Hardening = reduce attack surface, disable unsafe defaults, enforce baselines – without breaking operations.

• Accounts & rights: minimize admins
• Updates: OS/browser/3rd party
• Remote: VPN + MFA
• Secure config: SSH without password logins, logging enabled