The best way to understand what device hardening is, and how to do it, is to follow the CIS Benchmarks. This organization has developed standards for hardening different operating systems and applications to a proper level in an enterprise environment. Not only do they have step-by-step walk-throughs of what to look for and how to do it, they also have scripts that can check and even automate the hardening for you. As a security analyst of any level or specialty, learning the configuration-based vulnerabilities of the platforms you work with on a daily basis is one of the most valuable things you can do to improve your skillset.
AuditScripts is another great set of tools that can perform configuration hardening audits based on different requirements, including those defined by CIS.
Security Auditing Tools
Lynis (Linux Security Auditing) - Lynis is a security auditing tool for UNIX-based systems such as Linux, macOS, BSD, and others. It performs an in-depth security scan and runs on the system itself.
Seatbelt (Windows Security Auditing) - Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
Purple Knight - An enterprise-grade Active Directory defense solution with AD mapping, security reports, security indicators and remediation guides.
debsums - Utility for checking installed Debian packages and comparing their hashes against a list of known good ones. Handy to run every once
PSPKIAudit - PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
Microsoft Attack Surface Analyzer - Attack Surface Analyzer is a Microsoft-developed open-source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or by system misconfiguration.
OSChameleon - OS Fingerprint Obfuscation for modern Linux Kernels.
Active Directory Certificate Services - An often overlooked tool that should come with most Microsoft licenses. Use AD certificates to sign scripts and docs made in your environment, so you can easily detect what is foreign.
Detections, alerts, and all the fancy security tools are completely worthless if the devices you are trying to protect are not properly hardened against the onslaught of attacks they might face day to day. Most, if not all, devices and even applications, in their factory-fresh state, are not properly hardened for use in an enterprise environment. Many features that you might appreciate as a convenience in your home network are actually a major vulnerability in a large-scale network deployed at your company.