✍️ About This Guide
Written by the endpoint security team at CodeHyper, a Sydney-based managed IT and cybersecurity provider. Our team deploys and manages endpoint hardening configurations for Australian businesses across professional services, healthcare, retail, construction, and financial services. Statistics in this guide are drawn from CrowdStrike’s 2026 Global Threat Report, the Ponemon Institute’s endpoint security research, and CISA’s March 2026 alert on endpoint management system hardening following the Stryker cyberattack. A downloadable Endpoint Hardening Checklist for Australian businesses is available as a separate Google Doc — ask your CodeHyper contact for access, or request it via our contact page.
Every device your staff uses to connect to business systems — every laptop, desktop, server, phone, and tablet — ships from the manufacturer configured for convenience, not security. Features are enabled to make setup fast. Ports are open. Scripts can run freely. Users often get administrator rights by default. Legacy authentication protocols sit quietly in the background. And most of these settings stay exactly as they arrived — because nobody changed them.
This is what security professionals call a soft default configuration. And in 2026, soft defaults are one of the single largest contributors to successful cyberattacks on Australian businesses. A Ponemon Institute study found that 68% of organisations had at least one endpoint attack breach in a year — and the majority of those breaches exploited configuration weaknesses that hardening would have prevented or contained.
Endpoint hardening is the discipline of systematically changing those soft defaults — tightening configurations, disabling unnecessary services, removing excess privileges, enforcing encryption, and deploying protective controls — so that every device presents the smallest possible attack surface. It is one of the highest-ROI security investments available to Australian businesses, because it prevents attacks before they start rather than detecting them after the damage is done.
This guide covers what endpoint hardening is, why it matters specifically for Australian businesses in 2026, each major hardening domain explained in depth, how hardening relates to the ASD Essential Eight and cyber insurance requirements, and a real case study from an Adelaide professional services firm. We have also prepared a free Endpoint Hardening Checklist as a downloadable Google Doc covering every control area — see the checklist reference section for details. For hands-on implementation, explore our managed cybersecurity services or our IT management consultancy.
What Is Endpoint Hardening?
Endpoint hardening is the process of securing computing devices — workstations, laptops, servers, mobile devices — by reducing their attack surface: the sum total of all the ways an attacker could potentially compromise, exploit, or gain unauthorised access to the device.
Attack surface on an unhardened device includes open network ports, enabled services that are not needed, default or blank credentials, excessive user privileges, enabled script execution, absence of encryption, missing security patches, and dozens of other configuration weaknesses that are present by default on most operating systems and applications. Every one of these is a potential entry point or escalation path for an attacker.
Hardening systematically closes each of these exposure points. The goal is not to achieve perfect security — that doesn’t exist — but to make each device as difficult as possible to compromise and as limited as possible in what it can do if it is compromised. A hardened endpoint forces attackers to work significantly harder, makes their techniques more likely to be detected, and limits how much damage they can do if they succeed.
Endpoint Hardening vs Endpoint Detection and Response (EDR)
These two capabilities are often confused, but they serve fundamentally different roles and both are required.

| Aspect | Endpoint Hardening |
| --- | --- |
| Function | Preventive — reduces the attack surface so attacks are less likely to succeed |
| When it acts | Before an attack — configuration changes that reduce vulnerability |
| What it addresses | Configuration weaknesses, excessive permissions, enabled services, missing encryption |
| What happens without it | More attack vectors available; attackers have more ways to get in and move around |
| Combined effect | Hardening reduces the alerts EDR has to process; EDR catches what hardening misses |
The practical rule: hardening without EDR leaves you blind; EDR without hardening drowns you in preventable alerts. See our guide on EDR vs antivirus for a detailed comparison of endpoint security layers.
Why Endpoint Hardening Is More Critical Than Ever in 2026
Three converging forces make endpoint hardening more important for Australian businesses in 2026 than at any previous point.
1. Attackers Are Exploiting ‘Living off the Land’ Techniques
CrowdStrike’s 2026 Global Threat Report reveals that malware-free attacks now account for 82% of all cyber incidents — up from 40% in 2019. Attackers have shifted away from traditional malware (which EDR and antivirus can detect) toward ‘Living off the Land’ (LotL) techniques: abusing legitimate, built-in Windows tools like PowerShell, WMI, PsExec, and Remote Desktop Protocol to move through environments without ever dropping a malicious file.
This shift makes endpoint hardening dramatically more impactful than EDR alone. If PowerShell execution is constrained, if admin rights are removed from standard users, if RDP is blocked or requires MFA, and if unnecessary services are disabled — the attacker’s toolkit shrinks significantly. Hardening directly addresses the attack vectors LotL techniques depend on.
2. The Hybrid Work Endpoint Has Exploded the Attack Surface
Australian businesses now have endpoints connecting from home networks, coffee shops, hotels, and client sites — often on devices shared with family members, connected to insecure routers, and managing their own update schedules. The corporate network perimeter no longer contains or protects these devices.
An unhardened remote endpoint is particularly dangerous because it combines high data access (it authenticates into Microsoft 365, corporate VPNs, and cloud applications) with low environmental security (home network with no enterprise controls). Hardening the endpoint itself — regardless of where it connects from — is the primary security control available for remote workers.
3. Regulators and Insurers Are Starting to Check
CISA issued a specific alert in March 2026 urging organisations to harden endpoint management systems following a cyberattack exploiting misconfigured Microsoft Intune environments. The ASD’s Essential Eight framework addresses multiple endpoint hardening domains directly. And Australian cyber insurers are increasingly asking for evidence of endpoint security baselines — not just EDR deployment but actual configuration compliance.
The Core Domains of Endpoint Hardening
Endpoint hardening is not a single action — it is a programme of work across multiple security domains, each addressing different categories of attack surface. Understanding what each domain covers and why it matters is essential for prioritising your hardening efforts.
Domain 1: Operating System Configuration and Security Baselines
Every operating system ships with default settings optimised for ease of use. Security baselines — standardised, security-focused configuration sets — define what those defaults should be changed to. Microsoft publishes Security Baselines for Windows 11, Windows Server, and Microsoft 365 through its Security Compliance Toolkit. The Australian Signals Directorate publishes the ASD Blueprint for Secure Cloud, which includes specific hardening guidance for Windows environments. CIS Benchmarks provide vendor-neutral baselines across operating systems.
Key OS hardening configurations include:
- Secure Boot enforced in UEFI: prevents malicious bootloaders from loading before the operating system — a common persistence mechanism for sophisticated attackers
- Virtualisation-Based Security (VBS) enabled: includes Credential Guard (protects credential hashes in memory) and HVCI / Memory Integrity (prevents unsigned kernel code) — the two most effective controls against credential theft attacks
- Windows Firewall configured with inbound block rules: at minimum, block inbound SMB (port 445), RDP (port 3389), and WinRM (ports 5985/5986) from non-management networks — these are the three protocols most commonly abused for lateral movement
- Legacy authentication protocols disabled: SMBv1 and NTLMv1 (and, where the environment allows it, NTLM as a whole) are legacy protocols with known weaknesses. Microsoft deprecated them for good reason — disable them
- PowerShell execution policy enforced: restrict PowerShell to Constrained Language Mode or require signed scripts — PowerShell is the most abused LotL tool in attacker toolkits
- AutoRun disabled for removable media: USB drives are a significant malware delivery vector and data exfiltration channel — auto-execution of content from removable media should be disabled across all endpoints
Microsoft Intune and Group Policy are the primary tools for deploying OS hardening baselines at scale in Australian SMB environments. Intune’s security baselines provide pre-built, Microsoft-recommended configuration sets that can be deployed in hours — significantly lower effort than building custom policies from scratch.
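The list above is what a baseline should set; the script below is the other half, checking whether a device actually has it. It is an added example, not part of CodeHyper's guide or of Microsoft's baseline tooling: a read-only audit of the Domain 1 settings on the local Windows 11 device, run from an elevated PowerShell session (the Secure Boot, Device Guard and SMB queries need administrator rights). It changes nothing, and returns one PASS/FAIL object per control so the output can be exported to CSV or collected by an RMM agent. The registry values and WMI class it reads are Microsoft's documented ones; the PASS thresholds (for example, accepting RemoteSigned as well as AllSigned) are this example's choices.

```powershell
# Added example: read-only audit of the Domain 1 OS hardening settings on this device.
function Test-OsHardeningBaseline {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Control = $Control
            Status  = $(if ($Pass) { 'PASS' } else { 'FAIL' })
            Detail  = $Detail
        })
    }

    # Secure Boot: the cmdlet throws on legacy-BIOS machines, which is also a FAIL
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    Add-Finding 'Secure Boot enforced' $secureBoot "Confirm-SecureBootUEFI=$secureBoot"

    # VBS: SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    Add-Finding 'Credential Guard running'        ($running -contains 1) "SecurityServicesRunning=$($running -join ',')"
    Add-Finding 'HVCI / Memory Integrity running' ($running -contains 2) "SecurityServicesRunning=$($running -join ',')"

    # SMBv1: check both the optional feature and the SMB server setting
    $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Add-Finding 'SMBv1 disabled' ($smb1Feature -ne 'Enabled' -and -not $smb1Server) "Feature=$smb1Feature; EnableSMB1Protocol=$smb1Server"

    # LM/NTLMv1: LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM and NTLMv1
    $lm = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel
    Add-Finding 'LM/NTLMv1 refused (LmCompatibilityLevel=5)' ($lm -eq 5) "LmCompatibilityLevel=$lm"

    # PowerShell: the policy must come from GPO/Intune (MachinePolicy scope), not a local setting
    $ep = Get-ExecutionPolicy -Scope MachinePolicy
    Add-Finding 'PowerShell execution policy set by policy' ($ep -in 'AllSigned', 'RemoteSigned') "MachinePolicy=$ep"

    # AutoRun: NoDriveTypeAutoRun 0xFF (255) disables AutoRun for every drive type
    $ar = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    Add-Finding 'AutoRun disabled (NoDriveTypeAutoRun=255)' ($ar -eq 255) "NoDriveTypeAutoRun=$ar"

    # Firewall: each profile enabled with inbound default-deny. 'NotConfigured' inherits the
    # platform default of Block; an explicit Block is what the baseline should set.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -in 'Block', 'NotConfigured')
        Add-Finding "Firewall profile '$($p.Name)' inbound default-deny" $ok "Enabled=$($p.Enabled); DefaultInboundAction=$($p.DefaultInboundAction)"
    }
    # ...and explicit inbound block rules for the three lateral-movement protocols.
    # Only exact single-port matches are detected; a range such as 5985-5986 needs its own parsing.
    $blockedPorts = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        Get-NetFirewallPortFilter | Select-Object -ExpandProperty LocalPort
    foreach ($port in 445, 3389, 5985, 5986) {
        Add-Finding "Inbound TCP $port block rule present" ($blockedPorts -contains "$port") "Blocked ports: $(($blockedPorts | Sort-Object -Unique) -join ',')"
    }
    return $findings
}

Test-OsHardeningBaseline | Format-Table -AutoSize
```

Pushed through Intune or an RMM as a scheduled script, the FAIL rows become the per-device drift report that the compliance domain later in this guide depends on; the Intune security baseline itself remains the mechanism that sets the values.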
Domain 2: Local Administrator Rights and Privilege Management
Local administrator rights — the ability to install software, change system settings, and modify security configurations — are the single most impactful endpoint hardening control. When a standard user’s account is compromised, the attacker inherits the permissions of that account. If every user is a local administrator, every phishing email that successfully steals a credential gives the attacker full control of that device.
The ASD Essential Eight’s Restrict Administrative Privileges control (Control 5) addresses this directly — and it is the most frequently failed control in Australian SMB security assessments. Removing local admin rights from standard users is the most impactful single hardening action you can take, and it costs nothing beyond the configuration change.
Key privilege hardening actions:
- Remove local administrator rights from all standard users: users can install approved software through managed channels; they do not need admin rights for day-to-day work
- Deploy Windows LAPS (Local Administrator Password Solution): automatically manages unique, rotating local administrator passwords for every endpoint — preventing the ‘one password for all machines’ vulnerability where a compromised local admin account provides access to every device with the same password
- Separate privileged accounts from daily-use accounts: IT staff who need administrative access use a dedicated admin account only for those tasks — they do not browse the web or read email logged in as an admin
- Implement Privileged Identity Management (PIM): use Microsoft Entra ID PIM to provide just-in-time privilege elevation with approval workflows and automatic expiry — admin access is granted for specific tasks and revoked automatically
- Audit and clean up local admin group membership: many environments accumulate service accounts, vendor accounts, and legacy IT accounts with admin rights that are no longer needed — quarterly access reviews identify and remove these
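The quarterly access review in the last item is easy to automate per device. The following is an added example, not CodeHyper's tooling: it lists every member of the local Administrators group that is not on an approved list, and reports whether Windows LAPS is managing the built-in Administrator password. The approved list and the CONTOSO domain are constructed values; the Get-LapsADPassword property names used are those of the Windows LAPS module.

```powershell
# Added example: local Administrators group review plus Windows LAPS status for this device.
function Get-UnapprovedLocalAdmins {
    param(
        # Constructed approved list; replace with your own domain or Entra groups
        [string[]]$Approved = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')
    )
    foreach ($m in (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)) {
        # Local principals are reported as COMPUTERNAME\account; strip the prefix so the
        # built-in Administrator (managed by LAPS) matches the approved list
        $name = $m.Name
        if ($name -like "$env:COMPUTERNAME\*") { $name = $name.Substring($env:COMPUTERNAME.Length + 1) }
        if ($Approved -notcontains $name) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD or MicrosoftAccount
            }
        }
    }
}

function Get-LapsRotationStatus {
    # Confirms the built-in Administrator password is rotated by Windows LAPS rather than
    # shared across machines. -AsPlainText is deliberately omitted: the review needs the
    # rotation timestamps, not the password.
    param([string]$ComputerName = $env:COMPUTERNAME)
    if (-not (Get-Command Get-LapsADPassword -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Computer = $ComputerName; LapsManaged = $false; Detail = 'Windows LAPS module not present' }
    }
    $p = Get-LapsADPassword -Identity $ComputerName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $ComputerName
        LapsManaged = [bool]$p
        Detail      = $(if ($p) { "Last rotated $($p.PasswordUpdateTime); expires $($p.ExpirationTimestamp)" } else { 'No LAPS password stored for this computer' })
    }
}

Get-UnapprovedLocalAdmins | Format-Table -AutoSize
Get-LapsRotationStatus
```

Anything the first function returns is either a stale vendor or service account to remove, or a missing entry on the approved list; an empty result with LapsManaged set to true is the state the two list items above describe.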
Domain 3: Patch Management
Unpatched vulnerabilities are the second most common technical factor in data breaches, after credential theft. The ASD Essential Eight’s Patch Applications (Control 2) and Patch Operating Systems (Control 6) controls define specific patching timelines: 14 days for standard vulnerabilities at Maturity Level 2, and 48 hours for actively exploited vulnerabilities. Most Australian SMBs fall significantly short of these timelines — particularly for third-party applications outside the Microsoft ecosystem.
Effective endpoint patch management requires:
- Centralised patch management tooling: Microsoft Intune with Windows Update for Business, or a dedicated RMM platform — manually updating endpoints is not scalable and creates inevitable gaps
- Third-party application patching: browsers, PDF readers, Java, Adobe products, VLC, 7-Zip, and similar applications are heavily targeted but often excluded from patch programmes. They must be included
- Patch compliance reporting: visibility into what is and isn’t patched across every endpoint — not just aggregate statistics, but per-device compliance status with identification of specific devices and missing patches
- End-of-life OS detection and remediation: devices running unsupported operating systems receive no security patches, so their vulnerabilities cannot be remediated — Windows 10 reached end of support in October 2025. See our Windows 10 end-of-life checklist for the migration path
- Emergency patching process: a documented procedure for deploying patches within 48 hours when CISA or ASD adds a vulnerability to the Known Exploited Vulnerabilities catalogue — the standard monthly patch cycle is too slow for critical, actively exploited flaws
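Per-device compliance status, as the reporting item above asks for, can be produced locally even before a patch platform is in place. This is an added example, not part of the guide: it reports days since the last installed update against the 14-day timeline quoted above, whether a reboot is pending, and whether the OS is Windows 10 (end of support per the guide). Get-HotFix only sees Windows cumulative updates, so the result is a floor; third-party applications still need their own inventory.

```powershell
# Added example: per-device patch compliance snapshot for Windows endpoints.
function Get-PatchComplianceSnapshot {
    param([int]$MaxDaysSinceUpdate = 14)   # Essential Eight ML2 timeline quoted in the guide

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSince = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }

    # Windows Update creates this key when an installed update still needs a restart;
    # an un-rebooted patch is not yet protecting the device
    $pendingReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    # End of life: Caption is e.g. 'Microsoft Windows 10 Pro'; ProductType 1 = workstation
    $endOfLife = ($os.ProductType -eq 1) -and ($os.Caption -match 'Windows 10\b')

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = $os.Caption
        Build           = $os.BuildNumber
        LastPatchKB     = $latest.HotFixID
        LastPatchDate   = $latest.InstalledOn
        DaysSinceUpdate = $daysSince
        PendingReboot   = $pendingReboot
        EndOfLifeOS     = $endOfLife
        Compliant       = (-not $endOfLife) -and (-not $pendingReboot) -and
                          ($null -ne $daysSince) -and ($daysSince -le $MaxDaysSinceUpdate)
    }
}

Get-PatchComplianceSnapshot | Format-List
```

Run across a fleet and filtered on Compliant being false, the output names the specific devices and the reason (stale, unrebooted, or unsupported) rather than an aggregate percentage.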
Domain 4: Encryption
An unencrypted laptop is a data breach waiting to happen. When a device is lost or stolen, full disk encryption is the only control that makes the data on that device inaccessible to whoever finds it. The ASD and the OAIC both recognise encryption as a key ‘reasonable step’ under the Privacy Act 1988 — making full disk encryption not just a security control but a legal compliance measure.
Under the Notifiable Data Breaches scheme, if an encrypted device is lost or stolen and the encryption key is not compromised, the incident may not constitute an eligible data breach — because the risk of serious harm has been eliminated through the encryption. This makes BitLocker or FileVault deployment potentially the difference between a reportable breach and a non-event.
- BitLocker on all Windows devices: deploy with XTS-AES 256-bit encryption, recovery keys escrowed to Microsoft Entra ID for centralised management, and silent encryption enabled so users are not interrupted
- FileVault on all macOS devices: deploy and manage through Intune or Jamf — same principle as BitLocker
- Encrypted USB policies: if removable media is permitted in your environment, require that it be encrypted — or disable USB storage entirely through Intune device restrictions
- TPM verification: ensure BitLocker is linked to the device’s TPM chip — this binds encryption to the specific hardware so that removing the drive and reading it in another device does not bypass protection
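The four BitLocker items above translate directly into a verifiable state on each volume. The script below is an added example, not from the guide: it checks the OS volume for full encryption, XTS-AES 256, a TPM key protector and at least one recovery password, enables encryption with those settings where the volume is still clear, and escrows the recovery password to Microsoft Entra ID. It uses the BitLocker module that ships with Windows 10/11 Pro and Enterprise, needs an elevated session, and the escrow step needs an Entra-joined or hybrid-joined device.

```powershell
# Added example: verify, enable and escrow BitLocker on the OS volume.
function Test-BitLockerBaseline {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)
    # Any TPM-based protector binds the key to this device's TPM
    $tpmBound = ($types -contains 'Tpm') -or ($types -contains 'TpmPin') -or
                ($types -contains 'TpmStartupKey') -or ($types -contains 'TpmPinStartupKey')
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        VolumeStatus       = $vol.VolumeStatus      # expect FullyEncrypted
        ProtectionStatus   = $vol.ProtectionStatus  # expect On
        EncryptionMethod   = $vol.EncryptionMethod  # expect XtsAes256
        TpmBound           = $tpmBound
        RecoveryProtectors = $recovery.Count
        Compliant          = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On') -and
                             ($vol.EncryptionMethod -eq 'XtsAes256') -and $tpmBound -and ($recovery.Count -ge 1)
    }
}

function Enable-BitLockerBaseline {
    # Turns on encryption with the guide's recommended method. -UsedSpaceOnly keeps the
    # initial pass short on new devices; omit it for devices that already hold data.
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
    }
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
}

function Backup-BitLockerKeysToEntra {
    # Escrow every recovery password so it can be retrieved from the device record in
    # Entra ID / Intune rather than from a spreadsheet
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($rp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
}

Test-BitLockerBaseline | Format-List
```

In an Intune-managed fleet the disk encryption policy performs the enable and escrow steps silently; Test-BitLockerBaseline is still useful as the evidence an insurer or assessor asks for, since it reports the method and protectors rather than just "encrypted".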
Domain 5: Application Control
Application control — allowing only approved applications to run and blocking everything else — is one of the most powerful endpoint hardening controls available and the first of the ASD Essential Eight’s controls. If an attacker lands malware on a hardened endpoint with application control enforced, the malware cannot execute because it is not on the approved list.
The two primary application control technologies in Windows environments are Windows Defender Application Control (WDAC) and AppLocker. Microsoft recommends WDAC for new deployments — it is more robust, operates at the kernel level, and is significantly harder to bypass than AppLocker. Both are managed through Microsoft Intune.
Implementation approach for SMBs:
- Start in audit mode: deploy WDAC in audit mode first — this logs what would be blocked without actually blocking it. Review the audit logs for 2–4 weeks to understand your application inventory before moving to enforcement
- Build an allowlist from actual usage: use the audit period data to build a list of all legitimate applications in your environment — not what you think is installed, but what is actually running
- Apply Microsoft’s recommended blocklist: Microsoft publishes a list of known-malicious and dual-use tools that should be blocked regardless of allowlist — apply this as your baseline block configuration
- Move to enforcement in phases: enforce application control on a pilot group first, resolve any false positives (legitimate apps being blocked), then roll out to the full environment
- Integrate with software deployment: use Intune or your software deployment tool as the authorised mechanism for installing approved applications — this creates a natural audit trail of what should be on the allowlist
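The audit-then-enforce steps above map onto a small number of cmdlets in the ConfigCI module that ships with Windows. What follows is an added example, not the guide's own procedure and not Microsoft's reference script: step 1 builds an audit-mode policy from a clean reference machine, the summary function shows what the audit period would have blocked, and the final function turns the audit events into allow rules, merges them, and removes audit mode for enforcement. C:\WDAC is a constructed working folder; the event-message regex reflects the wording of Code Integrity event 3076 and should be checked against a sample event on your build.

```powershell
# Added example: WDAC audit-to-enforce workflow with the built-in ConfigCI cmdlets.
$Work = 'C:\WDAC'   # constructed working folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function New-WdacAuditPolicy {
    # Step 1: allow what is on the reference image, by publisher certificate where signed
    # and by file hash otherwise. Rule option 3 = Enabled:Audit Mode (log, do not block).
    New-CIPolicy -FilePath "$Work\Initial.xml" -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat
    Set-RuleOption -FilePath "$Work\Initial.xml" -Option 3
    ConvertFrom-CIPolicy -XmlFilePath "$Work\Initial.xml" -BinaryFilePath "$Work\Initial.cip"
}

function Get-WdacAuditSummary {
    # Event 3076 = "would have been blocked" under an audit-mode policy. The loaded file
    # path is parsed from the message text and grouped so the busiest binaries surface first.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'attempted to load (?<file>\S+) that did not meet') { $Matches.file }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'File'; Expression = { $_.Name } }
}

function New-WdacEnforcedPolicy {
    # Step 2: -Audit converts the 3076 events into allow rules; merge with the initial policy.
    New-CIPolicy -FilePath "$Work\AuditAdditions.xml" -Audit -Level Publisher -Fallback Hash -UserPEs -MultiplePolicyFormat
    Merge-CIPolicy -PolicyPaths "$Work\Initial.xml", "$Work\AuditAdditions.xml" -OutputFilePath "$Work\Merged.xml" | Out-Null
    # Review Merged.xml before this point: every rule the audit added is something that ran
    # in your environment, which is not the same as something you want to allow.
    # Step 3: delete rule option 3 so the merged policy enforces instead of auditing.
    Set-RuleOption -FilePath "$Work\Merged.xml" -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath "$Work\Merged.xml" -BinaryFilePath "$Work\Merged.cip"
}
```

Microsoft's recommended block rules (the blocklist item above) are published as policy XML and can be merged into Merged.xml with the same Merge-CIPolicy call. Deploy the resulting policy to the pilot group through Intune's Application Control profile rather than copying .cip files by hand, so the allowlist and the deployment tool stay in step as the last item describes.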
Domain 6: Attack Surface Reduction (ASR) Rules
Microsoft Defender for Endpoint’s Attack Surface Reduction rules are a set of policies that block specific techniques attackers use most commonly — Office macros spawning child processes, scripts downloading executables, credential theft from LSASS memory, and ransomware-style mass file encryption. They are one of the highest-impact hardening controls available in Windows environments and are included at no additional cost in Microsoft Defender for Endpoint and Microsoft 365 Business Premium.
Key ASR rules that every Australian SMB should enable:
- Block Office applications from creating child processes: prevents macro-enabled documents from launching PowerShell, cmd, or other processes — the primary delivery mechanism for many Australian malware campaigns
- Block executable content from email client and webmail: prevents malicious attachments from executing directly from email clients
- Block credential stealing from LSASS: prevents credential dumping tools like Mimikatz from reading password hashes from memory — one of the most common privilege escalation techniques after initial compromise
- Use advanced protection against ransomware: detects and blocks ransomware-like behaviour — mass file encryption across directories
- Block abuse of exploited vulnerable signed drivers: prevents attackers from using legitimate but vulnerable signed drivers to bypass security controls — a technique increasingly used in sophisticated attacks
Like application control, deploy ASR rules in audit mode first to identify any legitimate business processes that may be flagged, then move to block mode. Microsoft’s guidance recommends phased deployment: high-confidence rules to enforcement first, then progressively tighten as false positives are resolved.
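For a pilot machine, or to verify what Intune applied, the same five rules can be set and inspected with the Defender cmdlets. This is an added example, not from the guide or from Microsoft's deployment guidance: it puts the rules into audit mode, reports each rule's current mode, and pulls the Defender events that show what fired. The GUIDs are Microsoft's published rule identifiers as the author knows them; confirm them against the current ASR rules reference before relying on them, and use the Intune Attack surface reduction profile for fleet deployment.

```powershell
# Added example: audit, inspect and review the five ASR rules named in the guide.
$AsrRules = [ordered]@{
    'Block Office applications from creating child processes' = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executable content from email client and webmail'  = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block credential stealing from LSASS'                     = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Use advanced protection against ransomware'               = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block abuse of exploited vulnerable signed drivers'       = '56a863a9-875e-4185-98a7-b882c64b5ce5'
}

function Set-AsrRuleMode {
    # AuditMode first (log only); switch to Enabled (block) once the audit events are clean
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode)
    foreach ($id in $AsrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleStatus {
    # Get-MpPreference exposes parallel arrays: Ids[i] is configured with Actions[i]
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($rule in $AsrRules.GetEnumerator()) {
        $mode = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $rule.Value) { $mode = $names[[int]$actions[$i]]; break }
        }
        [pscustomobject]@{ Rule = $rule.Key; Id = $rule.Value; Mode = $mode }
    }
}

function Get-AsrEvents {
    # 1121 = rule fired in block mode, 1122 = rule fired in audit mode. Reviewing the 1122s
    # during the audit window is how legitimate processes the rules would block are found.
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } }, Message
}

Set-AsrRuleMode -Mode AuditMode
Get-AsrRuleStatus | Format-Table -AutoSize
```

The phased approach above becomes: run Set-AsrRuleMode -Mode AuditMode, review Get-AsrEvents for the audit window, exclude or fix what is legitimate, then call Set-AsrRuleMode -Mode Enabled for the rules whose audit log is clean.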
Domain 7: Browser and Application Hardening
Web browsers are the most common daily-use attack surface for end users — and browser vulnerabilities, malicious advertisements, and drive-by downloads are significant threat vectors. Browser hardening closes the most common browser-based attack paths, while application hardening ensures that other user-facing applications don’t provide attackers with a foothold.
- Enforce browser updates: managed browsers (Edge, Chrome deployed via Intune) should update automatically — outdated browsers with known vulnerabilities are a common attack vector
- Configure Microsoft Office macro settings: macros should be disabled for all users who do not have a documented business requirement, and restricted to digitally signed macros from trusted publishers for those who do — this is ASD Essential Eight Control 3
- Disable Java in browsers: Java browser plugins are deprecated, insecure, and should be blocked via group policy
- Block web advertisements via DNS filtering: malvertising — malicious code delivered through advertising networks — is a significant browser-based infection vector. DNS filtering blocks connections to known malicious ad networks before the connection is made
- Restrict PowerShell and script execution: PowerShell should be configured in Constrained Language Mode for standard users, preventing execution of arbitrary scripts while preserving legitimate administrative use through separate managed accounts
- Remove deprecated applications: Internet Explorer is fully deprecated but found running in many Australian business environments. Flash Player, old Java versions, and similar legacy applications should be removed entirely
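The macro and PowerShell items above are the two most often misread when a baseline is audited, because "macros disabled" covers several different registry values. The script below is an added example, not part of the guide: it reads and sets the Office macro policy for Word, Excel and PowerPoint under the per-user policy key that Group Policy and Intune write, and reports the PowerShell language mode of the current session. The VBAWarnings values (4 = disable all without notification, 3 = disable except digitally signed) and blockcontentexecutionfrominternet (1 = block macros in files from the internet) are Microsoft's documented settings; writing them locally is a fallback for unmanaged devices, since a managed device should receive them from Intune or GPO.

```powershell
# Added example: check and set Office macro policy; report PowerShell language mode.
$OfficeApps    = 'Word', 'Excel', 'PowerPoint'
$OfficeVersion = '16.0'   # Microsoft 365 Apps, Office 2016 and later

function Get-OfficeMacroPolicy {
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $p.VBAWarnings                          # 4 = disable all, 3 = signed only
            BlockInternetMacros = $p.blockcontentexecutionfrominternet    # 1 = block
            Compliant           = ($p.VBAWarnings -in 3, 4) -and ($p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    # DisableAll for users without a documented business need; SignedOnly for those with one
    param([Parameter(Mandatory)][ValidateSet('DisableAll', 'SignedOnly')][string]$Mode)
    $warn = if ($Mode -eq 'DisableAll') { 4 } else { 3 }
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $warn -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

function Get-PowerShellLanguageMode {
    # ConstrainedLanguage is what the guide asks for on standard-user sessions. It is
    # enforced by a WDAC or AppLocker policy; this only reports the current session.
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{ LanguageMode = $mode; Compliant = ($mode -eq 'ConstrainedLanguage') }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
Get-PowerShellLanguageMode
```

A FullLanguage result for a standard user means the Constrained Language Mode item above is not yet in effect on that device, whatever the execution policy says; the two controls are independent.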
Domain 8: Device Management and Compliance Enforcement
Endpoint hardening is only effective if the hardening stays in place. Without centralised management and compliance enforcement, configuration drift is inevitable — users change settings, software is installed that rolls back hardening configurations, and new devices join the environment without the hardening baseline applied. Unified Endpoint Management (UEM) through Microsoft Intune is the mechanism that makes endpoint hardening persistent and scalable.
- Enrol all devices in Microsoft Intune: every device that accesses business data must be managed — unmanaged devices (BYOD, contractor laptops, newly purchased hardware) should be blocked from accessing corporate resources through Conditional Access policies
- Deploy security baseline policies: apply Microsoft’s published security baselines through Intune — they automatically configure hundreds of hardening settings that would take weeks to implement manually
- Enforce compliance policies: define what a ‘compliant’ device looks like — BitLocker enabled, EDR agent running, OS patched within X days, no known vulnerabilities above a severity threshold — and block non-compliant devices from accessing sensitive resources
- Require device compliance for Conditional Access: integrate Intune compliance status with Microsoft Entra ID Conditional Access policies so that only compliant, enrolled devices can authenticate to Microsoft 365, cloud applications, and corporate VPN
- Configure tamper protection: prevent users and processes from disabling security settings — Defender tamper protection ensures that local users or malware cannot turn off real-time protection or clear security logs
Domain 9: Mobile Device Hardening
Mobile devices are frequently the weakest endpoint in Australian business environments — partially because they are treated as personal devices even when used for business data, and partially because mobile hardening is less operationally mature than PC hardening. But a compromised mobile device with access to corporate email and Microsoft 365 is as dangerous as a compromised laptop.
- Enrol corporate mobile devices in Intune Mobile Device Management (MDM): corporate-owned iPhones and Android devices should be fully managed — with the ability to enforce encryption, PIN requirements, and remote wipe
- Configure Intune App Protection Policies for BYOD: for personally owned devices that access corporate email and documents, App Protection Policies (MAM) create a managed container for corporate data without requiring full device management — corporate data can be wiped from the app without affecting personal data
- Enforce PIN, biometric, or password authentication: prevent access to corporate apps without device authentication — TouchID, FaceID, or a minimum 6-digit PIN
- Block jailbroken and rooted devices: Intune compliance policies can detect and block jailbroken iOS and rooted Android devices from accessing corporate resources — jailbroken devices have their OS security controls disabled
- Enable remote wipe capability: ensure the ability to remotely wipe corporate data from a device if it is lost, stolen, or the employee leaves — this is a critical data breach prevention control
Domain 10: Server-Specific Hardening
Servers — particularly domain controllers, file servers, and application servers — require stricter hardening than workstations because they are higher-value targets and more persistent attack victims. A compromised domain controller gives an attacker control over the entire Windows environment. Server hardening builds on all workstation hardening domains but adds server-specific controls:
- Disable unnecessary server roles and features: a file server doesn’t need IIS installed; a web server doesn’t need the DNS role. Every enabled service is a potential attack vector — disable what isn’t used
- Restrict Remote Desktop Protocol (RDP): RDP should not be accessible from the internet or from standard user workstations. If RDP is required for administration, restrict access to the management VLAN and require MFA through a jump server or Azure Bastion
- Enable Enhanced Security Configuration in Windows Server: IE ESC reduces browser-based attack surface on servers — servers should not be used for general internet browsing
- Configure Windows Defender Firewall with Advanced Security: block all inbound traffic not explicitly required for the server’s function — default deny with specific allow rules
- Audit and restrict service account permissions: service accounts should have the minimum permissions required, should never be used for interactive logon, and should have their passwords rotated regularly
- Enable comprehensive audit logging: servers should log logon events, privilege escalations, account management changes, and object access. Logs should be forwarded to a centralised SIEM and protected from modification
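Four of the six server items above can be reviewed and set from a single elevated session. The script below is an added example, not the guide's procedure: it lists installed roles, finds services running under domain accounts (the candidates for the service-account review), sets every firewall profile to inbound default-deny, and checks and enables the audit subcategories behind the logging item. It assumes Windows Server with the ServerManager module; CONTOSO is a constructed domain name, and the auditpol CSV column names are those the tool emits with /r.

```powershell
# Added example: server hardening review for roles, service accounts, firewall and auditing.
function Get-InstalledServerRoles {
    # Every installed role is attack surface; compare against the server's documented function
    Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
        Select-Object Name, DisplayName
}

function Get-DomainServiceAccounts {
    param([string]$Domain = 'CONTOSO')   # constructed
    # Services running as a domain account: each needs minimum permissions, a rotation
    # schedule and a "deny log on locally" assignment
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -like "$Domain\*" -or $_.StartName -like "*@$Domain*" } |
        Select-Object Name, StartName, State, StartMode
}

function Set-FirewallDefaultDeny {
    # Default deny inbound on every profile; allow rules are added per server function afterwards
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

$AuditBoth    = 'Logon', 'Logoff', 'User Account Management', 'Security Group Management', 'File System'
$AuditSuccess = 'Special Logon', 'Process Creation'   # privilege use and process starts only occur as successes

function Get-AuditPolicyStatus {
    # auditpol /r emits CSV; 'Inclusion Setting' reads 'Success and Failure', 'Success', 'Failure' or 'No Auditing'
    $rows = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($sub in ($AuditBoth + $AuditSuccess)) {
        $row = $rows | Where-Object { $_.Subcategory -eq $sub }
        $setting = $row.'Inclusion Setting'
        $ok = if ($sub -in $AuditBoth) { $setting -eq 'Success and Failure' } else { $setting -like 'Success*' }
        [pscustomobject]@{ Subcategory = $sub; Setting = $setting; Compliant = $ok }
    }
}

function Enable-BaselineAuditing {
    foreach ($sub in $AuditBoth)    { auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null }
    foreach ($sub in $AuditSuccess) { auditpol /set /subcategory:"$sub" /success:enable | Out-Null }
}

Get-InstalledServerRoles | Format-Table -AutoSize
Get-DomainServiceAccounts | Format-Table -AutoSize
Get-AuditPolicyStatus | Format-Table -AutoSize
```

Event forwarding to the SIEM is configured separately (Windows Event Forwarding or the SIEM's agent); the point of Get-AuditPolicyStatus is that a forwarded log is only useful if the subcategories that record logons, privilege use and account changes are actually switched on.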
How Endpoint Hardening Maps to the ASD Essential Eight

The ASD Essential Eight is Australia’s primary cybersecurity framework, and endpoint hardening is not peripheral to it — endpoint hardening is the mechanism through which the majority of Essential Eight controls are implemented and maintained.
| ASD Essential Eight Control | Endpoint Hardening Domain It Corresponds To |
| --- | --- |
| Control 1: Application Control | Domain 5 (Application Control — WDAC/AppLocker) + Domain 6 (ASR rules) |
| Control 2: Patch Applications | Domain 3 (Patch Management — third-party applications) |
| Control 3: Configure Microsoft Office Macro Settings | Domain 7 (Browser and Application Hardening — macro policies) |
| Control 4: User Application Hardening | Domain 7 (browser hardening, Java, PowerShell restrictions) |
| Control 5: Restrict Administrative Privileges | Domain 2 (Privilege Management — local admin removal, LAPS, PIM) |
| Control 6: Patch Operating Systems | Domain 3 (Patch Management — OS patching) |
| Control 7: Multi-Factor Authentication | Domain 8 (Device Management — Conditional Access requiring compliant enrolled devices + MFA) |
| Control 8: Regular Backups | Supported by Domain 4 (Encryption prevents data being readable if device lost); not primarily an endpoint hardening domain |
This means that a business implementing endpoint hardening systematically — across all ten domains — is simultaneously making significant progress toward Essential Eight Maturity Level 2. The technical work is largely the same; the difference is adding governance documentation, management reviews, and formal assessment against the ASD maturity model. Our Essential Eight checklist maps these technical controls to the specific maturity level requirements.
Case Study: How an Adelaide Professional Services Firm Stopped a Credential-Based Attack — Because of Endpoint Hardening
Case Study Snapshot
- Industry: Accounting & Business Advisory
- Location: Adelaide, SA
- Staff: 38
- Attack Type: Phishing credential theft + LotL lateral movement attempt
- Hardening Status: Partially hardened (6 of 10 domains)
- Outcome: Attack contained at endpoint — no lateral movement achieved
- Key Control: Local admin removal + ASR rules blocking PowerShell child process
The Situation
A 38-person Adelaide accounting and business advisory firm had engaged CodeHyper four months earlier to implement a phased endpoint hardening programme. At the time of the incident, six of the ten hardening domains had been implemented: OS security baselines, local admin removal (with LAPS), BitLocker encryption, ASR rules deployment, Intune compliance enforcement, and patch management automation. Application control and full mobile device hardening were still in progress.
The Attack
A senior partner received a convincing spear-phishing email purporting to be from the firm’s cloud accounting platform, requesting re-authentication. The partner clicked the link and entered their Microsoft 365 credentials into a phishing proxy site. Within minutes, the attacker had valid, current credentials for a senior partner account — including access to the firm’s SharePoint, Teams, and OneDrive environments.
The attacker authenticated to Microsoft 365 (MFA was enforced — the attacker triggered an MFA push notification and the partner, confused, approved it, believing it was a legitimate session). With authenticated access, the attacker then attempted to deploy a PowerShell script via a malicious Teams message to a workstation logged into the partner’s account — a classic LotL lateral movement technique designed to establish a foothold on the endpoint and begin reconnaissance.
Why the Attack Was Stopped
The PowerShell script execution attempt was blocked by the ASR rule ‘Block Office applications from creating child processes’ — because the delivery mechanism involved a Teams notification attempting to execute a script. More critically, the attacker’s follow-up attempt to escalate privileges on the endpoint was stopped by the absence of local administrator rights. The partner account had no local admin rights on their workstation — so even with full Microsoft 365 credentials and an active session, the attacker could not install software, modify system settings, or execute privileged processes.
Microsoft Defender for Endpoint flagged the suspicious PowerShell execution attempt and isolated the affected workstation automatically within 8 minutes. The EDR alert was escalated to CodeHyper’s monitoring team, who initiated incident response within 22 minutes of the initial detection.
The Outcomes
Results
- Attack contained: Yes — no lateral movement achieved beyond the initially compromised session
- Data exfiltrated: None — SharePoint permissions were revoked within 35 minutes of detection
- Ransomware deployment: Blocked
- Recovery time: 4 hours (workstation reimaged, credentials reset, partner re-enrolled in FIDO2 MFA)
- Estimated damage avoided: $85,000–$140,000 (ransomware recovery estimate for a firm of this size)
- Controls that made the difference: ASR rules + local admin removal + EDR automated response
The post-incident review identified that the MFA approval by the partner — approving a push notification they didn’t initiate — represented a process failure, not a technical one. Following the incident, the firm migrated privileged accounts to FIDO2 phishing-resistant MFA (hardware security keys), which cannot be approved through social engineering. The remaining four hardening domains were accelerated to completion within 30 days of the incident.
“We did everything we thought was right — we had MFA, we had EDR, we had decent patching. What we hadn’t done was remove admin rights and implement ASR rules. Those two things, worth maybe half a day of configuration work, are the reason we’re talking about a near-miss rather than a disaster.” — Managing Partner, Adelaide Accounting Firm
Free Download: The CodeHyper Endpoint Hardening Checklist
To support your hardening programme, we have prepared a comprehensive Endpoint Hardening Checklist covering all 10 hardening domains covered in this guide — formatted as an actionable Google Doc that your IT team can work through, assign to owners, and track progress against.
What the Endpoint Hardening Checklist Includes
The checklist covers all 10 domains in this guide — OS Security Baselines, Privilege Management, Patch Management, Encryption, Application Control, Attack Surface Reduction, Browser & Application Hardening, Device Management & Compliance, Mobile Device Hardening, and Server-Specific Hardening. Each domain includes: individual control items, the Intune/GPO/tool used to implement each control, the ASD Essential Eight control it maps to (where applicable), and a status column (Not Started / In Progress / Complete). The checklist is designed to be used as a living document — updated as your environment changes and reviewed quarterly as part of your security programme. Request the free checklist via our contact page or ask your CodeHyper account contact for the Google Doc link.
Request the Free Endpoint Hardening Checklist →
5 Endpoint Hardening Mistakes That Undermine All Your Other Security Investments
1. Hardening New Devices but Ignoring Existing Ones
Many organisations apply hardening baselines to newly enrolled devices but never retroactively apply them to existing devices that joined the environment before baselines were implemented. The result: a growing gap between new devices that are hardened and legacy devices that are not. Attackers consistently target the weakest device. Use Intune compliance reports to identify non-compliant devices and remediate them systematically.
2. Deploying ASR Rules Without Audit Mode Testing
ASR rules in enforcement mode can block legitimate business applications if deployed without testing. A common scenario is blocking Office macros that drive legitimate business workflows, such as Excel-based reporting tools or Access database applications. Always deploy ASR rules in audit mode first, review the audit events (Defender logs event ID 1122 for each action a rule would have blocked), resolve false positives with narrow ASR-only exclusions, then move to enforcement. Skipping the audit phase is the fastest way to create a P1 incident on your first day of enforcement.
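The staged rollout described above, as an added example written for this guide rather than taken from any existing CodeHyper configuration set. It assumes Windows 10/11 with Microsoft Defender Antivirus active and an elevated PowerShell session on a pilot device; the rule GUIDs are Microsoft's published ASR rule IDs, the rule selection is an assumed pilot set, and the exclusion path in Stage 3 is a hypothetical placeholder. On Intune-managed devices the Intune ASR profile overrides local `Add-MpPreference`, so apply the same three stages through the Intune profile there.

```powershell
# Added example (not part of the original guide's configuration set).
# Stage 1: put a candidate ASR rule set into audit mode on a pilot device.
# Stage 2: after the audit window, summarise ASR events by rule and process.
# Stage 3: add narrow exclusions for accepted false positives, then enforce.
# Assumes Windows 10/11 with Microsoft Defender Antivirus, run elevated.
# Intune-managed devices: the Intune ASR profile wins over local preferences.

# Rule GUIDs are Microsoft's published ASR rule IDs; this selection is an assumed pilot set.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

function Set-AsrRuleStage {
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action)
    # Add-MpPreference takes parallel arrays: one action per rule ID, in the same order.
    $ids     = @($AsrRules.Keys)
    $actions = @($Action) * $ids.Count
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrEventSummary {
    param([int]$Days = 14)
    # 1121 = rule blocked (enforced); 1122 = rule audited (would have blocked).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of scraping the message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = "$($data['ID'])".ToUpper()
        [pscustomobject]@{
            Mode    = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
            RuleId  = $ruleId
            Rule    = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
    # One row per (mode, rule, process): high-count Audit rows are the false-positive candidates
    # to investigate before enforcement; everything else is what the rule will stop on day one.
    $rows | Group-Object Mode, RuleId, Process | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Count         = $_.Count
            Mode          = $_.Group[0].Mode
            Rule          = $_.Group[0].Rule
            Process       = $_.Group[0].Process
            ExampleTarget = $_.Group[0].Target
        }
    }
}

# Stage 1 now; run Stage 2 at the end of the audit window (two weeks covers month-end workflows).
Set-AsrRuleStage -Action AuditMode
Get-AsrEventSummary -Days 14 | Format-Table -AutoSize

# Stage 3, after review. The path is a hypothetical placeholder for an accepted line-of-business tool;
# ASR-only exclusions do not weaken antivirus scanning of the same file.
#   Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ReportingTool\ReportBuilder.exe'
#   Set-AsrRuleStage -Action Enabled
```

Read the summary with the business, not just IT: a high-count audit row for WINWORD.EXE spawning a child process usually means a macro-driven workflow that needs a managed replacement or a documented exclusion, while a row for the LSASS rule is almost always a security tool or a misbehaving agent and should be confirmed with the vendor rather than excluded on sight.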
3. Treating Hardening as a One-Time Project
Endpoint hardening is not a project — it is a continuous operational discipline. Environments change: new devices are enrolled, applications are installed, settings drift over time as users and processes modify configurations. Without compliance monitoring through Intune and regular reviews, your hardening posture degrades. Hardening is only as strong as your ability to maintain it.
4. Hardening Workstations but Neglecting Servers
Workstation hardening is visible and operationally relevant — users notice changes to their devices. Server hardening is less visible but more critical: servers are higher-value targets with more persistent access, often hold more sensitive data, and a compromise of a domain controller is effectively a total environment compromise. Server hardening must be part of the programme, not an afterthought.
5. Confusing Policy Deployment with Policy Compliance
Pushing a hardening policy from Intune does not guarantee it is enforced on every device. Devices that are offline when policies are deployed, devices with connectivity issues, and devices that are excluded from policy scope may never receive the hardening configuration. Compliance reporting — not just deployment confirmation — is how you verify that hardening is actually in place. Review Intune compliance dashboards regularly and investigate any device that falls below your compliance threshold.
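One way to make mistakes 1, 3 and 5 measurable instead of assumed, as an added example written for this guide and not taken from any CodeHyper deployment: an Intune custom compliance discovery script. Intune runs it on every device in scope, reads the single JSON line it returns, and evaluates each key against a rules file uploaded with it, so a device that never received the baseline and a device that drifted after receiving it both show up as non-compliant in the same dashboard, and Conditional Access can act on that state. The expected values, the local-admin allowlist and the MoreInfoUrl are assumptions for a typical baseline; the ASR rule GUID is Microsoft's published ID.

```powershell
# Added example: an Intune custom-compliance discovery script (not from the original guide).
# Intune runs this as SYSTEM, parses the one JSON line it returns, and compares each key
# against the rules file shown in the comment at the end. Expected values are assumptions.

# --- Attack surface reduction: the LSASS credential-theft rule must be in Block mode. ---
# Get-MpPreference returns rule IDs and actions as parallel arrays; 1 = Block, 2 = Audit, 0 = Off.
$pref = Get-MpPreference
$ruleAction = @{}
for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
    $ruleAction["$($pref.AttackSurfaceReductionRules_Ids[$i])".ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}
$lsassRuleId = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'   # Microsoft's published rule GUID
$asrLsassEnforced = ($ruleAction[$lsassRuleId] -eq 1)    # missing key evaluates to $false

# --- Encryption: OS drive fully encrypted with protectors active, not merely "encryption pending". ---
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitlockerProtected = ($osVolume.ProtectionStatus -eq 'On' -and $osVolume.VolumeStatus -eq 'FullyEncrypted')

# --- Privilege management: no members of local Administrators beyond the allowlist. ---
# ADSI is used because Get-LocalGroupMember can throw on unresolvable Entra ID SIDs on some builds.
# Entra role SIDs (S-1-12-1-...) appear as raw SIDs; add the ones you have verified to the allowlist.
$allowedAdmins = @('Administrator')   # assumption: the built-in account (LAPS-managed) only
$members = ([ADSI]'WinNT://./Administrators,group').Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$unexpectedAdmins = @($members | Where-Object { $allowedAdmins -notcontains $_ })

# --- Tamper protection: without it, anyone who regains admin can switch the controls above off. ---
$tamperProtected = ((Get-MpComputerStatus).IsTamperProtected -eq $true)

$result = [ordered]@{
    AsrLsassRuleEnforced      = [bool]$asrLsassEnforced
    BitLockerOSDriveProtected = [bool]$bitlockerProtected
    UnexpectedLocalAdminCount = $unexpectedAdmins.Count
    TamperProtectionEnabled   = [bool]$tamperProtected
}
# The script must emit exactly one JSON object and nothing else.
return ($result | ConvertTo-Json -Compress)

<#
Matching rules file, uploaded as JSON with the script when you create the compliance script in
Intune. Kept in a comment so the discovery script's only output is the JSON above.
MoreInfoUrl values are placeholders; point them at your internal hardening standard.
{
  "Rules": [
    { "SettingName": "AsrLsassRuleEnforced", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://example.invalid/hardening-baseline",
      "RemediationStrings": [ { "Language": "en_US", "Title": "ASR LSASS rule not enforced",
        "Description": "The credential-theft ASR rule is off or in audit mode on this device." } ] },
    { "SettingName": "BitLockerOSDriveProtected", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://example.invalid/hardening-baseline",
      "RemediationStrings": [ { "Language": "en_US", "Title": "BitLocker not protecting the OS drive",
        "Description": "The OS drive is not fully encrypted or protection is suspended." } ] },
    { "SettingName": "UnexpectedLocalAdminCount", "Operator": "IsEquals", "DataType": "Int64", "Operand": 0,
      "MoreInfoUrl": "https://example.invalid/hardening-baseline",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Unexpected local administrators",
        "Description": "{ActualValue} account(s) hold local admin rights outside the approved list." } ] },
    { "SettingName": "TamperProtectionEnabled", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://example.invalid/hardening-baseline",
      "RemediationStrings": [ { "Language": "en_US", "Title": "Defender tamper protection is off",
        "Description": "Tamper protection must be enabled before the device is trusted." } ] }
  ]
}
#>
```

Attach the resulting compliance policy to the same groups as your hardening profiles and give it a short grace period. The useful signal is the delta between "policy assigned" in the configuration profile report and "compliant" in this policy: every device in that gap is one the baseline never actually reached or no longer holds.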
Soft Defaults Are a Business Risk. Hardening Is the Fix.
The configurations that ship with Windows, mobile devices, and business applications were designed to make setup fast — not to protect against the attack techniques that Australian businesses face in 2026. Every unhardened endpoint in your environment is a soft default waiting to be exploited.
Endpoint hardening doesn’t require a large budget or a dedicated security team. It requires systematic attention to configuration — and for most Australian SMBs running Microsoft environments, the tools are already included in the Microsoft 365 Business Premium licences they are likely already paying for. The gap is not tooling. It is application.
At CodeHyper, we design and implement endpoint hardening programmes for Australian businesses — from initial baseline deployment through compliance monitoring, patch management automation, and ongoing maintenance. Our managed cybersecurity services include endpoint hardening as a core component, aligned to the ASD Essential Eight and configured to satisfy cyber insurance underwriting requirements.
Download our free Endpoint Hardening Checklist, or contact us today for a no-obligation endpoint security assessment of your current environment.
Frequently Asked Questions: Endpoint Hardening
What is endpoint hardening?
Endpoint hardening is the process of securing computing devices — workstations, laptops, servers, and mobile devices — by reducing their attack surface: the sum total of all the ways an attacker could potentially compromise or exploit the device. It involves changing default OS and application settings, removing unnecessary services and features, enforcing encryption, restricting privileges, and deploying protective controls like application allowlisting and attack surface reduction rules.
Why do endpoints need hardening if I already have antivirus and EDR?
Antivirus is a preventive control for known malware, and EDR is a detective and response control that watches process, memory and network behaviour so that threats which do execute are caught and contained. Endpoint hardening is a preventive control of a different kind: it removes the attack surface so that many of those attacks never get a foothold. EDR without hardening generates a constant stream of preventable alerts; hardening without EDR leaves you blind to what does get through. Both are required. As CrowdStrike’s 2026 data shows, 82% of attacks are now malware-free, using legitimate system tools rather than dropped executables, which is exactly where signature-based antivirus is weakest and where hardening (particularly ASR rules and PowerShell restrictions) matters most. See our EDR vs antivirus guide for the full comparison.
What is attack surface reduction (ASR) and how does it differ from other hardening controls?
Attack Surface Reduction (ASR) is a specific set of policy rules enforced by Microsoft Defender Antivirus and managed and reported through Microsoft Defender for Endpoint. The rules block the techniques attackers use most commonly: Office applications spawning child processes, credential theft from LSASS memory, ransomware-like file behaviour, and script-based attacks. Unlike OS security baselines (which configure general settings) or application control (which decides which applications may run at all), ASR rules target specific attacker techniques at the behaviour level, and each rule can run independently in audit, warn or block mode. They are one of the highest-impact hardening controls available in Windows environments.
Is endpoint hardening relevant to the ASD Essential Eight?
Endpoint hardening is the primary technical mechanism through which the ASD Essential Eight’s first six controls are implemented. Application Control (E8 Control 1), Patch Applications (2), Configure Macro Settings (3), User Application Hardening (4), Restrict Administrative Privileges (5), and Patch Operating Systems (6) are all implemented through endpoint hardening actions — WDAC/AppLocker, patch management policies, macro controls, browser hardening, local admin removal, and OS patching via Intune. A comprehensive endpoint hardening programme simultaneously progresses Essential Eight maturity across multiple controls.
Does removing local admin rights break things for users?
For most users in most environments, removing local admin rights causes minimal disruption. The common concern is that users will not be able to install software — but this is also the desired outcome from a security perspective. Software should be installed through managed channels (Intune app deployment) rather than by individual users. Some legacy applications that require admin rights to run will need to be identified and addressed — but these are typically rare and manageable. The security benefit of removing local admin rights — eliminating an entire class of privilege escalation attacks — far outweighs the operational adjustment required.
What is Windows LAPS and why is it important?
Windows LAPS (Local Administrator Password Solution) automatically manages a unique, regularly rotating password for the built-in local administrator account on every Windows device, backing it up to Active Directory or to Entra ID. Without LAPS, many organisations use the same local administrator password across all devices, meaning that a single compromised local admin credential provides access to every machine with that password. LAPS eliminates this by ensuring each device has a unique password that only principals explicitly granted read permission (an AD ACL or an Entra ID role) can retrieve, and that rotates automatically on a defined schedule and, if configured, immediately after each use.
How does BitLocker relate to the Notifiable Data Breaches scheme?
Under Australia’s NDB scheme, if a device containing personal information is lost or stolen, the incident may constitute an eligible data breach if it is likely to result in serious harm to individuals. However, if the device is encrypted with BitLocker (or FileVault on macOS) and the encryption key and recovery key are not compromised, the OAIC’s guidance treats the loss as unlikely to result in serious harm, which may mean it is not an eligible data breach and no notification is required. Full disk encryption is therefore not just a security control but a data breach response measure that can determine whether a lost device becomes a regulatory incident or a non-event. The determination depends on being able to show the device was encrypted and protection was on at the time of loss, which is why BitLocker compliance reporting and escrowed recovery keys matter as much as the encryption itself.
What tools are used to implement endpoint hardening for Microsoft 365 businesses?
For Australian businesses using Microsoft 365, the primary endpoint hardening tools are: Microsoft Intune (MDM/UEM platform for deploying and enforcing hardening policies across Windows, macOS, iOS, and Android), Microsoft Entra ID (identity platform with Conditional Access for device compliance enforcement), Microsoft Defender for Endpoint (EDR with integrated attack surface reduction rules and tamper protection), and Microsoft Defender for Business (the SMB tier of Defender for Endpoint). These are all included or available as add-ons within Microsoft 365 Business Premium, which is the recommended licence tier for Australian SMBs requiring comprehensive endpoint security.
How long does it take to harden an endpoint environment?
For a typical Australian SMB with 20–100 devices running Microsoft 365 Business Premium, deploying a foundational hardening baseline — OS security baselines, BitLocker, local admin removal, ASR rules, and patch management automation — takes 2–4 weeks. Full implementation across all 10 hardening domains, including application control and mobile device management, typically requires 6–12 weeks depending on environment complexity, legacy application dependencies, and the need for testing and change management.
How do I get an endpoint hardening assessment for my business?
A professional endpoint hardening assessment reviews your current endpoint configurations against best-practice hardening baselines, identifies gaps and their risk severity, and produces a prioritised remediation roadmap. CodeHyper conducts endpoint hardening assessments for Australian businesses as a standalone engagement or as part of a broader managed cybersecurity engagement. Contact us today to discuss your environment and what a hardening assessment would involve — or request our free Endpoint Hardening Checklist to start your self-assessment.