Threats, Vulnerabilities, and Mitigations · SY0-701 · Task 2.5

System hardening — SY0-701

CompTIA Security+ SY0-701: master system hardening — the two core NIST actions, attack surface reduction, and the exam trap that trips most candidates.

WHAT IT IS

Hardening is "a process intended to eliminate a means of attack by patching vulnerabilities and turning off nonessential services." (NIST Glossary, sourced from NIST SP 800-152.)

The goal is to shrink the attack surface — "the set of points on the boundary of a system, a system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, component, or environment." (NIST Glossary, sourced from NIST SP 800-53 Rev. 5.) Fewer exposed points means fewer opportunities for exploitation of a vulnerability, which is "a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." (NIST Glossary, sourced from NIST SP 800-53 Rev. 5.)

Mental model

Think of a newly built server as a house with every window open, every door unlocked, and the basement accessible from the street. Hardening is the act of closing every window you do not need open, dead-bolting every door that should stay shut, and sealing the basement entrance. Two levers, same goal: patch what is broken, disable what is unnecessary.

When to use it

Candidates confuse system hardening with configuration management because both deal with system settings. The distinction matters for exam questions that describe a scenario and ask what control was applied.

| Dimension | System Hardening | Configuration Management |
| --- | --- | --- |
| Primary goal | Reduce attack surface by eliminating attack paths | Establish and preserve integrity of IT products and systems through controlled change processes |
| Core actions | Patching vulnerabilities; disabling nonessential services | Initializing, changing, and monitoring configurations across the system development life cycle |
| Timing | Performed before and during deployment to remove attack paths | Ongoing throughout the system development life cycle |
| NIST definition source | NIST SP 800-152 (via NIST Glossary) | NIST SP 800-128 and others (via NIST Glossary) |

Hardening is an outcome. Configuration management is the process discipline that can be used to reach and maintain that outcome over time. A hardened system still requires configuration management to stay hardened as the environment changes.

COMMON MISCONCEPTION

The exam trap is treating hardening and patching as synonyms. Patching vulnerabilities is only one of the two core actions the NIST definition specifies. Turning off nonessential services — reducing what is reachable on the attack surface — is equally part of hardening. A fully patched system that still runs unnecessary services is not fully hardened.

A second trap: assuming hardening is a one-time event. Because vulnerabilities are defined as weaknesses that "could be exploited or triggered by a threat source," and new weaknesses are continuously discovered, hardening is a recurring activity, not a checkbox that stays checked forever.
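
The two levers can be checked together and re-run on a schedule. The sketch below is an added example, not part of the original study material: it parses captured output of `systemctl list-unit-files --type=service --state=enabled --no-legend` and `apt list --upgradable` and reports each lever separately. The allowlist, the sample text and the function names are constructed assumptions for a Debian-style host.

```python
import re

# Constructed allowlist (assumption): services this host's role actually needs.
ALLOWED_SERVICES = {"ssh.service", "cron.service", "rsyslog.service"}

# Constructed sample of `systemctl list-unit-files --type=service --state=enabled --no-legend`
SAMPLE_UNITS = """\
ssh.service           enabled enabled
cron.service          enabled enabled
cups.service          enabled enabled
avahi-daemon.service  enabled enabled
rsyslog.service       enabled enabled
"""

# Constructed sample of `apt list --upgradable`
SAMPLE_UPGRADABLE = """\
Listing... Done
openssl/stable-security 3.0.11-1 amd64 [upgradable from: 3.0.9-1]
"""

UPGRADE_RE = re.compile(r"^(\S+?)/\S+\s+(\S+)\s+\S+\s+\[upgradable from: (\S+)\]$")

def nonessential_services(unit_text, allowed):
    """Lever 1: enabled services that are not on the allowlist."""
    extra = set()
    for line in unit_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].endswith(".service") and fields[1] == "enabled":
            if fields[0] not in allowed:
                extra.add(fields[0])
    return sorted(extra)

def pending_patches(apt_text):
    """Lever 2: (package, installed, candidate) for each upgradable package."""
    pending = []
    for line in apt_text.splitlines():
        m = UPGRADE_RE.match(line.strip())
        if m:
            pending.append((m.group(1), m.group(3), m.group(2)))
    return pending

def hardening_report(unit_text, apt_text, allowed):
    """Both levers must be clear; passing only one is the exam trap."""
    services = nonessential_services(unit_text, allowed)
    patches = pending_patches(apt_text)
    return {"nonessential_services": services, "pending_patches": patches,
            "both_levers_clear": not services and not patches}

if __name__ == "__main__":
    print(hardening_report(SAMPLE_UNITS, SAMPLE_UPGRADABLE, ALLOWED_SERVICES))
```

Feeding it a host with no upgradable packages but the same enabled services still leaves `both_levers_clear` false, which is the fully-patched-but-not-hardened case described above.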

How it shows up on the exam

The cognitive target is application — given a scenario, identify whether the described action constitutes hardening, and whether it is complete. Signal phrases to watch for:

  • "turned off / disabled / stopped" a service or feature — this is the nonessential-services lever of hardening.
  • "applied patches / updated software" — this is the vulnerability-patching lever of hardening.
  • Questions may describe only one lever and ask what else should be done, testing whether you know both levers exist.
  • Candidates who conflate hardening with configuration management may select a configuration-management control when the scenario calls for reducing the attack surface, or vice versa. Focus on the stated goal: if the scenario is about eliminating attack paths, hardening is the concept.

Related concepts

  • Network Segmentation — divides a network into isolated zones, complementing hardening by limiting lateral movement even when a hardened system is compromised.
  • Access Control Lists — restrict what subjects can reach what resources; work alongside hardening to limit the attack surface at the network and resource level.
  • Least Privilege — the principle that users and processes receive only the access required for their function; applying it removes unnecessary permissions, paralleling how hardening removes unnecessary services.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
