Secure configuration is the second of the five technical controls in the Cyber Essentials scheme. It addresses a fundamental truth in cyber security: devices and software are rarely secure out of the box. Manufacturers prioritise ease of use and broad compatibility over security, which means every device deployed with its default settings presents a potential vulnerability.
During a Cyber Essentials Plus assessment, the assessor will examine a representative sample of your devices to verify that they are securely configured. This guide covers exactly what secure configuration means in the CE+ context, what the assessor looks for, and how to ensure your organisation meets the standard.
For UK organisations seeking Cyber Essentials Plus certification, secure configuration represents one of the most frequently failed controls during initial assessment. The reason is straightforward: most businesses have grown organically, adding devices and software over time without a consistent security baseline. Legacy systems, inherited configurations, and devices set up by previous staff all contribute to an environment that is far from secure by default. Understanding exactly what the assessor expects — and systematically addressing every requirement — is the key to passing first time.
What Secure Configuration Means
In the context of Cyber Essentials, secure configuration means ensuring that every device and piece of software in your environment is configured to minimise its attack surface. This involves removing or disabling anything that is not needed, changing insecure defaults, and enabling built-in security features.
The principle is straightforward: the less software you run, the fewer accounts you have active, and the fewer services you expose, the fewer opportunities an attacker has to exploit your systems.
It is worth noting that secure configuration applies to every device within the scope of your CE+ assessment. This includes not only workstations and laptops but also servers, mobile devices, network equipment such as routers and switches, cloud services, and any internet-connected devices. Many organisations focus their hardening efforts on endpoints but overlook network printers, IP cameras, and other peripheral devices that are equally vulnerable to exploitation. The assessor will consider your entire estate, so your configuration baseline must be comprehensive.
The Core Requirements
1. Remove or Disable Unnecessary Software
Every device in scope should only run the software it genuinely needs to fulfil its business function. Unnecessary software increases your attack surface — each additional application is a potential entry point for malware or exploitation.
This means removing:
Pre-installed bloatware: Many devices ship with trial software, manufacturer utilities, and promotional applications that serve no business purpose. These should be uninstalled.
Unused applications: Software that was installed for a specific purpose but is no longer needed should be removed, not just left unused.
Outdated software: Old versions of applications (particularly Java, Flash Player, and other browser plugins) are frequent targets for attackers and should be removed if they are no longer needed.
Unnecessary services: Windows and other operating systems run numerous background services by default. Services that are not required (such as Remote Desktop if not used, or print sharing on devices that do not share printers) should be disabled.
In practice, conducting a thorough software audit across your entire device estate can be a substantial undertaking, particularly for organisations with more than a handful of machines. Using an endpoint management tool such as Microsoft Intune, SCCM, or a third-party solution can help you inventory all installed software centrally, identify applications that fall outside your approved list, and remove them in bulk. Without central visibility, it is very easy for unapproved or outdated software to persist on individual machines undetected — and the assessor will check for exactly this.
Create a software whitelist for each device role in your organisation. For example, a finance workstation might require Microsoft 365, your accounting software, and a PDF reader — nothing else. Use this whitelist as your configuration baseline and audit against it quarterly. This makes CE+ assessments significantly easier because you have a documented justification for every installed application.
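One way to audit a device against such a whitelist, as an added example that is not part of the original article: the script reads every uninstall entry Windows records in the registry and flags anything not on the approved list for the device role. The approved list is a constructed sample for a finance workstation ("Sage 50 Accounts" stands in for whatever accounting package you use).

```powershell
# Added example (not from the original article): audit the software installed on a
# Windows device against the approved list for its role. The approved list below is a
# constructed sample for a finance workstation; replace it with your documented baseline.
$ApprovedSoftware = @(
    'Microsoft 365 Apps for enterprise',
    'Adobe Acrobat Reader',      # PDF reader
    'Sage 50 Accounts'           # hypothetical accounting package
)

# Registry locations where installers register uninstall entries:
# 64-bit, 32-bit-on-64-bit, and per-user installs
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # Skip entries with no display name and hidden system components
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Test-SoftwareBaseline {
    param([string[]]$Approved)
    foreach ($app in Get-InstalledSoftware) {
        # Prefix match so 'Adobe Acrobat Reader' also covers 'Adobe Acrobat Reader DC'
        $isApproved = $Approved | Where-Object { $app.DisplayName -like "$($_)*" }
        [pscustomobject]@{
            Name      = $app.DisplayName
            Version   = $app.DisplayVersion
            Publisher = $app.Publisher
            Status    = $(if ($isApproved) { 'Approved' } else { 'REVIEW' })
        }
    }
}

$report = Test-SoftwareBaseline -Approved $ApprovedSoftware
$report | Format-Table -AutoSize
# Keep the CSV with your baseline documentation as evidence for the assessor
$report | Export-Csv -Path "$env:COMPUTERNAME-software-audit.csv" -NoTypeInformation
# REVIEW items are either bloatware to uninstall or need adding to the baseline with a
# documented justification.
```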
2. Change All Default Passwords
Default passwords are one of the most commonly exploited vulnerabilities. They are publicly documented, widely known, and trivially easy for attackers to discover. The Cyber Essentials standard requires that all default and predictable passwords are changed before devices are deployed.
This applies to:
| Device/System | Common Defaults | Risk Level |
|---|---|---|
| Network routers | admin / admin, admin / password | Critical |
| Wireless access points | admin / (blank), admin / 1234 | Critical |
| Network printers | admin / (blank), admin / admin | High |
| CCTV/IP cameras | admin / 12345, admin / (blank) | High |
| Web applications | admin / admin, sa / (blank) | Critical |
Beyond the devices listed above, default credentials are also a significant concern for network-attached storage (NAS) devices, managed switches, VoIP phone systems, and building management systems. In the UK, we frequently encounter organisations where a network printer or CCTV system has been running with factory credentials for years simply because no one thought to change them at installation. Every such device is a potential entry point into your network, and the CE+ assessor may check any internet-connected device within your scope.
When replacing default passwords, ensure the new passwords meet the Cyber Essentials password policy: a minimum of 12 characters using a combination of upper and lower case letters, numbers, and special characters. Alternatively, the scheme accepts passphrases of three or more random words. Where a device supports multi-factor authentication, it should be enabled as an additional layer of protection beyond the password itself.
3. Disable or Remove Unnecessary User Accounts
Default user accounts and guest accounts that come pre-configured on devices and operating systems must be disabled or removed. These accounts are well-known to attackers and provide easy access if left active.
Specifically:
Guest accounts: The Windows guest account (and equivalents on other operating systems) must be disabled. Guest accounts provide unauthenticated access to the device.
Default administrator accounts: Where possible, the built-in administrator account should be disabled and replaced with a named administrator account. If the built-in admin account cannot be disabled, it must have a strong, unique password.
Former employee accounts: Accounts belonging to people who have left the organisation must be disabled or removed promptly. A robust offboarding process is essential for maintaining this requirement.
Service accounts: Accounts used by applications and services should have the minimum privileges required and should not have interactive login capability unless absolutely necessary.
Account hygiene is one of the most operationally challenging aspects of secure configuration, particularly for organisations with high staff turnover. The NCSC recommends conducting quarterly access reviews to identify and remove stale accounts. In Active Directory environments, you can use PowerShell scripts to report on accounts that have not been used in 90 days or more, making it straightforward to identify candidates for removal. For cloud environments such as Microsoft 365 and Google Workspace, similar audit tools are available in the admin console. The assessor will specifically look for accounts that appear to belong to individuals who are no longer with the organisation, so maintaining a clean directory is essential.
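The 90-day stale-account report described above, written here as an added example (not code from the original article): it lists enabled Active Directory users who have not signed in for 90 days, plus enabled accounts that were created more than 90 days ago and have never signed in, and shows what disabling them would do. It assumes the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example (not from the original article): report Active Directory user accounts
# that have not signed in for 90 days, then preview disabling them. Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

function Get-StaleAdUsers {
    param([datetime]$Before)
    # LastLogonDate is the replicated lastLogonTimestamp, accurate to roughly 14 days,
    # which is good enough for a 90-day quarterly review.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, Description |
        Where-Object {
            ($_.LastLogonDate -and $_.LastLogonDate -lt $Before) -or
            (-not $_.LastLogonDate -and $_.whenCreated -lt $Before)   # never signed in
        } |
        Select-Object SamAccountName, Name, LastLogonDate, whenCreated, Description, DistinguishedName |
        Sort-Object LastLogonDate
}

$stale = Get-StaleAdUsers -Before $Cutoff
$stale | Format-Table SamAccountName, Name, LastLogonDate, Description -AutoSize
# Keep the CSV as evidence of the review for the assessor
$stale | Export-Csv -Path "stale-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Disable rather than delete so the change is reversible; deletion follows your
# offboarding process. -WhatIf only previews the action: remove it once the list has
# been reviewed and approved.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```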
[Comparison graphic: Managed Configuration Approach vs Ad-Hoc Configuration Approach]
4. Enable Screen Lock / Auto-Lock
All devices must be configured to lock automatically after a period of inactivity. For Cyber Essentials Plus, the requirement is that devices lock within 15 minutes of the last user interaction.
This prevents unauthorised access to unattended devices. The implementation varies by device type:
Windows desktops and laptops: Configure screen timeout via Group Policy or local settings. Set the screensaver to activate within 15 minutes and require a password on resume.
macOS devices: Set the screen lock timeout in System Settings and require a password immediately after sleep or screen saver begins.
Mobile devices (iOS/Android): Set the auto-lock timeout. For mobile devices, a shorter timeout (1–5 minutes) is recommended due to the higher risk of loss or theft.
It is worth noting that the 15-minute maximum is a ceiling, not a target. For many environments, particularly those where devices are used in shared spaces, reception areas, or customer-facing roles, a significantly shorter timeout of 2 to 5 minutes is strongly advisable. The assessor will verify the configured timeout on each sampled device, and any device exceeding 15 minutes will be flagged as non-compliant. In environments managed with Microsoft Intune or a similar MDM platform, this setting can be enforced centrally and users will be unable to override it.
For organisations with a mix of corporate and personal mobile devices, consider implementing a Mobile Device Management (MDM) solution such as Microsoft Intune or Jamf. MDM allows you to enforce screen lock timeouts, require device encryption, and remotely wipe lost devices — all requirements that contribute to your CE+ secure configuration posture. Even for BYOD policies, MDM can apply security settings to the work profile without affecting personal data.
5. Remove or Disable Unnecessary Features and Services
Operating systems and applications often include features that are enabled by default but not required for business operations. These features can introduce vulnerabilities and should be disabled:
Autorun/AutoPlay: The automatic execution of programs from removable media (USB drives, CDs) should be disabled. Autorun has been a major malware vector for years.
Remote Desktop: If Remote Desktop Protocol (RDP) is not needed, it should be disabled. If it is needed, it should be restricted to specific users and ideally protected by a VPN or Network Level Authentication.
Bluetooth and NFC: If not required for business purposes, these wireless technologies should be disabled, particularly on devices used outside the office.
File and printer sharing: If a device does not need to share files or printers, these services should be disabled.
In addition to the services listed above, organisations should also consider disabling Windows PowerShell remoting on workstations where it is not required, disabling the Windows Script Host if scripts are not used for legitimate business purposes, and restricting the use of removable media via Group Policy. Each of these measures reduces the number of tools available to an attacker who gains initial access to a device, making lateral movement and privilege escalation significantly harder. The cumulative effect of disabling unnecessary features across your estate is a substantially reduced attack surface that is much harder to exploit.
How Secure Configuration Is Tested in CE+
During the Cyber Essentials Plus assessment, the assessor examines a representative sample of your devices. The sample typically includes a mix of:
Windows workstations/laptops (the most common device type in most organisations)
macOS devices (if present in your environment)
Mobile devices (iOS and/or Android, if in scope)
Servers (if in scope)
For each sampled device, the assessor will check:
[Table: Assessor Checklist for Secure Configuration]
The assessment is not just a checklist exercise. Assessors are experienced security professionals who will investigate the overall hygiene of each device. They may open the Control Panel to review installed programs, check the Services console, examine local user accounts, verify firewall settings, and confirm that the device is receiving automatic updates. If they identify patterns of poor configuration across multiple sampled devices, it may indicate a systemic issue that requires remediation before certification can be granted.
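The following added example (not code from the original article or from any assessor) is a read-only self-check covering the account, screen lock and unnecessary-feature requirements in sections 3 to 5 above and the items the assessor inspects on a sampled Windows device. It reads the standard Windows policy registry locations and service states and reports each check as Pass or FAIL; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run as an administrator.

```powershell
# Added example (not from the original article): read-only self-check of the settings an
# assessor typically inspects on a sampled Windows device, reported as Pass/FAIL.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function New-Check {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Result = $(if ($Pass) { 'Pass' } else { 'FAIL' }); Detail = $Detail }
}
function Test-SecureConfiguration {
    # 1. Screen lock: machine inactivity limit policy, else the screen saver timeout
    #    (Group Policy path first, then the user's own). CE+ allows at most 15 min (900 s).
    $limit  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    $secure = [bool]$limit   # the inactivity limit always locks the session
    if (-not $limit) {
        foreach ($p in 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop', 'HKCU:\Control Panel\Desktop') {
            $limit = [int](Get-RegValue $p 'ScreenSaveTimeOut')
            if ($limit) { $secure = (Get-RegValue $p 'ScreenSaverIsSecure') -eq '1'; break }
        }
    }
    New-Check 'Screen lock within 15 minutes, password on resume' ($limit -gt 0 -and $limit -le 900 -and $secure) "timeout=${limit}s secure=$secure"

    # 2. AutoRun/AutoPlay disabled for all drive types (policy value 0xFF)
    $autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    New-Check 'AutoRun disabled on all drive types' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"

    # 3. Remote Desktop either disabled or requiring Network Level Authentication
    $rdpOff = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') -eq 1
    $nla    = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication') -eq 1
    New-Check 'RDP disabled or protected by NLA' ($rdpOff -or $nla) "disabled=$rdpOff nla=$nla"

    # 4. Built-in Guest (RID 501) disabled; built-in Administrator (RID 500) disabled or renamed
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    New-Check 'Guest account disabled' (-not $guest.Enabled) "enabled=$($guest.Enabled)"
    New-Check 'Built-in Administrator disabled or renamed' ((-not $admin.Enabled) -or ($admin.Name -ne 'Administrator')) "name=$($admin.Name) enabled=$($admin.Enabled)"

    # 5. Services behind PowerShell remoting (WinRM), file/printer sharing (LanmanServer)
    #    and Bluetooth (bthserv): a FAIL here needs a documented business justification
    foreach ($svc in 'WinRM', 'LanmanServer', 'bthserv') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        New-Check "Service $svc not running" ($null -eq $s -or $s.Status -ne 'Running') "status=$($s.Status) start=$($s.StartType)"
    }

    # 6. Windows Script Host disabled (Enabled = 0); an absent value means it is enabled
    $wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    New-Check 'Windows Script Host disabled' ($wsh -eq 0) "Enabled=$wsh"

    # 7. Windows Firewall on for every profile (domain, private, public)
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    New-Check 'Firewall enabled on all profiles' (-not $off) "disabled profiles: $($off.Name -join ', ')"
}

Test-SecureConfiguration | Format-Table -AutoSize
```

Any FAIL is either a setting to fix before the assessment or, for the service checks, something to record in your baseline with its business justification.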
Secure Configuration Readiness Scorecard
Based on our experience preparing hundreds of UK organisations for Cyber Essentials Plus, here is a typical readiness scorecard showing how most businesses perform across each secure configuration sub-control before remediation. Use this as a benchmark to identify where your organisation may need the most attention.
Secure Configuration for Cloud Services
If your organisation uses cloud services like Microsoft 365, Google Workspace, AWS, or Azure, the secure configuration requirements apply to these environments as well. Key considerations include:
Microsoft 365: Disable legacy authentication protocols, configure conditional access policies, ensure audit logging is enabled, and disable unused services within the tenant.
Google Workspace: Enforce 2-Step Verification, disable less secure app access, configure sharing settings appropriately, and remove unnecessary third-party app integrations.
Cloud infrastructure: Ensure default security groups are locked down, disable unused services and regions, enforce strong access policies, and enable audit logging.
Cloud misconfiguration has rapidly become one of the leading causes of data breaches in the UK. The National Cyber Security Centre has highlighted that improperly secured cloud tenants are a growing risk, particularly for small and medium-sized businesses that may lack dedicated cloud security expertise. For Microsoft 365 specifically, common misconfigurations include leaving legacy SMTP and POP authentication enabled, not enforcing multi-factor authentication for all users, allowing external sharing of SharePoint and OneDrive content without restrictions, and failing to configure data loss prevention policies. Each of these represents a potential pathway for attackers and will be examined during a CE+ assessment if cloud services are within scope.
Most Common Configuration Failures by Category
Drawing from our CE+ assessment preparation work with UK businesses across multiple sectors, the following chart shows the relative frequency of secure configuration failures. These findings highlight where organisations typically need the most remediation effort before they can achieve certification.
Common Secure Configuration Failures
These are the most common findings we encounter when preparing organisations for CE+ assessment:
Bloatware on new devices: Devices procured from retailers often come loaded with manufacturer software, trial applications, and promotional tools. These need to be removed before the device is deployed.
Forgotten devices: Network printers, IP cameras, and older network equipment are frequently overlooked during security hardening. The assessor may check these devices as well.
Screen lock set too long: Many users set their screen lock timeout to 30 minutes, an hour, or even “never” for convenience. The standard requires 15 minutes maximum.
Active Directory hygiene: Stale accounts, excessive group memberships, and default accounts that have never been reviewed are common findings in Active Directory environments.
Cloud service defaults: Many cloud services are deployed with default settings that are not secure. Legacy authentication in Microsoft 365, for example, is a common finding.
We also frequently see failures related to browser configuration. Many organisations allow their staff to install browser extensions without restriction, which can introduce significant security risks including data exfiltration and credential theft. The CE+ assessor may check installed browser extensions on sampled devices and flag any that appear unnecessary or potentially malicious. Implementing a browser extension policy — either through Group Policy for Chrome and Edge or through MDM profiles for managed devices — is a straightforward way to address this risk and demonstrate good configuration hygiene.
Configuration drift is one of the biggest ongoing risks after achieving CE+ certification. Devices change over time as software is installed, settings are modified, and new services are enabled. Schedule quarterly configuration audits to compare your current device estate against your documented baseline. Tools such as Microsoft Intune compliance policies can automate this process and alert you when devices fall out of compliance, ensuring you remain ready for annual recertification.
Building a Secure Configuration Baseline
The most effective approach to secure configuration is to create a standard build or configuration baseline for each device type in your organisation. This baseline defines exactly how each device should be configured when it is first deployed, including:
Operating system settings: Screen lock, firewall, automatic updates, disabled services.
Installed software: Only the applications needed for the device's role.
User account configuration: Standard user account (not admin), password policy applied.
Security software: Anti-malware installed and configured.
Using tools like Microsoft Intune, Group Policy, or configuration management systems, you can deploy and enforce these baselines consistently across your entire device estate.
For organisations just starting this process, we recommend documenting your baseline in a simple spreadsheet or configuration document that lists each device type, the operating system version, the approved software list, the security settings applied, and the date of last review. This documentation serves two purposes: it provides a reference for your IT team when deploying new devices, and it demonstrates to the CE+ assessor that you have a deliberate, systematic approach to configuration management. Over time, you can migrate from manual documentation to automated enforcement using endpoint management tools, but even a well-maintained spreadsheet is a significant improvement over having no baseline at all.
How Cloudswitched Helps
Secure configuration is one of the areas where our managed CE+ service delivers the most value. We audit your entire device estate against the standard, create secure configuration baselines for each device type, implement the required changes, and verify compliance through pre-assessment testing.
For organisations using Microsoft 365 or Azure AD, we also audit and harden your cloud configurations to ensure they meet the CE+ requirements.
Our approach is thorough and systematic. We begin with a comprehensive discovery phase, identifying every device and service within your CE+ scope. We then assess each item against the secure configuration requirements, document all findings, and work with your team to implement the necessary changes. Before your formal assessment, we conduct a full pre-assessment review — effectively a mock CE+ audit — to ensure that every device in your estate meets the standard. This preparation process means that when the assessor arrives, there are no surprises and your organisation is confident of passing first time.
Ready to Get Certified?
Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end — including secure configuration auditing and hardening across all your devices and cloud services.
Secure configuration is about reducing your attack surface to the absolute minimum. Every unnecessary application removed, every default password changed, and every unused account disabled makes your organisation harder to compromise. It is one of the most straightforward controls to implement, yet one of the most impactful in reducing your overall risk.
Strengthen Your Security Posture with Expert Configuration Hardening
Cloudswitched helps UK organisations achieve Cyber Essentials Plus certification by auditing, hardening, and documenting secure configuration baselines across your entire device estate and cloud environment.
