
Secure Configuration: Meeting Cyber Essentials Plus Standards

Secure configuration is the second of the five technical controls in the Cyber Essentials scheme. It addresses a fundamental truth in cyber security: devices and software are rarely secure out of the box. Manufacturers prioritise ease of use and broad compatibility over security, which means every device deployed with its default settings presents a potential vulnerability.

During a Cyber Essentials Plus assessment, the assessor will examine a representative sample of your devices to verify that they are securely configured. This guide covers exactly what secure configuration means in the CE+ context, what the assessor looks for, and how to ensure your organisation meets the standard.

48% of organisations have at least one device with a default or easily guessed password (Rapid7)

What Secure Configuration Means

In the context of Cyber Essentials, secure configuration means ensuring that every device and piece of software in your environment is configured to minimise its attack surface. This involves removing or disabling anything that is not needed, changing insecure defaults, and enabling built-in security features.

The principle is straightforward: the less software you run, the fewer accounts you have active, and the fewer services you expose, the fewer opportunities an attacker has to exploit your systems.

The Core Requirements

1. Remove or Disable Unnecessary Software

Every device in scope should only run the software it genuinely needs to fulfil its business function. Unnecessary software increases your attack surface — each additional application is a potential entry point for malware or exploitation.

This means removing:

Pre-installed bloatware: Many devices ship with trial software, manufacturer utilities, and promotional applications that serve no business purpose. These should be uninstalled.

Unused applications: Software that was installed for a specific purpose but is no longer needed should be removed, not just left unused.

Outdated software: Old versions of applications (particularly legacy Java runtimes, Adobe Flash Player, which reached end of life in December 2020, and other browser plugins) are frequent targets for attackers and should be removed if they are no longer needed.

Unnecessary services: Windows and other operating systems run numerous background services by default. Services that are not required (such as Remote Desktop if not used, or print sharing on devices that do not share printers) should be disabled.

Key Insight: The assessor will check the installed applications on sampled devices. If they find software that has no business justification — particularly if it is outdated or known to be vulnerable — it will be flagged as a finding. Keep your devices clean.
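As an added example (not code from the original post), the PowerShell below builds the software inventory an assessor will ask for on a Windows device: it reads the Uninstall registry keys, flags entries matching a deny-list of bloatware and legacy plugins, and lists the optional services that should be disabled unless the device needs them. The pattern list and the service set are assumptions for illustration and should be tuned to your own estate.

```powershell
# Added example (not from the original post): inventory installed software on a
# Windows endpoint and flag entries that usually have no business justification.
# Run in an elevated PowerShell session.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed deny-list: common bloatware and legacy browser plugins. Tune to taste.
$FlagPatterns = @(
    'Java \d',              # old Java runtimes (Java 6/7/8 Update NNN)
    'Adobe Flash',          # end of life since December 2020
    'Silverlight',
    'McAfee.*Trial', 'Norton.*Trial',
    'WildTangent', 'Candy Crush', 'CyberLink', 'Dell SupportAssist'
)

function Get-InstalledSoftware {
    # Same data source "Programs and Features" uses; covers 64-bit, 32-bit and per-user installs.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString |
        Sort-Object DisplayName -Unique
}

function Find-UnjustifiedSoftware {
    param([Parameter(ValueFromPipeline)] $Software)
    process {
        foreach ($pattern in $FlagPatterns) {
            if ($Software.DisplayName -match $pattern) {
                [pscustomobject]@{
                    Name    = $Software.DisplayName
                    Version = $Software.DisplayVersion
                    Reason  = "matches '$pattern'"
                    Remove  = $Software.UninstallString   # command to run to uninstall it
                }
                break
            }
        }
    }
}

Write-Host "Software with no obvious business justification:"
Get-InstalledSoftware | Find-UnjustifiedSoftware | Format-Table -AutoSize

# Services that should be disabled unless the device genuinely needs them
# (Windows service names on the left, display purpose on the right).
$OptionalServices = @{
    TermService    = 'Remote Desktop Services'
    LanmanServer   = 'Server (file and printer sharing)'
    RemoteRegistry = 'Remote Registry'
    SSDPSRV        = 'SSDP Discovery (UPnP)'
    upnphost       = 'UPnP Device Host'
    bthserv        = 'Bluetooth Support Service'
}

Write-Host "Optional services that are running or not disabled:"
Get-Service -Name ([string[]]$OptionalServices.Keys) -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' -or $_.StartType -ne 'Disabled' } |
    Select-Object Name, Status, StartType, @{ n = 'Purpose'; e = { $OptionalServices[$_.Name] } } |
    Format-Table -AutoSize
```

Run it on the same sample of devices the assessor is likely to pick. Anything in the flagged list needs either a written business justification or an uninstall before the assessment, and each listed service needs an owner who can say why it is on.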

2. Change All Default Passwords

Default passwords are one of the most commonly exploited vulnerabilities. They are publicly documented, widely known, and trivially easy for attackers to discover. The Cyber Essentials standard requires that all default and predictable passwords are changed before devices are deployed.

This applies to:

Device/System                    Common defaults                      Risk level
Network routers                  admin / admin, admin / password      Critical
Wireless access points           admin / (blank), admin / 1234        Critical
Network printers                 admin / (blank), admin / admin       High
CCTV/IP cameras                  admin / 12345, admin / (blank)       High
Web applications and databases   admin / admin, sa / (blank)          Critical

(sa is the built-in SQL Server administrator login; a blank or default sa password is as serious as a default router credential.)

3. Disable or Remove Unnecessary User Accounts

Default user accounts and guest accounts that come pre-configured on devices and operating systems must be disabled or removed. These accounts are well-known to attackers and provide easy access if left active.

Specifically:

Guest accounts: The Windows guest account (and equivalents on other operating systems) must be disabled. The guest account is well known and has no password by default, so leaving it enabled amounts to offering unauthenticated access to the device.

Default administrator accounts: Where possible, the built-in administrator account should be disabled and replaced with a named administrator account. On current Windows client editions the built-in Administrator account is disabled by default, so check that it has not been re-enabled. If the built-in admin account cannot be disabled, it must have a strong, unique password.

Former employee accounts: Accounts belonging to people who have left the organisation must be disabled or removed promptly. A robust offboarding process is essential for maintaining this requirement.

Service accounts: Accounts used by applications and services should have the minimum privileges required and should not have interactive login capability unless absolutely necessary.

34% of organisations have active accounts belonging to former employees (Varonis)
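Added example (not code from the original post): a PowerShell review of local accounts against the points above. It flags an enabled Guest account, an enabled built-in Administrator (identified by RID 500 rather than by name, so renaming does not hide it), enabled accounts that have not logged on for a while, and enabled accounts with no password required. The 90-day staleness threshold is an assumption.

```powershell
# Added example (not from the original post): review local accounts on a Windows
# device for the conditions an assessor checks, then disable the ones that fail.
# Run elevated; use -WhatIf on Disable-FlaggedLocalAccounts first.

function Get-LocalAccountFindings {
    param([int]$StaleDays = 90)   # assumed threshold for "probably a leaver"
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($u in Get-LocalUser) {
        # The relative identifier is the last component of the SID:
        # 500 = built-in Administrator, 501 = built-in Guest, whatever they are called.
        $rid = [int]($u.SID.Value -split '-')[-1]
        $finding = $null

        if ($rid -eq 501 -and $u.Enabled) {
            $finding = 'Built-in Guest account is enabled'
        } elseif ($rid -eq 500 -and $u.Enabled) {
            $finding = 'Built-in Administrator is enabled; disable it, or ensure a strong unique password'
        } elseif ($u.Enabled -and $u.LastLogon -and $u.LastLogon -lt $cutoff) {
            $finding = "No logon since $($u.LastLogon.ToShortDateString()) (possible leaver)"
        } elseif ($u.Enabled -and -not $u.PasswordRequired) {
            $finding = 'Account is enabled but no password is required'
        }

        if ($finding) {
            [pscustomobject]@{ Name = $u.Name; RID = $rid; Enabled = $u.Enabled; Finding = $finding }
        }
    }
}

function Disable-FlaggedLocalAccounts {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Never auto-disable the built-in Administrator: it is the recovery path if
    # the named admin account breaks. Report it, but act on Guest and stale users.
    Get-LocalAccountFindings | Where-Object { $_.RID -ne 500 } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, "Disable-LocalUser ($($_.Finding))")) {
            Disable-LocalUser -Name $_.Name
        }
    }
}

Get-LocalAccountFindings | Format-Table -AutoSize
Disable-FlaggedLocalAccounts -WhatIf    # drop -WhatIf once the list looks right
```

For domain accounts the equivalent check is `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly` from the ActiveDirectory module, fed into `Disable-ADAccount` after review; the local script is what you run on the standalone devices and servers the assessor samples.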

4. Enable Screen Lock / Auto-Lock

All devices must be configured to lock automatically after a period of inactivity. For Cyber Essentials Plus, the requirement is that devices lock within 15 minutes of the last user interaction.

This prevents unauthorised access to unattended devices. The implementation varies by device type:

Windows desktops and laptops: Configure the screen saver timeout and password-on-resume via Group Policy (User Configuration > Administrative Templates > Control Panel > Personalization) or local settings, and also set the machine-wide security option "Interactive logon: Machine inactivity limit" to 900 seconds. The machine-wide limit applies to every user and cannot be extended from the user's own settings.

macOS devices: Set the screen lock timeout in System Settings and require a password immediately after sleep or screen saver begins.

Mobile devices (iOS/Android): Set the auto-lock timeout. For mobile devices, a shorter timeout (1–5 minutes) is recommended due to the higher risk of loss or theft.

Pro Tip: Use Group Policy in a Windows Active Directory environment to enforce the screen lock timeout centrally. This ensures consistency across all devices and prevents users from changing the setting to a longer timeout or disabling it entirely.
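Added example (not code from the original post): the PowerShell below writes and then verifies the two Windows policy settings that produce a lock within 15 minutes. The paths are the registry locations behind the Group Policy settings named above, so the same values can be pushed centrally by GPO or Intune; applying them locally is useful for a one-off device or a pre-assessment spot check. The 900-second limit mirrors the figure quoted in this guide.

```powershell
# Added example (not from the original post): enforce and verify auto-lock on Windows.
# Run elevated. Values are the ones the equivalent Group Policy settings write.

$MaxLockSeconds = 900   # 15 minutes, the maximum quoted in this guide

$UserDesktopPolicy   = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MachineSystemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-ScreenLockPolicy {
    param([int]$TimeoutSeconds = $MaxLockSeconds)

    # User Configuration > Administrative Templates > Control Panel > Personalization:
    # "Enable screen saver", "Password protect the screen saver", "Screen saver timeout".
    # These are REG_SZ values even though they hold numbers.
    New-Item -Path $UserDesktopPolicy -Force | Out-Null
    Set-ItemProperty -Path $UserDesktopPolicy -Name ScreenSaveActive    -Value '1' -Type String
    Set-ItemProperty -Path $UserDesktopPolicy -Name ScreenSaverIsSecure -Value '1' -Type String
    Set-ItemProperty -Path $UserDesktopPolicy -Name ScreenSaveTimeOut   -Value "$TimeoutSeconds" -Type String
    Set-ItemProperty -Path $UserDesktopPolicy -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr" -Type String

    # Security Options > "Interactive logon: Machine inactivity limit" (REG_DWORD).
    # Machine-wide, so it also covers users who never get the user policy.
    Set-ItemProperty -Path $MachineSystemPolicy -Name InactivityTimeoutSecs -Value $TimeoutSeconds -Type DWord
}

function Test-ScreenLockPolicy {
    $user    = Get-ItemProperty -Path $UserDesktopPolicy   -ErrorAction SilentlyContinue
    $machine = Get-ItemProperty -Path $MachineSystemPolicy -ErrorAction SilentlyContinue

    # The screen saver only counts as a lock if it is on, secured and has a timeout.
    $userLock = if ($user.ScreenSaveActive -eq '1' -and $user.ScreenSaverIsSecure -eq '1' -and $user.ScreenSaveTimeOut) {
        [int]$user.ScreenSaveTimeOut
    } else { $null }
    $machineLock = if ($machine.InactivityTimeoutSecs -gt 0) { [int]$machine.InactivityTimeoutSecs } else { $null }

    # The device locks at whichever configured limit fires first.
    $effective = @($userLock, $machineLock) | Where-Object { $_ } | Sort-Object | Select-Object -First 1

    [pscustomobject]@{
        ScreenSaverLockSeconds = $userLock
        InactivityLimitSeconds = $machineLock
        EffectiveLockSeconds   = $effective
        Result                 = if ($effective -and $effective -le $MaxLockSeconds) { 'Pass' } else { 'Fail' }
    }
}

Set-ScreenLockPolicy
Test-ScreenLockPolicy
```

Test-ScreenLockPolicy on its own is a quick pre-assessment check: a device where a user has set the screen saver to "never" but the machine inactivity limit is 900 still passes, whereas a device with only a 30-minute screen saver fails.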

5. Remove or Disable Unnecessary Features and Services

Operating systems and applications often include features that are enabled by default but not required for business operations. These features can introduce vulnerabilities and should be disabled:

Autorun/AutoPlay: The automatic execution of programs from removable media (USB drives, CDs) should be disabled. Autorun has been a major malware vector for years.

Remote Desktop: If Remote Desktop Protocol (RDP) is not needed, it should be disabled. If it is needed, restrict it to named users via the Remote Desktop Users group, require Network Level Authentication, and never expose port 3389 directly to the internet; reach it over a VPN instead. NLA and a VPN address different risks (authenticating the session before a desktop is created versus keeping the service off the internet) and are complements, not alternatives.

Bluetooth and NFC: If not required for business purposes, these wireless technologies should be disabled, particularly on devices used outside the office.

File and printer sharing: If a device does not need to share files or printers, these services should be disabled.
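Added example (not code from the original post): a PowerShell function that disables the four features listed above on a Windows device, with -WhatIf support so the changes can be previewed. The registry paths are the locations the corresponding settings live in, and the service and firewall rule-group names are Windows defaults; the -KeepRemoteDesktop switch is an assumption for the few devices that genuinely need RDP.

```powershell
# Added example (not from the original post): turn off AutoPlay, Remote Desktop,
# file and printer sharing and Bluetooth on a Windows device. Run elevated.

function Set-UnnecessaryFeaturesDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$KeepRemoteDesktop   # leave RDP on, but require Network Level Authentication
    )

    # 1. AutoRun/AutoPlay. 0xFF disables autorun for every drive type; the second
    #    value covers non-volume devices such as cameras and phones.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if ($PSCmdlet.ShouldProcess('AutoPlay', 'Disable for all drives and devices')) {
        New-Item -Path $explorer -Force | Out-Null
        Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun     -Value 0xFF -Type DWord
        Set-ItemProperty -Path $explorer -Name NoAutoplayfornonVolume -Value 1    -Type DWord
    }

    # 2. Remote Desktop: off entirely, or on with NLA and membership review.
    #    (A GPO under Windows NT\Terminal Services overrides this key if present.)
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($KeepRemoteDesktop) {
        if ($PSCmdlet.ShouldProcess('Remote Desktop', 'Require Network Level Authentication')) {
            Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
            Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
            # This group is the "restricted to specific users" list the assessor will ask about.
            Write-Host 'Accounts permitted to connect over RDP:'
            Get-LocalGroupMember -Group 'Remote Desktop Users' | Format-Table Name, PrincipalSource
        }
    } elseif ($PSCmdlet.ShouldProcess('Remote Desktop', 'Disable')) {
        Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        Set-Service -Name TermService -StartupType Disabled
    }

    # 3. File and printer sharing: close the inbound SMB and spooler rules.
    if ($PSCmdlet.ShouldProcess('File and Printer Sharing', 'Disable inbound firewall rules')) {
        Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
            Disable-NetFirewallRule
    }

    # 4. Bluetooth: stop and disable the support service where it is not needed.
    if ($PSCmdlet.ShouldProcess('Bluetooth Support Service', 'Stop and disable')) {
        Stop-Service -Name bthserv -Force -ErrorAction SilentlyContinue
        Set-Service  -Name bthserv -StartupType Disabled
    }
}

# Preview first, then apply. Add -KeepRemoteDesktop on devices that need RDP.
Set-UnnecessaryFeaturesDisabled -WhatIf
Set-UnnecessaryFeaturesDisabled
```

Disabling the inbound firewall rules rather than the Server service keeps the device able to reach other shares while stopping it from offering any of its own, which is usually what "does not need to share files" means in practice.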

How Secure Configuration Is Tested in CE+

During the Cyber Essentials Plus assessment, the assessor examines a representative sample of your devices. The sample typically includes a mix of:

Windows workstations/laptops (the most common device type in most organisations)

macOS devices (if present in your environment)

Mobile devices (iOS and/or Android, if in scope)

Servers (if in scope)

For each sampled device, the assessor will check:

Assessor Checklist for Secure Configuration

Unnecessary software removed       Pass / Fail
Default passwords changed          Pass / Fail
Guest/default accounts disabled    Pass / Fail
Auto-lock within 15 minutes        Pass / Fail
Unnecessary services disabled      Pass / Fail

Secure Configuration for Cloud Services

If your organisation uses cloud services like Microsoft 365, Google Workspace, AWS, or Azure, the secure configuration requirements apply to these environments as well. Key considerations include:

Microsoft 365: Disable legacy authentication protocols, configure conditional access policies, ensure audit logging is enabled, and disable unused services within the tenant.

Google Workspace: Enforce 2-Step Verification, disable less secure app access (Google has been retiring this setting since 2024; where it no longer appears, review third-party OAuth app access instead), configure sharing settings appropriately, and remove unnecessary third-party app integrations.

Cloud infrastructure: Ensure default security groups are locked down, disable unused services and regions, enforce strong access policies, and enable audit logging.
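Added example (not code from the original post): using the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules) to find which users still sign in to Microsoft 365 with legacy protocols, then to create a Conditional Access policy that blocks them, in report-only mode first. The policy name, the 30-day window and the break-glass account ID are placeholders.

```powershell
# Added example (not from the original post): detect and block legacy authentication
# in a Microsoft 365 tenant. Requires: Install-Module Microsoft.Graph

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Modern clients report one of these two values in the sign-in log; anything else
# (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, "Other clients", ...) is legacy.
$ModernClients = 'Browser', 'Mobile Apps and Desktop clients'

function Get-LegacyAuthSignIns {
    param([int]$Days = 30)   # assumed look-back window
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object { $_.ClientAppUsed -notin $ModernClients } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Group[0].UserPrincipalName
                Protocol = $_.Group[0].ClientAppUsed
                SignIns  = $_.Count
                LastSeen = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            }
        } | Sort-Object SignIns -Descending
}

function New-BlockLegacyAuthPolicy {
    param(
        [Parameter(Mandatory)] [string]$BreakGlassUserId,   # object ID of the emergency-access account
        [switch]$Enforce                                    # default is report-only
    )
    $policy = @{
        displayName   = 'CE+ - Block legacy authentication'   # placeholder name
        state         = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')   # the two legacy client categories
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# 1. See who still depends on legacy protocols and fix those clients first.
Get-LegacyAuthSignIns -Days 30 | Format-Table -AutoSize

# 2. Deploy the block in report-only mode, watch the sign-in log, then re-run with -Enforce.
New-BlockLegacyAuthPolicy -BreakGlassUserId '00000000-0000-0000-0000-000000000000'
```

Work through the report (old Outlook builds, IMAP mail apps, scanners relaying via SMTP) before switching to -Enforce; otherwise the block breaks mail for those users, and until the policy is enforced an assessor will still record legacy authentication as enabled. Tenants that use Security Defaults instead of Conditional Access already have this block applied.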

Common Secure Configuration Failures

These are the most common findings we encounter when preparing organisations for CE+ assessment:

Bloatware on new devices: Devices procured from retailers often come loaded with manufacturer software, trial applications, and promotional tools. These need to be removed before the device is deployed.

Forgotten devices: Network printers, IP cameras, and older network equipment are frequently overlooked during security hardening. The assessor may check these devices as well.

Screen lock set too long: Many users set their screen lock timeout to 30 minutes, an hour, or even “never” for convenience. The standard requires 15 minutes maximum.

Active Directory hygiene: Stale accounts, excessive group memberships, and default accounts that have never been reviewed are common findings in Active Directory environments.

Cloud service defaults: Many cloud services are deployed with default settings that are not secure. Legacy authentication in Microsoft 365, for example, is a common finding.

Important: Secure configuration is not a one-time activity. New software is installed, new devices are deployed, and configurations drift over time. Regular audits — ideally quarterly — help maintain compliance and reduce the effort needed at annual recertification.

Building a Secure Configuration Baseline

The most effective approach to secure configuration is to create a standard build or configuration baseline for each device type in your organisation. This baseline defines exactly how each device should be configured when it is first deployed, including:

Operating system settings: Screen lock, firewall, automatic updates, disabled services.

Installed software: Only the applications needed for the device's role.

User account configuration: Standard user account (not admin), password policy applied.

Security software: Anti-malware installed and configured.

Using tools like Microsoft Intune, Group Policy, or configuration management systems, you can deploy and enforce these baselines consistently across your entire device estate.

How Cloudswitched Helps

Secure configuration is one of the areas where our managed CE+ service delivers the most value. We audit your entire device estate against the standard, create secure configuration baselines for each device type, implement the required changes, and verify compliance through pre-assessment testing.

For organisations using Microsoft 365 or Azure AD (now Microsoft Entra ID), we also audit and harden your cloud configurations to ensure they meet the CE+ requirements.

Ready to Get Certified?

Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end — including secure configuration auditing and hardening across all your devices and cloud services.


Secure configuration is about reducing your attack surface to the absolute minimum. Every unnecessary application removed, every default password changed, and every unused account disabled makes your organisation harder to compromise. It is one of the most straightforward controls to implement, yet one of the most impactful in reducing your overall risk.

Tags: Cyber Essentials Plus, Secure Configuration, Hardening
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.