Lesson 5.1 — Secure configuration: removing defaults, unnecessary software and risky settings

This lesson introduces the Cyber Essentials secure configuration control.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • explain the purpose of secure configuration
  • identify common insecure defaults
  • recognise which device and cloud categories are affected
  • create a first secure configuration review record covering unnecessary accounts, default passwords and unnecessary software

Why This Matters

This lesson explains why default settings are often unsafe, what “secure configuration” means in practical terms, which systems it applies to, and how learners should start building a secure configuration baseline before answering the detailed questions.

The most common problems are:

  • treating secure configuration as only a Windows laptop issue;
  • forgetting servers, cloud services, mobile devices and SaaS platforms;
  • assuming default settings are safe;
  • leaving guest accounts enabled.

The Core Rule

Secure configuration means setting up devices, software and services so they only provide what is needed and do not keep unsafe defaults.

The main ideas are:

What the CE Assessor Looks For

A strong position shows:

  • each in-scope device type has a configuration standard or checklist;
  • unnecessary accounts are removed or disabled;
  • default or guessable passwords are changed;
  • unnecessary software and services are removed or disabled;
  • auto-run execution is disabled where required;
  • users must authenticate before accessing organisational data or services.

Common Mistakes

  • treating secure configuration as only a Windows laptop issue;
  • forgetting servers, cloud services, mobile devices and SaaS platforms;
  • assuming default settings are safe;
  • leaving guest accounts enabled;
  • leaving old local administrator accounts active;
  • leaving old supplier or test accounts active.

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] What is the basic idea of secure configuration?
  • [ ] What are the two main aims of secure configuration?
  • [ ] Give three examples of insecure defaults.
  • [ ] Does secure configuration apply only to laptops?
  • [ ] Why should unnecessary software be removed?

Your Action

Do this now — it takes 10–20 minutes.

Pick one device type and check what unnecessary software or features are installed. Document what you find. Add to Section SC (Secure Configuration).
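
One way to turn that check into a first review record is to compare what is on the device against a short allow-list for that device type. The script below is an added example, not part of the Cyber Essentials material or the workbook; the inventory, the baseline and every account, software and field name in it are constructed assumptions.

```python
# Added example: builds a first secure configuration review record for one
# device type. Inventory, baseline and field names are constructed assumptions.
import json

BASELINE = {  # what this device type is allowed to have (assumed standard)
    "accounts": {"j.smith", "it-admin"},
    "software": {"Office suite", "Web browser", "Endpoint protection"},
    "autorun_allowed": False,
}

INVENTORY = {  # constructed sample, e.g. taken from an earlier inventory
    "device_type": "Staff laptop",
    "accounts": [
        {"name": "Guest", "enabled": True, "default_password": False},
        {"name": "j.smith", "enabled": True, "default_password": False},
        {"name": "it-admin", "enabled": True, "default_password": True},
        {"name": "supplier-test", "enabled": True, "default_password": False},
        {"name": "old-localadmin", "enabled": False, "default_password": False},
    ],
    "software": ["Office suite", "Web browser", "Game launcher", "Remote support tool"],
    "autorun_enabled": True,
}

def review(inventory, baseline):
    """Return the review record: one finding per deviation from the baseline."""
    findings = []
    def add(area, item, action):
        findings.append({"area": area, "item": item, "action": action})
    for acct in inventory["accounts"]:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to act on
        if acct["name"] not in baseline["accounts"]:
            # removal also deals with any default password on this account
            add("unnecessary account", acct["name"], "remove or disable")
        elif acct["default_password"]:
            add("default password", acct["name"], "change password")
    for name in inventory["software"]:
        if name not in baseline["software"]:
            add("unnecessary software", name, "remove or disable")
    if inventory["autorun_enabled"] and not baseline["autorun_allowed"]:
        add("auto-run", "auto-run execution", "disable")
    return {"device_type": inventory["device_type"], "findings": findings}

if __name__ == "__main__":
    print(json.dumps(review(INVENTORY, BASELINE), indent=2))
```

Each finding names the area, the item and the action, which is the shape of entry the review record needs for Section SC.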

Key Takeaway

The first step is to create a secure configuration baseline review using the inventories from earlier modules.

Your Workbook Activity

Complete: Secure configuration baseline review

Next Lesson

In the next lesson: Unnecessary accounts: guest accounts, old users, local admins and supplier access