What Is Secure by Default?

Secure by default is a state of high protection when the factory settings of an program or operating system are left untouched, as for example when it is shipped to the consumer or reset by a user. This can provide more safety for users, but it also comes with some usability problems. Consequently, many developers do not create products that are secure by default, although they may enable as many security settings as possible in the default configuration. Users with security questions can consult user guides and other references to learn more about security in given operating systems and applications.

In a system that is secure by default, possible security holes such as open network ports and sharing are turned off. The user must actively enable them, and when doing so, may receive a warning. The settings also typically limit default privileges, to restrict the types of changes that can be made to the critical system settings. A new user just exploring a new computer program or operating system would get into minimal trouble, because the system would protect the user.

This state is not very user friendly, however, which is the tradeoff with security by default. To perform even basic actions, the user may need to switch to an account with higher permissions or go through a security nag warning to implement a change. It can also be difficult to get a network up and running or to enable sharing across a household or small office network with all the settings turned off. Users who are accustomed to plug and play systems may find secure by default settings alienating because of the number of steps they may need to go through to engage in various system activities.

It is also generally considered impossible to make a system wholly, 100% safe. As a result, a claim that a system is secure by default can create a sense of false confidence in the available user protections, which could endanger the user. Users who think they are not vulnerable to hacking, for example, may not take adequate protections. They could fail to scan for malicious software or not update their antivirus programs in the belief that their systems should be safe, and might create other security loopholes.

For usability reasons, developers typically try to balance security with other needs when they set up the default configurations for their products. These settings typically enhance security as much as possible without creating roadblocks to user comfort. The system may come with detailed instructions for users who want to increase security and change the default settings to make them more secure. It can also offer warnings to make sure users are aware of potential security problems as they explore the system.