and ensure host-based firewalls are configured with default deny inbound.
  • Principles: defense in depth, least privilege.

If this felt easy, you are ready to push into more complex hybrid environment questions. If it felt shaky, flag this module for extra review; your spaced review queue will surface these concepts again.

Key Terms

SIEM
Security Information and Event Management system that aggregates and analyzes logs from multiple sources for security monitoring.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
endpoint
A user device such as a laptop, desktop, or mobile device that connects to the network and must be secured.
container
A lightweight, isolated runtime environment for applications that shares the host OS kernel but has its own filesystem and resources.
hardening
The process of reducing a system's attack surface by removing unnecessary components and securely configuring what remains.
hypervisor
Software that creates and runs virtual machines by abstracting hardware resources.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
AAA functions
The three core identity-related functions: authentication, authorization, accounting.
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
CIA triad components
The three core security objectives: confidentiality, integrity, availability.
baseline configuration
An approved, standard set of security settings for a system, used as a secure starting point and reference for auditing and drift detection.
security control categories and types
SY0-701 distinguishes four control categories (technical, managerial, operational, physical) from six control types (preventive, deterrent, detective, corrective, compensating, directive); a control is classified on both axes.
