Wednesday, April 15, 2026

CompTIA A+ Exam - Hardening Wi-Fi Communications, a Security Perspective

For the CompTIA A+ exam (specifically Core 1 Domain 2.0 and Core 2 Domain 2.0), Wi-Fi hardening is categorized under SOHO (Small Office/Home Office) Security.

To "harden" a connection means to move beyond default settings to a layered defense. Here is the breakdown based on the current 220-1201 and 220-1202 objectives.


1. Implement Strong Encryption (The Priority)

This is the most critical hardening step. You must know the difference between these protocols for the exam:

  • WPA3: The current gold standard. Uses SAE (Simultaneous Authentication of Equals) to prevent offline dictionary attacks.

  • WPA2 (AES): The minimum standard for modern networks. Uses AES (Advanced Encryption Standard), which is significantly more secure than the older TKIP.

  • Avoid WEP and WPA: These are deprecated. If you see them as options in a scenario-based question for "securing a network," they are almost always the wrong answer.

2. Change Default Credentials

Every router comes with a default username (often "admin") and password ("password" or "admin").

  • Hardening Action: Change the Administrator password immediately. This prevents an attacker who joins the Wi-Fi from taking full control of the hardware.

3. SSID Management

  • Change the Default SSID: Default names (like "Linksys" or "Netgear") reveal the hardware manufacturer, making it easier for attackers to look up specific vulnerabilities.

  • SSID Broadcasting: You can disable the broadcast so the network name doesn't show up in "Available Networks."

    • Exam Note: CompTIA acknowledges that this is "security through obscurity" and not a primary defense, as scanners can still find "hidden" networks.

4. Disable Vulnerable Features

Modern routers come with "convenience" features that are major security risks:

  • WPS (Wi-Fi Protected Setup): Designed to connect devices with a button press or 8-digit PIN. The PIN method is easily cracked via brute force. Recommendation: Disable WPS.

  • UPnP (Universal Plug and Play): Allows devices to automatically open ports in the firewall. This can allow malware to create a "hole" into your network. Recommendation: Disable UPnP.

5. Physical and Logical Isolation

  • Guest Network: Create a separate SSID for visitors. Ensure Intra-BSS isolation is enabled so guests cannot "see" or attack other devices on the same network, and keep them logically separated from your main business/private network.

  • MAC Filtering: You can create a "Whitelist" of approved MAC addresses.

    • Exam Note: Like SSID hiding, this is a weak defense because MAC addresses can be easily spoofed.

6. Maintenance & Updates

  • Firmware Updates: Manufacturers release patches for security vulnerabilities (like the KRACK or Dragonblood attacks). Hardening requires checking for and applying these updates regularly.

  • Radio Power Levels: On some high-end SOHO routers, you can decrease the radio power so the signal doesn't leak too far into the parking lot or street, reducing the physical "attack surface."


Exam Tip: The "SOHO Scenario"

If you get a Performance-Based Question (PBQ) asking you to configure a wireless router:

  1. Change the Admin Password first.

  2. Set Encryption to WPA3 (or WPA2-AES if WPA3 isn't available).

  3. Disable WPS.

  4. Change the SSID.
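
The checklist above can also be run as an automated audit; the following is an added example, not part of the original post. It assumes the access point exposes a hostapd-format configuration for a guest SSID (as OpenWrt-based firmware does), uses constructed sample configs, and does not check the admin password because that is not stored in this file.

```python
# Added example (not from the original post): audit a hostapd-style config.
DEFAULT_SSIDS = {"linksys", "netgear"}  # default names cited in the post

# Constructed sample configs for a guest SSID.
WEAK = "ssid=Linksys\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP\nwps_state=2\n"
HARDENED = ("ssid=office-guest-7\nwpa=2\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\n"
            "ieee80211w=2\nwps_state=0\nap_isolate=1\n")

def parse_conf(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    c = parse_conf(text)
    findings = []
    wpa = int(c.get("wpa", "0"))  # hostapd bitfield: 1 = WPA, 2 = WPA2/RSN
    key_mgmt = c.get("wpa_key_mgmt", "").split()
    ciphers = (c.get("rsn_pairwise") or c.get("wpa_pairwise", "")).split()
    if wpa == 0:
        findings.append("encryption: no WPA2/WPA3 (open or WEP)")
    else:
        if wpa & 1:
            findings.append("encryption: legacy WPA enabled")
        # Assumption: an unset cipher is a finding; the audit wants CCMP stated.
        if not ciphers or "TKIP" in ciphers:
            findings.append("encryption: TKIP allowed or cipher unset, want CCMP (AES)")
        if "SAE" not in key_mgmt:
            findings.append("encryption: WPA3 (SAE) not offered")
    if c.get("wps_state", "0") != "0":
        findings.append("wps: WPS enabled")
    if c.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("ssid: vendor default name")
    if c.get("ap_isolate", "0") != "1":
        findings.append("isolation: client isolation (ap_isolate) is off")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```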