> series: cyber_essentials_demystified —— part: 04/10 —— control: secure_configuration —— principle: remove_the_easy_wins
Secure configuration is the control that removes the low-hanging fruit — the default passwords, unnecessary accounts, pre-installed software, and enabled-but-unused services that give attackers easy entry points. It is also the control that most directly reflects the gap between deploying a system and securing a system. Every device, application, and cloud service arrives configured for convenience, not security. Secure configuration closes that gap.
During our CE Plus assessments and penetration testing engagements, misconfiguration is consistently one of the most common root causes of compromise. Not because organisations lack security tools, but because the systems they deployed were never hardened after installation. This article covers what the Danzell v3.3 requirements demand and how to prepare.
We handle the Cyber Essentials process end to end — from gap analysis to certification.
Start Your Certification

| Requirement | What It Means in Practice |
|---|---|
| Change all default passwords | Every device, application, and cloud service in scope must have its default or manufacturer-set password changed before deployment. This includes routers, firewalls, printers, IoT devices, web application admin panels, and cloud service accounts. Passwords must be unique and meet minimum complexity requirements — or passwordless authentication (FIDO2, passkeys) may be used. |
| Remove unnecessary accounts | Default accounts — including guest accounts and built-in administrator accounts — must be disabled or removed unless there is a documented business requirement. Every active account must be attributable to a specific individual or a specific, justified service function. |
| Remove unnecessary software | Software that is not required for business operations must be uninstalled from in-scope devices. This includes pre-installed bloatware, trial software, development tools on production systems, and applications installed by previous users. Less software means fewer potential vulnerabilities. |
| Disable unnecessary services | Network services that are not required must be disabled. This includes file sharing services on devices that do not need to share files, remote desktop on devices that do not require remote access, and web servers on devices that do not serve web content. |
| Auto-lock devices | All devices must be configured to lock automatically after a defined period of inactivity — typically 15 minutes for desktops and 5 minutes for mobile devices. The lock screen must require authentication to unlock. |
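The five requirements in the table reduce to checks that can be run over an inventory export. The following is an added example, not the article's own tooling: it assumes a hypothetical inventory structure (field names are made up) with constructed sample devices, and reports a finding per requirement that a device fails.

```python
"""Audit a device inventory against the five secure-configuration requirements."""
# Added example, not the article's own tooling. The inventory structure and field
# names are hypothetical; a real audit would populate them from device exports.

LOCK_LIMIT = {"desktop": 15, "mobile": 5}  # max minutes of inactivity, per the table

# Constructed sample inventory: a desktop and a printer with typical findings.
INVENTORY = [
    {
        "host": "WS-001", "type": "desktop", "default_password_changed": True,
        "accounts": [
            {"name": "alice", "enabled": True, "owner": "Alice Smith", "builtin": False},
            {"name": "Guest", "enabled": True, "owner": None, "builtin": True},
        ],
        "services": [{"name": "RemoteDesktop", "enabled": True, "required": False}],
        "software": [{"name": "Trial Office", "required": False}],
        "lock_timeout_minutes": 30,
    },
    {
        "host": "PRN-002", "type": "peripheral", "default_password_changed": False,
        "accounts": [{"name": "admin", "enabled": True, "owner": None, "builtin": True,
                      "justification": "vendor management console"}],
        "services": [{"name": "HTTP", "enabled": True, "required": True}],
        "software": [], "lock_timeout_minutes": None,
    },
]

def audit_device(dev):
    """Return (requirement, detail) findings for one device; empty list means compliant."""
    findings = []
    if not dev["default_password_changed"]:
        findings.append(("default-password", "manufacturer password still in use"))
    for acct in dev["accounts"]:
        if not acct["enabled"]:
            continue  # disabled accounts satisfy the requirement
        # Built-in/default accounts need a documented business justification; every
        # other active account must be attributable to a named individual.
        if acct["builtin"] and not acct.get("justification"):
            findings.append(("unnecessary-account", f"{acct['name']} enabled without justification"))
        elif not acct["builtin"] and not acct["owner"]:
            findings.append(("unnecessary-account", f"{acct['name']} has no named owner"))
    findings += [("unnecessary-service", f"{s['name']} enabled but not required")
                 for s in dev["services"] if s["enabled"] and not s["required"]]
    findings += [("unnecessary-software", f"{s['name']} not required")
                 for s in dev["software"] if not s["required"]]
    limit = LOCK_LIMIT.get(dev["type"])  # no lock-screen limit defined for peripherals here
    timeout = dev["lock_timeout_minutes"]
    if limit is not None and (timeout is None or timeout > limit):
        findings.append(("auto-lock", f"lock timeout {timeout} min exceeds limit of {limit}"))
    return findings
```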
Under Danzell, cloud services are formally in scope — and the secure configuration control applies to them equally. Your Microsoft 365 tenant, Google Workspace environment, CRM, accounting software, and every other cloud platform used by your organisation must be configured securely. This means default administrator accounts must be renamed or secured, unnecessary features must be disabled, and access controls must be configured appropriately.
For organisations using Microsoft 365, common cloud configuration issues include global administrator accounts without MFA, legacy authentication protocols still enabled, external sharing configured too permissively, and mailbox forwarding rules that exfiltrate data to external addresses. Our cloud configuration review service assesses your cloud tenant against security best practices and identifies misconfigurations before they become exposures.
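Two of the Microsoft 365 issues listed above, global administrators without MFA and inbox rules forwarding mail outside the tenant, can be checked from a tenant export. The following is an added example, not the article's review service: the export records and the tenant's accepted domains are constructed, and the field names are hypothetical stand-ins for what Entra ID and Exchange would return.

```python
"""Flag Microsoft 365 tenant misconfigurations from an exported snapshot."""
# Added example, not the article's own review service. Record structures are
# hypothetical; a real review would pull users/roles and inbox rules from the tenant.

ACCEPTED_DOMAINS = {"example.co.uk"}  # constructed: the tenant's own accepted domains

USERS = [  # constructed
    {"upn": "ga-admin@example.co.uk", "roles": ["Global Administrator"], "mfa": False},
    {"upn": "it-lead@example.co.uk", "roles": ["Global Administrator"], "mfa": True},
    {"upn": "bob@example.co.uk", "roles": [], "mfa": False},
]

INBOX_RULES = [  # constructed: one benign rule, one silent forward to an external address
    {"mailbox": "bob@example.co.uk", "name": "File invoices", "enabled": True,
     "forward_to": [], "redirect_to": []},
    {"mailbox": "finance@example.co.uk", "name": ".", "enabled": True,
     "forward_to": ["drop@attacker-mail.example"], "redirect_to": []},
]

def global_admins_without_mfa(users):
    """Privileged accounts that can be taken over with a password alone."""
    return [u["upn"] for u in users if "Global Administrator" in u["roles"] and not u["mfa"]]

def _domain(address):
    return address.rsplit("@", 1)[-1].lower()

def external_forwarding_rules(rules, accepted_domains):
    """Return enabled rules that forward or redirect mail outside the tenant's domains."""
    flagged = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        targets = rule["forward_to"] + rule["redirect_to"]
        external = [t for t in targets if _domain(t) not in accepted_domains]
        if external:
            flagged.append((rule["mailbox"], rule["name"], external))
    return flagged
```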
Secure configuration preparation is primarily an audit exercise — reviewing every in-scope device and service against the requirements and remediating any gaps. Start with the devices and services most likely to have been overlooked: network devices (routers, switches, access points), peripheral devices (printers, scanners, CCTV), and cloud services that were set up quickly without security review.
For organisations that want continuous configuration monitoring rather than a point-in-time check, SOC in a Box monitors your environment 24/7 and alerts you when configurations drift from your security baseline — catching the changes that accumulate between annual assessments.
Next week, we tackle the control that has changed most under Danzell — Security Update Management. The new auto-fail criteria on questions A6.4 and A6.5 mean that patching is no longer just good practice; it is a binary pass-or-fail requirement. We cover what this means, how to implement a 14-day patching cycle, and what happens during CE Plus if your devices are not up to date.
Our [Concierge service](/cyber-essentials/concierge) includes a pre-assessment configuration audit that identifies default passwords, unnecessary accounts, and misconfigured services across your entire estate — so you fix them before the assessment, not during it.