Using Group Policy Editor (gpedit.msc) to harden Windows 7

Discussion in 'other software & services' started by wat0114, Oct 24, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Just as I've done here with IE 9, I've done similar with the Win 7 O/S. It's a work in progress but it's at least nearly complete.

    The baseline is a completely customized one using the MSCM (Microsoft Security Compliance Manager). The .XLSX document can be downloaded here:

    -http://www.megaupload.com/?d=8ODEIF49

    Registry settings are included.
     
  2. wat0114

    wat0114 Guest

    Windows 7 Customized Security Baseline

    Edited October 31, 2011. (green = added settings)

    2003-compatible Excel spreadsheet w/registry values here: -http://www.megaupload.com/?d=AQO7ME1I

    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
    • Minimum password length = 8
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
    • Interactive logon: Do not display last user name = enabled
    • User Account Control: Run all administrators in Admin Approval Mode = enabled
    • User Account Control: Virtualize file and registry write failures to per-user locations = enabled
    • User Account Control: Only elevate UIAccess applications that are installed in secure locations = enabled
    • User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials on the secure desktop
    • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop
    • User Account Control: Only elevate executables that are signed and validated = disabled (caused considerable delay in elevating processes and it also requires public key infrastructure)
    • MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) = enabled
    • Shutdown: Allow system to be shut down without having to log on = enabled
    • Interactive logon: Do not require CTRL+ALT+DEL = disabled
    • Devices: Prevent users from installing printer drivers = enabled
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
    • Bypass traverse checking = Users,Network Service,Local Service,Administrators
    • Allow log on locally = Administrators, Users
    Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\
    • Require trusted path for credential entry = enabled
    Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\
    • Turn off Autoplay = enabled
    • Turn off Autoplay = All drives
    • Default behavior for AutoRun = Do not execute any autorun commands
    • Turn off Autoplay for non-volume devices = enabled
    Computer Configuration\Administrative Templates\Windows Components\NetMeeting\
    • Disable remote Desktop Sharing = enabled
    Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
    • Turn off the Windows Messenger Customer Experience Improvement Program = enabled
    • Turn off Help and Support Center "Did you know?" content = enabled
    • Turn off Windows Customer Experience Improvement Program = enabled
    Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\
    • Turn off Microsoft Peer-to-Peer Networking Services = enabled
    Computer Configuration\Administrative Templates\Windows Components\Windows Defender\
    • Turn off Real-Time Monitoring = enabled
    • Turn off Windows Defender = enabled
    Computer Configuration\Administrative Templates\Windows Components\Windows Mail\
    • Turn off the communities features = enabled
    • Turn off Windows Mail application = enabled
    Computer Configuration\Administrative Templates\System\System Restore\
    • Turn off System Restore = enabled
    Computer Configuration\Administrative Templates\System\Remote Assistance\
    • Solicited Remote Assistance = disabled
    Computer Configuration\Administrative Templates\Windows Components\HomeGroup\
    • Prevent the computer from joining a homegroup = enabled
    Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\
    • Disable Windows Error Reporting = enabled
    Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\
    • Windows Firewall: Public: Allow unicast response = No
    User Configuration\Administrative Templates\Control Panel\Personalization\
    • Password protect the screen saver = enabled
    Computer Configuration\Administrative Templates\System\Power Management\
    • Specify a Custom Active Power Plan = enabled, GUID = 381b4222-f694-41f0-9685-ff5bb260df2e (Balanced)
     
    Last edited by a moderator: Oct 31, 2011
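
    An added example, not part of the original posts: a PowerShell check that compares some of the Security Options, AutoPlay and Credential UI settings listed above against the local registry. The registry value names are the standard ones behind these policies and are an assumption here, since the poster's spreadsheet is not reproduced on this page; the function name `Test-BaselineItem` is hypothetical.

```powershell
# Added example (not from the thread): audit part of the baseline on the local machine.
# Registry value names are the standard ones behind these policies, not taken from
# the poster's spreadsheet. Written for the PowerShell 2.0 shipped with Windows 7.
$sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$baseline = @(
    @{ Policy = 'Do not display last user name';      Path = $sys;  Name = 'DontDisplayLastUserName';     Want = 1 },
    @{ Policy = 'Do not require CTRL+ALT+DEL = off';  Path = $sys;  Name = 'DisableCAD';                  Want = 0 },
    @{ Policy = 'Shut down without logging on';       Path = $sys;  Name = 'ShutdownWithoutLogon';        Want = 1 },
    @{ Policy = 'UAC: Admin Approval Mode';           Path = $sys;  Name = 'EnableLUA';                   Want = 1 },
    @{ Policy = 'UAC: virtualize write failures';     Path = $sys;  Name = 'EnableVirtualization';        Want = 1 },
    @{ Policy = 'UAC: UIAccess in secure locations';  Path = $sys;  Name = 'EnableSecureUIAPaths';        Want = 1 },
    @{ Policy = 'UAC: standard user prompt';          Path = $sys;  Name = 'ConsentPromptBehaviorUser';   Want = 1 },
    @{ Policy = 'UAC: administrator prompt';          Path = $sys;  Name = 'ConsentPromptBehaviorAdmin';  Want = 2 },
    @{ Policy = 'UAC: signed executables only = off'; Path = $sys;  Name = 'ValidateAdminCodeSignatures'; Want = 0 },
    @{ Policy = 'Turn off Autoplay (all drives)';     Path = $expl; Name = 'NoDriveTypeAutoRun';          Want = 255 },
    @{ Policy = 'Default behavior for AutoRun';       Path = $expl; Name = 'NoAutorun';                   Want = 1 },
    @{ Policy = 'Autoplay for non-volume devices';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Name = 'NoAutoplayfornonVolume'; Want = 1 },
    @{ Policy = 'Safe DLL search mode';               Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name = 'SafeDllSearchMode'; Want = 1 },
    @{ Policy = 'Trusted path for credential entry';  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
       Name = 'EnableSecureCredentialPrompting'; Want = 1 }
)

function Test-BaselineItem($item) {
    # Read one value; a missing key or value leaves $actual as $null.
    $name   = $item.Name
    $actual = $null
    $prop   = Get-ItemProperty -Path $item.Path -Name $name -ErrorAction SilentlyContinue
    if ($prop) { $actual = $prop.$name }
    if ($null -eq $actual)           { $state = 'NOT SET' }
    elseif ($actual -eq $item.Want)  { $state = 'OK' }
    else                             { $state = 'MISMATCH' }
    New-Object PSObject -Property @{
        State = $state; Policy = $item.Policy; Name = $name; Want = $item.Want; Actual = $actual
    }
}

$results = $baseline | ForEach-Object { Test-BaselineItem $_ }
$results | Select-Object State, Policy, Name, Want, Actual | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.State -ne 'OK' }).Count
Write-Output "$failed of $($baseline.Count) checked settings differ from the baseline."
```

    NOT SET means the value is absent, so the policy is not configured and the operating system default applies; MISMATCH means a value is configured but contradicts the baseline.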