Using Group Policy Editor (gpedit.msc) to harden Windows 7

Just as I've done here with IE 9, I've done similar with the Win 7 O/S. It's a work in progress but it's at least nearly complete.

The baseline is a completely customized one using the MSCM (Microsoft Security Compliance Manager). The .XLSX document can be downloaded here:

-http://www.megaupload.com/?d=8ODEIF49

Registry settings are included.

 

Windows 7 Customized Security Baseline

Edited October 31, 2011. (green = added settings)

2003-compatible Excel spreadsheet w/registry values here: -http://www.megaupload.com/?d=AQO7ME1I

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\

• Minimum password length = 8

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

• Interactive logon: Do not display last user name = enabled
• User Account Control: Run all administrators in Admin Approval Mode = enabled
• User Account Control: Virtualize file and registry write failures to per-user locations = enabled
• User Account Control: Only elevate UIAccess applications that are installed in secure locations = enabled
• User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials on the secure desktop
• User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop
• User Account Control: Only elevate executables that are signed and validated = disabled (caused considerable delay in elevating processes and it also requires public key infrastructure )
• MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) = enabled
• Shutdown: Allow system to be shut down without having to log on = enabled
• Interactive logon: Do not require CTRL+ALT+DEL = disabled
• Devices: Prevent users from installing printer drivers = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

• Bypass traverse checking = Users,Network Service,Local Service,Administrators
• Allow log on locally = Administrators, Users

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\

• Require trusted path for credential entry = enabled

Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\

• Turn off Autoplay = enabled
• Turn off Autoplay = All drives
• Default behavior for AutoRun = Do not execute any autorun commands
• Turn off Autoplay for non-volume devices = enabled

Computer Configuration\Administrative Templates\Windows Components\NetMeeting\

• Disable remote Desktop Sharing = enabled

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\

• Turn off the Windows Messenger Customer Experience Improvement Program = enabled
• Turn off Help and Support Center "Did you know?" content = enabled
• Turn off Windows Customer Experience Improvement Program = enabled

Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\

• Turn off Microsoft Peer-to-Peer Networking Services = enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Defender\

• Turn off Real-Time Monitoring = enabled
• Turn off Windows Defender = enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Mail\

• Turn off the communities features = enabled
• Turn off Windows Mail application = enabled

Computer Configuration\Administrative Templates\System\System Restore\

• Turn off System Restore = enabled

Computer Configuration\Administrative Templates\System\Remote Assistance\

• Solicited Remote Assistance = disabled

Computer Configuration\Administrative Templates\Windows Components\HomeGroup\

• Prevent the computer from joining a homegroup = enabled

Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\

• Disable Windows Error Reporting = enabled

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\

• Windows Firewall: Public: Allow unicast response = No

User Configuration\Administrative Templates\Control Panel\Personalization\

• Password protect the screen saver = enabled

Computer Configuration\Administrative Templates\System\Power Management\

• Specify a Custom Active Power Plan = enabled, GUID = 381b4222-f694-41f0-9685-ff5bb260df2e (Balanced)