Secure Configuration Baseline for Canadian Organizations — Baseline Control BC.4
What Secure Configuration Means
Secure configuration is the practice of setting up hardware, software, and network devices with security in mind from the start — changing default settings, disabling unnecessary features, and enabling built-in security controls. The Canadian Centre for Cyber Security (CCCS) designates secure configuration as BC.4 in its 13 Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089). Most devices and software ship with default settings optimized for ease of use rather than security, which means out-of-the-box configurations often leave unnecessary services running, use default credentials, and have security features turned off.
This page summarizes what the CCCS recommends for secure configuration. It is educational content based on publicly available government guidance and is not professional cybersecurity advice. For your specific situation, consult a qualified professional. You can also take our free assessment to evaluate your organization across all 13 controls.
What the Canadian Centre for Cyber Security Recommends
The CCCS Baseline Controls (ITSM.10.089) recommend that organizations apply secure configurations to all hardware and software before deployment. This includes workstations, servers, mobile devices, network equipment, cloud services, and applications. The guidance covers several core practices:
Change Default Credentials
One of the most fundamental secure configuration steps is changing default usernames and passwords on all devices and applications. Default credentials are widely known and publicly documented — they are among the first things attackers try. The CCCS recommends changing defaults on:
- Network routers and switches
- Wireless access points
- Firewalls
- Printers and multifunction devices
- Network-attached storage (NAS) devices
- Web applications and content management systems
- Any software that ships with a default admin account
Replace default passwords with strong, unique passwords following CCCS password guidance. Where possible, rename or disable default administrator accounts as well.
Disable Unnecessary Services and Features
Every running service, open port, and enabled feature represents a potential attack surface. The CCCS recommends disabling or removing any services, protocols, ports, and software components that are not required for the device's intended function. This principle — often called "least functionality" — reduces the number of potential entry points an attacker can exploit.
Common examples include:
- Disabling remote desktop services on workstations that do not need remote access
- Turning off file sharing on devices that do not need to share files
- Removing or disabling unused browser plugins and extensions
- Disabling Bluetooth, NFC, or other connectivity features when not in use
- Removing trial software and bloatware that comes pre-installed on new devices
Enable Built-In Security Features
Most operating systems and applications include security features that are sometimes disabled by default or not configured optimally. The CCCS recommends reviewing and enabling:
- Host-based firewalls — Enable the built-in firewall on every workstation and server (e.g., Windows Firewall, macOS firewall).
- Disk encryption — Enable full-disk encryption (BitLocker on Windows, FileVault on macOS) to protect data if a device is lost or stolen.
- Screen lock — Configure automatic screen lock after a period of inactivity.
- Audit logging — Enable logging on systems and applications to support incident detection and investigation.
Hardening Guidelines: CIS Benchmarks
The Center for Internet Security (CIS) publishes free, detailed configuration guides known as CIS Benchmarks for a wide range of operating systems, applications, cloud platforms, and network devices. These benchmarks provide specific, actionable configuration recommendations developed through consensus among cybersecurity professionals. The CCCS recognizes CIS Benchmarks as a reputable source of hardening guidance.
CIS Benchmarks are available for common platforms including:
- Windows 10, Windows 11, and Windows Server
- macOS
- Ubuntu, Red Hat Enterprise Linux, and other Linux distributions
- Microsoft 365 and Google Workspace
- Amazon Web Services, Microsoft Azure, and Google Cloud Platform
- Network devices from Cisco, Palo Alto, and other vendors
CIS Benchmarks can be downloaded at no cost from the CIS website.
Configuration Management
The CCCS recommends documenting your organization's standard secure configurations and applying them consistently to all devices. Configuration management ensures that:
- New devices are set up with the same baseline security settings
- Configuration changes are tracked and authorized
- Deviations from the baseline can be identified and corrected
- Systems can be rebuilt to a known-good state after an incident
Why This Matters for Canadian Businesses
Default and misconfigured settings are a leading cause of security incidents. Attackers routinely scan for systems with default credentials, unnecessary services exposed to the internet, and security features left disabled. For Canadian SMBs, insecure configurations can lead to:
- Unauthorized access — Default credentials on routers, applications, or cloud services allow attackers to log in without any exploitation, simply using widely available default username and password lists.
- Lateral movement — Unnecessary services and overly permissive configurations allow attackers who gain initial access to move through your network and access additional systems.
- Data exposure — Misconfigured cloud storage, file shares, or databases can expose sensitive information to the internet without the organization's knowledge.
- Compliance gaps — Organizations subject to privacy legislation (PIPEDA, provincial privacy laws) are expected to implement reasonable security safeguards. Default configurations generally do not meet this standard.
Secure configuration works in concert with patch management (BC.2) — patching addresses vulnerabilities in the software itself, while secure configuration eliminates weaknesses introduced by how the software is set up. Combined with proper authentication (BC.5) and access control (BC.12), secure configuration significantly reduces your organization's attack surface.
How to Get Started
Implementing secure configuration is an incremental process. Start with the highest-impact changes and build from there:
- Change all default passwords immediately. Survey every device and application in your organization — routers, wireless access points, printers, NAS devices, web applications — and change any default credentials. Use strong, unique passwords for each device.
- Enable host-based firewalls. Verify that the built-in firewall is enabled on every workstation and server. On Windows, this means ensuring Windows Firewall is on and configured appropriately. On macOS, enable the application firewall in System Settings.
- Enable disk encryption. Turn on BitLocker (Windows) or FileVault (macOS) on all laptops. This protects data if a device is lost or stolen. Most modern systems handle encryption with no noticeable performance impact.
- Disable unnecessary services. Review what services are running on your workstations and servers. Disable remote desktop on machines that do not need it. Turn off file sharing where it is not required. Remove unused software and browser extensions.
- Create a baseline configuration checklist. Document the standard security settings for each type of device in your organization (e.g., workstation, laptop, server, router). Use this checklist when setting up new devices.
- Review CIS Benchmarks for your platforms. Download the relevant CIS Benchmarks for your operating systems and key applications. You do not need to implement every recommendation — focus on Level 1 (basic) recommendations first, which provide strong security with minimal operational impact.
- Use centralized management where feasible. In Windows environments, Group Policy can enforce configuration settings across all domain-joined computers. Microsoft Intune or similar tools can manage both domain-joined and cloud-managed devices. For smaller organizations, a documented manual checklist applied consistently is a good starting point.
- Review cloud service configurations. If you use Microsoft 365, Google Workspace, or cloud infrastructure services, review their security settings. Enable MFA, review sharing settings, and disable features you do not use.
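As an added example (not code from the CCCS guidance, CIS, or this site), the following PowerShell script checks a Windows workstation against a documented baseline for the built-in features listed earlier (host firewall, disk encryption, screen lock, Remote Desktop) and reports deviations the way the Configuration Management section describes. It assumes an elevated session on Windows 10/11 with the BitLocker module available; the baseline values (15-minute lock, RDP off) are assumptions for a workstation, not CCCS or CIS figures.

```powershell
# Added example: audit a Windows workstation against a documented BC.4 baseline.
# Baseline values below are this example's assumptions for a workstation role.

$Baseline = @{
    FirewallAllProfilesOn = $true    # Domain, Private and Public profiles enabled
    BitLockerOn           = $true    # protection on for the OS volume
    ScreenLockSeconds     = 900      # secure lock within 15 minutes of inactivity
    RemoteDesktopOn       = $false   # RDP disabled on workstations
}

$findings = @()
function Add-Finding([string]$Check, $Expected, $Actual) {
    # Record one PASS/FAIL row; string comparison keeps booleans and enums simple.
    $script:findings += [pscustomobject]@{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
        Status   = if ("$Expected" -eq "$Actual") { 'PASS' } else { 'FAIL' }
    }
}

# 1. Host-based firewall: every profile must report Enabled = True.
$profiles = Get-NetFirewallProfile
$allOn = @($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
Add-Finding 'Firewall enabled on all profiles' $Baseline.FirewallAllProfilesOn $allOn

# 2. Disk encryption: BitLocker protection must be On for the system drive.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Finding 'BitLocker protection on OS volume' $Baseline.BitLockerOn ($osVol.ProtectionStatus -eq 'On')

# 3. Screen lock: screensaver active, password-protected, timeout within baseline.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$lockOk = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
          ([int]$desk.ScreenSaveTimeOut -le $Baseline.ScreenLockSeconds)
Add-Finding "Secure screen lock within $($Baseline.ScreenLockSeconds)s" $true $lockOk

# 4. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled, 0 means enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Finding 'Remote Desktop disabled' $Baseline.RemoteDesktopOn ($ts.fDenyTSConnections -eq 0)

# Report: any FAIL row is a deviation from the documented baseline to correct.
$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object Status -eq 'FAIL').Count
if ($failed -gt 0) { Write-Warning "$failed of $($findings.Count) baseline checks failed" }
```

Saved as a .ps1 and run from a scheduled task, the same script gives a quick drift check for each device type once a baseline is written down for it.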
To evaluate your secure configuration practices alongside the other 12 baseline controls, take the free assessment.
Common Mistakes to Avoid
Based on the CCCS guidance and common observations in Canadian organizations, here are frequent secure configuration mistakes:
- Leaving default credentials in place. This remains one of the most common security gaps. Default credentials for most devices are publicly available and are among the first things attackers check.
- Assuming "out of the box" is secure. Vendors optimize default settings for ease of setup and broad compatibility, not for security. Every new device or application should be hardened before being put into production use.
- Enabling everything "just in case." Running services and features that are not needed increases your attack surface with no benefit. If a feature is not actively used, disable it. It can always be re-enabled if needed later.
- Inconsistent configurations across devices. When each device is configured differently, it becomes difficult to manage security effectively and to troubleshoot issues. Standardize on a baseline configuration for each device type.
- Forgetting about network equipment. Routers, switches, and wireless access points are frequently left with default configurations and rarely reviewed after initial setup. These devices control network traffic and are high-value targets for attackers.
- Not reviewing cloud service settings. Cloud platforms like Microsoft 365 and Google Workspace have many security-relevant settings that default to permissive configurations. External sharing, guest access, and legacy authentication protocols should all be reviewed.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.