
Quick steps to Windows 7 OS hardening

Windows 7 comes with a tighter security model than previous versions of Microsoft's client operating systems, but there are a couple of things you can do to tighten the security of your Windows computer even more.

1. First of all, make sure that the user account you use for day-to-day work is not a member of the local Administrators group. An administrative user account is a security vulnerability in itself, because administrators on the local machine have permission to change system settings.
In Windows 7, the old RunAs command, which could be quite annoying to use in earlier versions of Windows because not all applications supported it, has been integrated more tightly.
Now, whenever you start an administrative Windows task, Windows prompts you for the credentials of an account with administrative permissions, eliminating the need to right-click and choose RunAs.

The fewer privileges you have as a user, the less damage you can do to the system by mistake, so running most tasks as a User will improve the overall security of your system.

2. Change your network type to ‘Public’.
When setting up a new network connection, for instance to your newly created wireless network, Windows 7 will prompt you to choose a network type for the network connection. You will have options to choose:
a. Home Network
b. Office Network
c. Public Network

Home network will be more ‘Open’ than Office network as Windows will treat all computers on the network as ‘Good’ and the network type allows for sharing of personal folders and files with all other computers on this network.
Windows will create a home group for all computers on the network and will enable network discovery and File And Printer Sharing on the computer.

Office Network is a little stricter, while the Public network type is the strictest. The Public network type disables Network discovery, which hides your computer on the network, and File And Printer Sharing is disabled by default.

If you want a more secure computer and do not need to share your files and do not wish to be part of a Home Group, simply choose the Public network type.

Go to Control Panel\Network and Internet\Network and Sharing Center: Change network type to 'Public'.

3. Enable Windows Updates.
Windows Updates are enabled by default. Make sure the ‘Recommended settings’ are chosen, or set it to download updates and notify you before installing.
Keeping up with the latest updates can significantly help protect your Windows installation.

4. Enable Windows Firewall and make sure all inbound connections are automatically dropped.
The firewall is enabled by default. If you do not need to share anything with other people and computers, you can safely choose to drop all inbound connections to make sure no one can access anything on your computer from the network.
The Windows firewall can filter outgoing traffic as well. If you are serious about protecting your personal files, it can be a good idea to filter outgoing traffic and application access too.

5. Data Execution Prevention (DEP)
Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from your computer's memory reserved for Windows and other authorized programs. These types of attacks can harm your programs and files.

DEP can help protect your computer by monitoring your programs to make sure that they use computer memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.

Go to System\Advanced system settings\Performance\Settings\Data Execution Prevention: Set to all programs (‘Turn on DEP for all programs and services except those I select’).

6. Disable remote assistance and remote desktop connections
If you do not want people messing with your system remotely – that is, if you do not want to give other people the option of connecting to your precious Windows 7 box and playing around with it – you can specify that this will not be an option.

Go to Control Panel\System and Security\System\Advanced System Settings\Remote, uncheck ‘Allow remote assistance connections to this computer’ and select ‘Don't allow connections to this computer’.

7. Change User Account Control Settings to highest level
You might get prompted a bit more, but the overall security is raised a bit as you will get prompts for more common administrative system tasks, enabling you to take a stand on whether you will actually allow the specific task to run.

Go to Control Panel\User Accounts and Family Safety\User Accounts\Change User Account Control Settings: Set to highest level.

8. Disable sharing and the NetBios protocol
If you are pretty sure you will not need to share your files over the network, you can go further and completely remove the option to share files.
Disable NetBIOS over TCP/IP on the network adapters on the computer. Remove the check mark on Network and sharing, so that the machine is not using the 'File And Printer Sharing For Microsoft Networks' protocol.

Go to Control Panel\Network and Internet\Network Connections
Right-click the adapter of your choice (if you have more than one) and choose Properties.
Double-click ‘Internet Protocol Version 4 (TCP/IPv4)’. Navigate to ‘Advanced’ and choose ‘WINS’.
Check ‘Disable NetBIOS over TCP/IP’.

This will block connections to some of the most insecure ports on a Windows operating system – or some of the most exploited.

9. Disable unnecessary services
You can stop here, but if you know exactly what your computer will be used for, you can go further and disable some of the many services that Windows 7 runs but you probably won’t need.
Examples of those services are:
a. TCP/IP Netbios helper
b. Server Service
c. Computer Browser
d. Remote Registry
e. HomeGroup Listener (if you are not intending to use the homegroup features)
f. HomeGroup Provider (if you are not intending to use the homegroup features)

There might be many more, but I have chosen some of the services used for sharing files. If you do not want your Windows computer to be every man's property, you can safely disable these services to secure your box even more.
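
The GUI settings from steps 4 to 9 can be verified in one pass. The script below is an added example, not part of the original article: it only reads the registry values, WMI properties and service start modes that sit behind those dialogs on Windows 7 and compares them with the values the steps recommend.

```powershell
# Added example: read-only audit of steps 4-9 (changes nothing).
# Uses only PowerShell 2.0 cmdlets, so it runs on a stock Windows 7 install.
$results = @()
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}
function Add-Check($Step, $Setting, $Actual, $Expected) {
    $script:results += New-Object PSObject -Property @{
        Step = $Step; Setting = $Setting; Actual = $Actual
        Expected = $Expected; Pass = ("$Actual" -eq "$Expected")
    }
}

# Step 4: firewall enabled in every profile (locally configured values;
# settings pushed by Group Policy are stored under a separate Policies key).
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    Add-Check 4 "Firewall $p" (Get-RegValue "$fw\$p" 'EnableFirewall') 1
}

# Step 5: DEP policy. 0 = always off, 1 = always on, 2 = opt-in (default),
# 3 = opt-out ("all programs and services except those I select").
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 5 'DEP policy' $os.DataExecutionPrevention_SupportPolicy 3

# Step 6: Remote Assistance off, Remote Desktop connections denied.
$ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'
Add-Check 6 'Remote Assistance' (Get-RegValue "$ctl\Remote Assistance" 'fAllowToGetHelp') 0
Add-Check 6 'Deny RDP' (Get-RegValue "$ctl\Terminal Server" 'fDenyTSConnections') 1

# Step 7: UAC slider at the top ("Always notify").
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 7 'UAC admin prompt' (Get-RegValue $uac 'ConsentPromptBehaviorAdmin') 2
Add-Check 7 'UAC secure desktop' (Get-RegValue $uac 'PromptOnSecureDesktop') 1

# Step 8: NetBIOS over TCP/IP per adapter. 0 = from DHCP, 1 = on, 2 = off.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { Add-Check 8 "NetBIOS: $($_.Description)" $_.TcpipNetbiosOptions 2 }

# Step 9: short service names of the six services listed in the article.
$names = 'lmhosts', 'LanmanServer', 'Browser', 'RemoteRegistry',
         'HomeGroupListener', 'HomeGroupProvider'
foreach ($n in $names) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$n'"
    Add-Check 9 "Service $n" $svc.StartMode 'Disabled'
}

$results | Sort-Object Step | Format-Table Step, Setting, Actual, Expected, Pass -AutoSize
```

Rows with Pass = False are settings that differ from the recommendation in the corresponding step; an empty Actual column means the value or service was not found on the machine.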

I haven’t mentioned a good AV solution and common sense as security steps as I guess they are more or less mandatory for a secure environment.

23-11-2009 by Thomas Møller Nexø

Comments (17)

 

zeb 10-01-2010 03:26
great :)
 
Thomas Møller Nexø 10-01-2010 12:09
Hi Zep.

Glad you liked it.
I found out later that the Data Execution Prevention (DEP) step from the article can cause undesired results in terms of instability and should be used with caution.
My computer began to run very unpredictably for a while and made blue screens on a regular basis, so I decided to change it back to default settings, and since then it has been running fine.
So I guess Data Execution Prevention (DEP) for all apps is an option, but again it should be used with caution - maybe on a computer with fewer and well known apps.

Cheers!
 
AliOne 07-04-2010 22:16
Thanks!
 
Cris 28-06-2010 17:14
This is a great list! Very useful article. Thank you Thomas
 
Thomas Møller Nexø 28-06-2010 19:33
Thanks! That's good to know.
If you or anybody else has some additional steps to harden the Windows 7 OS further, I will be very happy to hear about them.
 
monty tyagi 20-08-2010 14:06
Thanks
These are very useful & helpful steps.
 
sum-m 26-10-2010 12:02
Very useful to begin the research. Thank you....
 
static 25-02-2011 16:19
Regarding DEP:

I wonder if the instability was related to BIOS settings. I'm pretty sure the NX (No eXecute) bit should be enabled in your BIOS for DEP to work.

Intel markets the feature as the XD bit, for eXecute Disable. AMD uses the name Enhanced Virus Protection.

http://en.wikipedia.org/wiki/NX_bit
 
mona 09-03-2011 21:27
It was very useful for me.
Thanks in Advance
 
molossus 19-08-2011 22:56
This guide will make Win7 UAC ask for a password every time there is a change in Win7
http://superuser.com/questions/91357/on-windows-7-can-one-make-uac-on-an-admin-account-prompt-for-the-password-just-l
 
James 07-11-2011 23:16
Great article on securing Windows 7. I found another article that has some more tips.

http://www.safegadget.com/16/how-to-internet-security-and-windows-security-made-easy/
 
Sandeep 26-05-2012 13:27
I was in search of a Win7 hardening process and you have helped me...

Thank you very much...
 
MsE 18-09-2012 21:31
Thank you! I will truly apply this information to my system.
 
Thomas Møller Nexø 09-11-2012 11:37
Thanks for the input guys :)
 
fa 15-01-2013 11:24
Beautiful post. Still valid till date (15/01/2013). Helps keep intruders away and frustrated.

Thanks.

Fa
 
Aaron 19-02-2013 23:52
One of the best things to have for any system is a Router. Since adding one I've not had a single instance of trouble of any kind, and using Steganos Anonym 2012 (latest) makes you HIGHLY anon. :-)
 
Aaron in DE 19-02-2013 23:53
One of the best things to have for any system is a Router. Since adding one I've not had a single instance of trouble of any kind, and using Steganos Anonym 2012 (latest) makes you HIGHLY anon. :-)
 
