Security Hardening Windows 7 64 bit install

Just wondering what are some tips to harden a windows 7 ultimate install. Disable superfetch and hibernation? Disable anonymous login? Encrypt the page file?

Tell me.

 

I would be more than happy to help. Though I want to make sure I give you relevant information.. I can lock your machine down to NSA specifications, or give you some simple tips. How far down the rabbit hole are you willing to go?

 

I vote for NSA!

 

NSA please, down the rabbit hole we go.

 

As I was typing this I tried to keep the scope down to a single local user (For my own sanity), I also made a few assumptions on the hardware of your machine, example I assume your computer has only one hard drive and the entire drive is partitioned down for Windows only. I also assumed you trust your LAN and have not covered locking down the network configurations of your windows machine as detailed as I could.

This reply will give you a quick run-down of simple steps to further harden your OS. With section 6, I will list configured baselines for windows 7 that will need to be modified using the group policy editor. The baselines will include a slightly modified 2012 SSLF recommendations.

I will be throwing a lot at you, you do not have to enable all these recommendations, and you can also opt to enable none as they are to give you general guidance and disabling some options could hinder your day to day use.

**Before I start would like to say you can opt for the most effective hardening method currently, and that is to utilize complete virtualization with your Windows OS if you have the hardware to support it. Any unwanted changes or infections can be eradicated with a click of a button. – My two cents**

Quick Note

Ideally when you begin to harden your operating system you should start with a clean installation of the system. You can perform the following steps below on an already established system; however if it has been compromised these steps will not help.

Section 1 Physical Security

Just as hardening the OS itself is important, you want to limit the means someone can access information on the storage medium the OS resides.

Configure the BIOS to disable booting from CDs/DVDs, floppies (Remember those?), and external devices, and set a password to protect these settings. This will be BIOS specific I can give more information if you do provide me with your hardware.

Perform a full disk encryption of your hard disk. Two popular solutions to perform this task for windows are Truecrypt or Bitlocker. It is important you use a passphrase of at least 15+ characters. Additionally once you have FDE (Full disk encryption) completed, keep in mind when the machine is powered on it is running in an unencrypted state. Therefor when your machine is not in use, it is advised you power down the machine.

Section 2 Access Control

It is important you maintain a tight grasp on what user accounts have access to your windows system and the permissions these accounts will have. A good standard is to deploy under a least privilege rule set. This means you limit and restrict the permissions and access to the least amount needed to perform tasks.

Disable or remove non-user accounts

1)Start > search bar> lusrmgr.msc
2) Go to: Users
3) Disable or remove all Accounts that you do not use (Make sure to look up accounts you are unsure about)

(Verify the default administrator and guest accounts are disabled) They should be by default with windows 7.

Now establish another admin account and set your main account to limited:

In Control Panel, open User Accounts, click Create a new account and make a new account, you can call it what you wish (No_ScriptAdmin for example), make sure you add it to the admin local group. Finally use a strong passphrase for this account.

Next go back to the user accounts screen under control panel and change your main account to standard user. The idea here is you will use your limited account for day to day use and click run as administrator when you need to install or modify settings, at which time you will enter your passphrase to continue.

Optional Step 1: You can additionally choose to rename the default administrator and guest accounts to further mitigate risk. These accounts represent a security risk because knowing the names of the accounts on a Windows 7 OS is the first step to hacking it remotely. Not knowing the names of the accounts makes it that much harder for a hacker to execute an attack.

Optional Step 2 (Highly Recommended) Require Ctrl-Alt-Del for elevation to Admin

Section 3 Application Security

I would advise you to deploy applocker for windows 7 (If supported)

It replaces Software Restriction Policy (SRP) and provides greater
flexibility to govern which applications are allowed to run and from which locations. AppLocker provides a simple and powerful structure through two rule actions: allow and deny. It also provides a means to identify exceptions to those actions. Allow action on rules limits execution of applications to an allowed list of applications and blocks. I would advise you go in with an allowed whitelist. Again following a default deny mindset.

If you do not want to use Applocker you can set up software restriction policies (SRP) though they require a bit more to maintain:
1. Log on with an Administrator account. Type gpedit.msc into the Run or Search box on your Start menu, click OK, and Group Policy will open.
2. Go down to Computer Configuration > Windows Settings > Security Settings, as shown in the picture below.
3. Right-click on "Software Restriction Policies" and create new policies.
4. Double-click Enforcement and set the Enforcement to cover all software files. Then apply the Software Restriction Policy to all users except local Administrators.
5. Next in the right window panel, double-click Designated File Types. A panel opens. Go down the list to LNK and click it, then click the Delete button. This adjustment allows you to use your desktop shortcuts and Quick Launch icons.
6. Finally to activate this rule set, Right-click on Disallowed under the Security Levels folder, and set it as the default security level.

Additional step if you have a x64 bit machine, Click on Additional Rules and make a new Path Rule for C:\Program Files (x86) to allow software installed in that directory to run.

Disable autoplay for removable media

1. Click Start and put gpedit.msc in the search box, then right-click on gpedit.msc when it appears above. Choose Run as administrator and Group Policy Editor opens.
2. Expand Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies and you can disable AutoPlay on all drives.

Install and configure EMET

You can find and download EMET here

Next Run EMET, and click the "Configure System" button. Make sure the following is configured:

• DEP is set to always enabled
• SEHOP is set to opt-out
• ASLR is opt-in enabled

After which you can start to add applications to EMET, select the "Configure Apps" button at the bottom of the window, and use EMET to provide extra protection to your programs. Examples:

Web browsers
Media players
PDF readers

Section 4 Network

Unless your network configuration requires it, disable IPv6. IPv6 can be disabled either through the DisabledComponents registry value or through the check box for the Internet Protocol Version 6 (TCP/IPv6) component in the list of items on the Networking tab for the properties of connections in the Network Connections folder.

If you are to use windows firewall, make sure to use the advanced security options and block both inbound and outbound connections.

For the sake of time, I have limited my network hardening to these simple steps. I will list more with the baseline.

Section 5 Backup and Recovery

Make sure you perform full daily back-ups of your system; it is good practice to deploy redundancy and diversity in these cases. Make sure you back up to a local external hard drive (With FDE) as well as another hard drive at a different location. This could be a second hard drive you own and you transport to a safe location, or a cloud environment if applicable. I personally use two external hard drives.

Section 6 SSLF Windows 7 Customized Security Baseline

All these will need to be changed using Group Policy Editor (gpedit.msc). Please note some of these options you will find you already performed above, there is a little overlap though I kept them all here for completeness.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\

Minimum password length = 15

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Interactive logon: Do not display last user name = enabled

User Account Control: Virtualize file and registry write failures to per-user locations = enabled

User Account Control: Only elevate UIAccess applications that are installed in secure locations = enabled

User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials on the secure desktop

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop

MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) = enabled

Shutdown: Allow system to be shut down without having to log on = enabled

Interactive logon: Do not require CTRL+ALT+DEL = disabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Bypass traverse checking = Users,Network Service,Local Service,Administrators

Allow log on locally = Administrators, Users

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\

Require trusted path for credential entry = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL

Interactive logon: Do not require CTRL+ALT+DEL = Disabled

Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\

Turn off Autoplay = enabled
Turn off Autoplay = All drives
Default behavior for AutoRun = Do not execute any autorun commands
Turn off Autoplay for non-volume devices = enabled

Computer Configuration\Administrative Templates\Windows Components\NetMeeting\

Disable remote Desktop Sharing = enabled

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\

Turn off the Windows Messenger Customer Experience Improvement Program = enabled
Turn off Help and Support Center "Did you know?" content = enabled
Turn off Windows Customer Experience Improvement Program = enabled

Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\

Turn off Microsoft Peer-to-Peer Networking Services = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior

Interactive logon: Smart card removal behavior = Lock Workstation

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status

Accounts: Guest account status = Disabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account

Accounts: Rename administrator account = Not Defined
Accounts: Rename guest account = Not Defined


Computer Configuration\Administrative Templates\Windows Components\Windows Mail\

Turn off the communities features = enabled
Turn off Windows Mail application = enabled

Computer Configuration\Administrative Templates\System\Remote Assistance\

Solicited Remote Assistance = disabled

Computer Configuration\Administrative Templates\Windows Components\HomeGroup\

Prevent the computer from joining a homegroup = enabled

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\

Windows Firewall: Public: Allow unicast response = No

User Configuration\Administrative Templates\Control Panel\Personalization\

Password protect the screen saver = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)

MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) = 0

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked

Interactive logon: Display user information when the session is locked = Enable

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the compute

System cryptography: Force strong key protection for user keys stored on the computer = Enable

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users

User Account Control: Behavior of the elevation prompt for standard users = Automatically deny elevation requests

Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges

Always install with elevated privileges = Disabled

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP

Turn off downloading of print drivers over HTTP = Enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares

Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory pagefile

Shutdown: Clear virtual memory pagefile = Enable

Section 7 Privacy hardening

Here if you wish you can disable logging events, I have listed the values that are turned on by default as of Windows 7 SP1, these can be useful to determine attack vectors or troubleshooting though if you wish you can go dark by changing the following:

(Please note you may cause some applications that rely on generating bug reports to "hang up")

Audit Policy: System: Other System Events = No Auditing
Audit Policy: Logon-Logoff: Logon = No Auditing
Audit Policy: System: Security State Change = No Auditing
Audit Policy: Logon-Logoff: Special Logon = No Auditing
Audit Policy: System: System Integrity = No Auditing
Audit Policy: Account Management: Security Group Management = No auditing
Audit Policy: Logon-Logoff: Account Lockout = No auditing
Audit Policy: Policy Change: Audit Policy Change = No auditing
Audit Policy: Policy Change: Authentication Policy Change = No auditing
Audit Policy: Logon-Logoff: Logoff= No auditing

Additional computing habits to keep in mind:

• Encrypt all data transmitted over your network. Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local area network, it should still be encrypted.
• Minimize the amount of software installed and running in order to minimize vulnerability. This should be self-explanatory, only allow software you use to run in your windows environment, uninstall and disable any programs or services that are not in use or pose a security risk.
• Enable security-enhancing software and tools whenever available. (Many of these will be touched on below)
• Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.
• Review system and application logs on a routine basis. Send logs to a separate hard drive location. This prevents intruders from easily avoiding detection by modifying the local logs.
• Never log in directly as admin, unless absolutely necessary.

 

Thanks, much of what I expected. I was fooling around with the group policies so it's good to know I was on the right track.

Anything else I should know?

 

OK I did something to Autorun and now my Apps wont work, well my cleaning apps. What do I need to change back?

 

Click this, then double click to launch the installer and run.

 

I did a system restore, I'll try and do a image restore and implement the changes.

 

1 More question how about using a VM aka VirtualBox running Linux/TOR. Anything I need to do?

 

After you install Linux and tor, update the OS then take a clean snapshot. You should revert back to this snapshot after each use. Additionally update the image as upgrades become available.

 

EB, great post. Printed. Thanks.

PD

Edit: One question: Does the Windows password 'matter'? Coming from the old XP Password Reset Disk days, I was under the impression that no matter how good, the Windows password was easily defeated in various ways? (I use TC on everything, and have for years, and always shut down, so I've never bothered to delve heavily into Windows' passwords).

 

PD that is an interesting question to answer, as given the type of situation, my response will vary. In general terms you are correct with regards to the weaknesses with windows passwords. PTH attacks and rainbow tables it can be trivial to crack depending on the type of hashing the windows client is using and the password policy in place. For a home user, I would say it is necessary to have a password enabled, but should be regarded as a wooden door instead of a steel one.

 

Thanks, kind of what I thought. I use them, and they're not words and contain upper lower, yadda, yadda...but it's less than 10 characters. I was going to change them, but I have 8 boxes including WHS 2011 and it would be a pain for (?) gain. Think I'll stay with what I've got. Thanks again.

PD

 

@ EncryptedBytes


Which hypervisor do you use and recommend? Do you run your vms in NAT or bridged mode?

Can you please elaborate on network hardening tips?

For FDE encryption, is there a way to check that the device was not tampered with if left unattended or should it be considered compromised regardless?

If you could give an overview of your setup it would be much appreciated since you are a professional. We could learn a lot here. Thanks

 

That's a great guide, do you know of a similar one for Win XP?

 

The two main hypervisors most users are familiar with are VMware and virtualbox. Both are pretty secure. The main differences between the two are cost and functionality (VMware has better 3d support and usb device compatibility). Personally I recommend virtualbox, I’ve used it on both Linux and Windows hosts it has been very stable and I have had no issues with it.

But what about security? Both hypervisors are not without their share of known vulnerabilities and exploits. As you would with any software it is important you keep your hypervisor up to date with the current versions.

To answer your question, I would suggest bridged mode with your Guest.

In terms of my current set up, I run Linux images inside a Windows 7 x64
Host used for internet browsing along with a few windows XP/7/8 images I used for software testing. My VirtualBox and images are segmented on a second hard drive and I limit their memory space on my laptop. I also have disabled sharing of any kind between host and guest. All images are reverted back to a clean state after use.

To others considering virtualization I would advise you make sure you have the hardware to run it. Running hypervisors on the same hard drive as your Host can cause significant performance decreases.

For a home user in terms of hardening from an OS perspective I would focus around the Windows Firewall.

So I didn't replicate someone else's work, Here is a great guide written by another Wilders member on how to utilize the advanced functionality of the windows firewall.

If you use the built in FW as I do, I would advise you to go through your rule sets, and prune out any services and default allows you do not need.

In terms of targeted attacks there are a million ways an adversary can grab your encryption pasword all of which do not involve your machine. Are you talking more in terms of software keyloggers? There are two ways to stop the “evil maid” type of attacks: keeping your boot partition on a flash drive you carry at all times, or using a checksum value of the boot sector and boot partition to detect changes. (Though there are things not yet published that can even beat those. ) Realistically keeping your FDE device in a secured room should be fine, if you want to keep your boot loader separate that too will work and increase your security even more.

Where I would not trust my device is leaving it unattended in a foreign country or environment hostile to my place of origin.

I can write one up. Will post it in a day or two.

 

Well sure, I understand that with a targeted attack, a password would be the least of concerns, especially if its done by a nation state. TEMPEST, microcameras or just sheer torture come to mind

Assuming that I go to a hostile country (say China) where they could use the network to implant a keylogger; can using only an untrusted vm for network access (using a guest's IP stack) and unchecking the TCP/IP boxes under the host's adapter settings ensure that the host is not reachable in any way via networking, hence its integrity is intact?

Could the network card firmware be compromised? Would a vm protect in this case since its using emulated hardware?

Yeah I was curious about stopping EvilMaid, particularly the checksum hasher technique. But since there are ways around that then never mind. Could it be through hacking the BIOS itself? Probably since nearly all of them are proprietary. I guess that there is just no way that a device that has been out of sight could be trusted then.

Oh wow, I didn't know that Windows Firewall had all these settings. Thanks for the heads up. Now for something like a network IDS, what would you recommend? Is there any point in using one if I am doing everything in a vm?

 

Are there many BIOS malware/viruses going around the blackhat community? I don't frequent those parts of the net I'm curious since I thought I had a BIOS virus the other day.

 

I think the weak password problem was a result of the "LM hash" system which was used in Windows versions prior to Vista (if you use Vista or 7 you should be OK). Newer versions use NTLMv2, which is much more secure (like Linux which uses SHA-512). The biggest problem was that "LM Hash" didn't salt the passwords. Salting makes rainbow tables impossible.

 

While there is always the risk of a flaw in the adapter itself that could case something to misbehave, I feel yes if you isolate your host you should be fine to browse with the guest. I’d also advise you to run both in LUA. Keep in mind also if you place the same safe guards in place for your guest as you would a host, it would be very difficult if not futile to get a remote spyware keylogger to successfully exploit onto a system. I know you are trying to get me to say yep this is 100% secure, or yep there is absolutely no way XYZ could ever happen. Unfortunately there is no such thing as absolute security in IT.

I would still establish firewall controls over your VM. The guest can still get compromised as would a host and could put your network at risk.

Windows Vista and 7 are still suseptable to PTH attacks. That hasn't changed.

 

There is nothing wrong with using Windows passwords - BUT -- as mentioned above they are more like screen doors than security doors. All Windows versions can easily have their SAM "cleared" or changed using numerous live CD approaches. It takes a few seconds to "adjust" a SAM and when finished you can put the original back in place and very few would ever know you where there. My .02

 

EncryptedBytes I appreciate the feedback.

For vms do you use guest tools or do you avoid them for security reasons?

 

No I do not use them as I tend to keep my Host and Guest as isolated as possible.

 

Time for a bookmark gentlemen.
*Bookmarked* THANKS!