Default settings and credentials are attributes of a device, system, or service that control their access or functionality without administrator or user intervention.
Most of the time, the users of a system don’t change (or are not even aware of) defaults; therefore, they rarely change. Additionally, they are usually not optimized for security and pose significant risks to the device, system, or service.
Most products target lay consumers. Consumers value convenience and want their things to 'just work'. Frequently, more secure configurations are likely to complicate usage, and therefore, most products are not as secure as they could be out of the box.
Most devices we purchase come with default credentials (usernames and passwords). If you ever had a hard time logging into your Wi-Fi router, you might have run a Google search and found the default credentials to get in and set up your router. The problem is that (unless you change them) attackers can do the same thing and use it to control your equipment.
While it might be extra work, we recommend that you check for (and change) the default credentials on all of the devices you put into operation. It could prevent you from falling easy prey to an attacker.
Warning | Warning Please use unique and complex credentials for each of your devices/services. |
To maximize their products' utility and convenience, vendors frequently enable most of the features and services they think consumers will want. Additionally, they will configure them in a way that will maximize their utility and compatibility with other products and services. Usually, these default settings will not be as secure as they should/could be.
In general:
Disable all services/features that you are not sure you need (or are going to use). You can always go back in and enable them later,
Dig into the settings, and see if additional security features are available.
Adjust them to make sure they work but are as secure as practically possible.
If you are particularly paranoid, you can find and use secure configurations for your systems developed by organizations that specialize in securing systems and services:
Center for Internet Security (CIS) Benchmarks are guides for configuring your systems to minimize vulnerabilities.
The United States Military (or DoD) has developed Security Technical Implementation Guides (STIGs) to secure systems and services that consumers and businesses also use.
Warning | Warning The CIS benchmarks, developed to secure mission-critical systems and services, are more strict than a typical system may need. You should adjust them to make a system as usable as you want/need it to be. |
Security and convenience usually work against each other. You will need to adjust the defaults to achieve a position that works for you and minimizes risk.