Hardening Windows 7

Discussion in 'other software & services' started by rubixcube, Mar 17, 2011.

Thread Status:
Not open for further replies.
  1. rubixcube

    rubixcube Registered Member

    Joined:
    Mar 16, 2011
    Posts:
    5
    What are the strategies for hardening Windows 7?

    UAC
    configure FW to deny all with exceptions to specifics
    close all useless services
    EMET 2.0
    Applocker
    use LUA

    What else?
     
  2. Matthijs5nl

    Matthijs5nl Guest

    Nothing else.

    If you combine that hardening with the following measures, you have a rock solid and ultra light security setup:

    1. using a router is a great security measure;
    2. keep all your applications up-to-date;
    3. use Windows Backup and Restore, make sure you have a system image (preferably on disc), make sure system restore is enabled and backup your personal and confidential files.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Disabling Remote registry service and Administrative shares.
     
  4. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Good steps are mentioned for getting most of the way to hardening a running system, but more needs to be done to prevent off line attacks.

    Anyhow, in addition addition to whats been mentioned I do the following (incomplete list):

    Use encrypted filesystem e.g. Bitlocker
    Use per user encryption for user profile folders (EFS) - works with bit locker yeah !
    Disable execute from user profile folders (stop execution from drive by malware).
    Disable user write access to windows and program folders (reduces malware chances of changing or adding new files)
    Use group policy editor to enforce strong passwords and expiry.
    Use 64bit windows and make sure DEP is on for all programs.

    Password protect BIOS settings, disable starting up from anything apart from boot HDD.

    More extreme things:
    Disable reading/writing from external drives as standard user, only allow use of encrypted removeable drives.
    Apply a Windows security template.
    Use HDD boot password.

    Finally your system is not hardened until its proven, one mis configuration, one untested application and its all for nothing.
    So do some penetration testing of your system so you know its secure and not just running off blind faith of advice from others (we make mistakes, information gets outdated as new vectors of attack are developed etc etc etc).

    I know its not an easy to learn how to pen test or even practicle to do in a home settings, but making a start is better than nothing at truely knowing if your system is secure.

    Cheers, Nick
     
    Last edited: Mar 17, 2011
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Oh yes, and off course disabling hiding extensions for known file types in order to easily identify malware with double extensions.
     
  6. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    343
    Disabling the power button seems like a good idea sometimes.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Keep Windows Update enabled. Can also use Parental Controls and/or Windows Defender.
     
  8. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I have Windows 7 Ultimate and just use as admin without even using AppLocker. That program is just too big a pain - just like LUA or whatever it is. I think for me just using a DNS service and disabling js in my internet browsers does the trick- along with a light antivirus and quiet behavior monitor. My combo for that is Avast Pro and Prevx. I'm also behind a router. And UAC is enabled.

    Without the PITA of LUA and AppLocker I am actually able to enjoy getting on the internet and keeping my computer up to date. I suppose everyone has their x-y axis of usability and security and the intersection of where the two meet. It looks like I have found mine. Maybe my set up is .000001% more likely to become infected with some rootkit or rogue program but I'll take that chance. Otherwise the desktop becomes a nice bird house and the monitor gets flipped on its back to hold a checkerboard or service of iced tea.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Have you tried putting UAC on quiet mode (but turned on) and utilizing some different in-built methods that enhance security (vs. full blown admin with no UAC) but offer a great compromise of some protection vs. little annoyance?

    Sul.
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
    I honestly don't see why all this, just do this:

    1. DEP;
    2. SEHOP;
    3. EMET;
    4. Windows Updated;
    5. All your programs always keep them updated;
    6. Windows Backup & Restore (system image, if you don't have any image program installed);
    7. Windows Firewall (no need of another);
    8. Don't save your passwords in the browser, this is a mistake that nearly all commit;
    9. Keep only the required applications installed, otherwise, use the portable version;
    10. Have a good DNS server;
    11. If an application does not use the internet (necessarily) to block your access;
    12. Keep your data and the system image stored on an external HD (Microsoft Synctoy is interesting);

    Are steps simple to run and you really have a security gain, and nothing that will get you stuffing restrictions, pop-ups or other problems.

    If you are looking to create a lightweight configuration, with a program in real time, just run the Prevx SafeOnline + Windows Hardenning + Hitman Pro (self-checks daily) and absolutely nothing else is required.

    And it's all free (if you do not take into account the price of Windows 7)
     
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I have UAC enabled but also run as admin. Then there's a few other things I do (dyn dns, no js enabled except for white listing, Prevx, Avast Pro and behind a router). Plus I keep programs updated.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Someone mentions disabling services. I'm wondering what's your preference for preventing remote desktop connection. Do you disable all 3 services related to remote desktop configuration, service and user mode, or just prevent remote connection by unchecking such option in Computer options > Remote settings?

    If I'm not wrong, I think I have them either disabled or set to manual.

    It would be nice to know what's your take on what services you consider should be disabled.

    I'm aware there's Blackviper, which is a great source, but nothing beats several uses and experiences.

    I have things like Remote Registry, remote assistance, and other useless crap like media player sharing, windows search and a few others disabled. Then there's services that are bound to applications I use, of course. I manage those as needed.

    Anyway, I'm just wondering what's the approach of each one of you. :D
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    I prefer disabled services, then functions like remote desktop will simply fail. I changed only those, the rest is default: -www.scribd.com/doc/54756504/Services- + processes.
     
    Last edited: May 6, 2011
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I turn off any service that I don't need, as long as another service does not depend on it.

    I set many services to manual. Some turn on when they need, others I have to turn on. Example is the DHCP and Server services. When I need them, from the run box I use
    sc start <service name goes here>
    on reboot the services are back to the off state.

    Any service that I use that holds open a port I modify if I can. Example is Remote Destkop, I change the default port or I do port forwarding with my router.

    Some other places you might examine
    https://www.wilderssecurity.com/showthread.php?t=291365
    https://www.wilderssecurity.com/showthread.php?t=264882

    Sul.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Nice threads. I've modified my Desktop context menu, quite some time ago. Nothing that fancy... :D I just added Control Panel, Office, CD/DVD recorder, downloads manager, Windows accessories.

    I've added them under [HKEY_CLASSES_ROOT\Directory\Background\shell\, but it's possible also to add them under [HKEY_CLASSES_ROOT\DesktopBackground\Shell\.

    The first option will make them available in both Desktop and Computer/Explorer. The second one will make it available only to the Desktop.

    I like the first option, though. If I happen to have some folder opened, and all of a sudden I remember I need to do something, like in Excel, then I'll just right-click an empty space and choose Excel, in the Office menu. Otherwise I'd have to minimize the folder's window.

    P.S: Sorry for not replying in the respective thread, which would make more sense, but for some reason I'd get logged out, whenever clicking the links you provided. Yesterday, I was able to enter those pages without being logged out. Maybe something that the web browser is blocking. I made a few changes... I'll figure it out. ;)
     
Loading...
Thread Status:
Not open for further replies.