Hardening Windows 7

Discussion in 'other software & services' started by rubixcube, Mar 17, 2011.

Thread Status:
Not open for further replies.
  1. rubixcube

    rubixcube Registered Member

    Joined:
    Mar 16, 2011
    Posts:
    5
    What are the strategies for hardening Windows 7?

    UAC
    configure FW to deny all with exceptions to specifics
    close all useless services
    EMET 2.0
    AppLocker
    use LUA

    What else?
     
  2. Matthijs5nl

    Matthijs5nl Guest

    Nothing else.

    If you combine that hardening with the following measures, you have a rock solid and ultra light security setup:

    1. using a router is a great security measure;
    2. keep all your applications up-to-date;
    3. use Windows Backup and Restore, make sure you have a system image (preferably on disc), make sure system restore is enabled and backup your personal and confidential files.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Disabling Remote registry service and Administrative shares.
     
  4. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Good steps are mentioned for getting most of the way to hardening a running system, but more needs to be done to prevent offline attacks.

    Anyhow, in addition to what's been mentioned I do the following (incomplete list):

    Use encrypted filesystem e.g. BitLocker
    Use per user encryption for user profile folders (EFS) - works with BitLocker, yeah!
    Disable execute from user profile folders (stop execution from drive by malware).
    Disable user write access to windows and program folders (reduces malware chances of changing or adding new files)
    Use group policy editor to enforce strong passwords and expiry.
    Use 64bit windows and make sure DEP is on for all programs.

    Password protect BIOS settings, disable starting up from anything apart from boot HDD.

    More extreme things:
    Disable reading/writing from external drives as standard user, only allow use of encrypted removable drives.
    Apply a Windows security template.
    Use HDD boot password.

    Finally, your system is not hardened until it's proven; one misconfiguration, one untested application and it's all for nothing.
    So do some penetration testing of your system so you know it's secure and not just running off blind faith of advice from others (we make mistakes, information gets outdated as new vectors of attack are developed etc etc etc).

    I know it's not easy to learn how to pen test or even practical to do in a home setting, but making a start is better than nothing at truly knowing if your system is secure.

    Cheers, Nick
     
    Last edited: Mar 17, 2011
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Oh yes, and of course disabling hiding extensions for known file types in order to easily identify malware with double extensions.
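
Added example, not part of the post above: a PowerShell check for the double-extension problem it describes. It reports whether Explorer is hiding extensions and lists files in the Downloads folder whose last extension is executable while the one before it looks like a document. The extension lists, the sample names and the choice of the Downloads folder are assumptions made for illustration.

```powershell
# Added example: flags names such as "holiday.jpg.exe" that read as documents
# when Explorer hides the final extension. Both lists are illustrative, not complete.
$Executable = 'exe','scr','com','pif','bat','cmd','vbs','js','lnk'
$Decoy      = 'pdf','doc','docx','xls','xlsx','jpg','png','txt','mp3','zip'

function Test-DoubleExtension {
    param([string]$FileName)
    # Split on dots and trim each part, so padding before the last dot is ignored.
    $parts = @($FileName.Split('.') | ForEach-Object { $_.Trim().ToLower() })
    if ($parts.Count -lt 3) { return $false }    # need name + two extensions
    return (($Executable -contains $parts[-1]) -and ($Decoy -contains $parts[-2]))
}

# Explorer setting: HideFileExt = 0 means extensions are shown.
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -eq 0) { 'Extensions are shown' } else { 'Extensions are hidden (default)' }

# Constructed sample names, to show what is and is not flagged.
$samples = 'report.pdf', 'holiday.jpg.exe', 'setup.exe', 'notes.v2.txt', 'invoice.doc   .scr'
foreach ($n in $samples) {
    '{0,-22} suspicious={1}' -f $n, (Test-DoubleExtension $n)
}

# Scan the current user's Downloads folder (assumed location).
$dl = Join-Path $env:USERPROFILE 'Downloads'
if (Test-Path $dl) {
    Get-ChildItem -Path $dl -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (Test-DoubleExtension $_.Name) } |
        Select-Object FullName, Length, LastWriteTime
}
```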
     
  6. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    585
    Disabling the power button seems like a good idea sometimes.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Keep Windows Update enabled. Can also use Parental Controls and/or Windows Defender.
     
  8. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I have Windows 7 Ultimate and just use as admin without even using AppLocker. That program is just too big a pain - just like LUA or whatever it is. I think for me just using a DNS service and disabling js in my internet browsers does the trick - along with a light antivirus and quiet behavior monitor. My combo for that is Avast Pro and Prevx. I'm also behind a router. And UAC is enabled.

    Without the PITA of LUA and AppLocker I am actually able to enjoy getting on the internet and keeping my computer up to date. I suppose everyone has their x-y axis of usability and security and the intersection of where the two meet. It looks like I have found mine. Maybe my set up is .000001% more likely to become infected with some rootkit or rogue program but I'll take that chance. Otherwise the desktop becomes a nice bird house and the monitor gets flipped on its back to hold a checkerboard or service of iced tea.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Have you tried putting UAC on quiet mode (but turned on) and utilizing some different in-built methods that enhance security (vs. full blown admin with no UAC) but offer a great compromise of some protection vs. little annoyance?

    Sul.
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,350
    I honestly don't see why all this, just do this:

    1. DEP;
    2. SEHOP;
    3. EMET;
    4. Windows Updated;
    5. All your programs always keep them updated;
    6. Windows Backup & Restore (system image, if you don't have any image program installed);
    7. Windows Firewall (no need of another);
    8. Don't save your passwords in the browser, this is a mistake that nearly all commit;
    9. Keep only the required applications installed, otherwise, use the portable version;
    10. Have a good DNS server;
    11. If an application does not use the internet (necessarily) to block your access;
    12. Keep your data and the system image stored on an external HD (Microsoft Synctoy is interesting);

    Are steps simple to run and you really have a security gain, and nothing that will get you stuffing restrictions, pop-ups or other problems.

    If you are looking to create a lightweight configuration, with a program in real time, just run the Prevx SafeOnline + Windows Hardening + Hitman Pro (self-checks daily) and absolutely nothing else is required.

    And it's all free (if you do not take into account the price of Windows 7)
     
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    I have UAC enabled but also run as admin. Then there's a few other things I do (dyn dns, no js enabled except for white listing, Prevx, Avast Pro and behind a router). Plus I keep programs updated.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Someone mentions disabling services. I'm wondering what's your preference for preventing remote desktop connection. Do you disable all 3 services related to remote desktop configuration, service and user mode, or just prevent remote connection by unchecking such option in Computer options > Remote settings?

    If I'm not wrong, I think I have them either disabled or set to manual.

    It would be nice to know what's your take on what services you consider should be disabled.

    I'm aware there's Blackviper, which is a great source, but nothing beats several uses and experiences.

    I have things like Remote Registry, remote assistance, and other useless crap like media player sharing, windows search and a few others disabled. Then there's services that are bound to applications I use, of course. I manage those as needed.

    Anyway, I'm just wondering what's the approach of each one of you. :D
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    I prefer disabled services, then functions like remote desktop will simply fail. I changed only those, the rest is default: -www.scribd.com/doc/54756504/Services- + processes.
     
    Last edited: May 6, 2011
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I turn off any service that I don't need, as long as another service does not depend on it.

    I set many services to manual. Some turn on when they need, others I have to turn on. Example is the DHCP and Server services. When I need them, from the run box I use
    sc start <service name goes here>
    on reboot the services are back to the off state.

    Any service that I use that holds open a port I modify if I can. Example is Remote Desktop, I change the default port or I do port forwarding with my router.

    Some other places you might examine
    https://www.wilderssecurity.com/showthread.php?t=291365
    https://www.wilderssecurity.com/showthread.php?t=264882

    Sul.
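
Added example, not part of any post in this thread: a read-only PowerShell audit of the items discussed in posts 3 and 12 to 14 (Remote Registry, the three Remote Desktop services, the Remote settings checkbox, the RDP port and the administrative shares). It changes nothing on the system. It uses `Get-WmiObject` because the PowerShell 2.0 shipped with Windows 7 does not expose a start type through `Get-Service`; the helper name `Get-RegValue` is made up for this example.

```powershell
# Added example: read-only audit, written for PowerShell 2.0 (the Windows 7 default).
$targets = @(
    'RemoteRegistry',   # Remote Registry
    'TermService',      # Remote Desktop Services
    'SessionEnv',       # Remote Desktop Configuration
    'UmRdpService'      # Remote Desktop Services UserMode Port Redirector
)

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: returns $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. Start mode and current state of each service.
Get-WmiObject -Class Win32_Service |
    Where-Object { $targets -contains $_.Name } |
    Select-Object Name, StartMode, State, @{ n = 'Finding'; e = {
        if     ($_.StartMode -eq 'Disabled') { 'ok: cannot be started' }
        elseif ($_.State -eq 'Running')      { 'review: running now' }
        else                                 { 'note: can still be started on demand' }
    } } |
    Format-Table -AutoSize

# 2. The "Remote settings" checkbox: 1 = incoming Remote Desktop connections refused.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections = $(Get-RegValue $ts 'fDenyTSConnections')"

# 3. RDP listener port (3389 unless it has been changed).
"RDP PortNumber     = $(Get-RegValue "$ts\WinStations\RDP-Tcp" 'PortNumber')"

# 4. Administrative shares: AutoShareWks = 0 stops C$ and ADMIN$ being
#    recreated when the Server service starts; absent or 1 means enabled.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$auto   = Get-RegValue $lanman 'AutoShareWks'
if ($auto -eq 0) { 'Admin shares: disabled' } else { 'Admin shares: enabled (default)' }

# 5. Shares currently published, for comparison with the setting above.
Get-WmiObject -Class Win32_Share | Select-Object Name, Path | Format-Table -AutoSize
```

A service reported as Manual fits the `sc start` workflow described above, but unlike Disabled it can still be started by another process with sufficient rights.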
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Nice threads. I've modified my Desktop context menu, quite some time ago. Nothing that fancy... :D I just added Control Panel, Office, CD/DVD recorder, downloads manager, Windows accessories.

    I've added them under [HKEY_CLASSES_ROOT\Directory\Background\shell\, but it's possible also to add them under [HKEY_CLASSES_ROOT\DesktopBackground\Shell\.

    The first option will make them available in both Desktop and Computer/Explorer. The second one will make it available only to the Desktop.

    I like the first option, though. If I happen to have some folder opened, and all of a sudden I remember I need to do something, like in Excel, then I'll just right-click an empty space and choose Excel, in the Office menu. Otherwise I'd have to minimize the folder's window.

    P.S: Sorry for not replying in the respective thread, which would make more sense, but for some reason I'd get logged out, whenever clicking the links you provided. Yesterday, I was able to enter those pages without being logged out. Maybe something that the web browser is blocking. I made a few changes... I'll figure it out. ;)
     