Hardening Windows 8.1
From CVL Wiki
This page contains notes on how to harden Windows 8.1. The intent of these changes to the default OS install is to reduce overall exposure to attack, while still remaining usable for the majority of uses.
In particular, these tips apply to ITAR computers and GTA tablets.
Contents |
Networking
Control Panel->Network and Sharing Center->Ethernet->Properties
- Microsoft Network Adapter Multiplexor Protocol: provides the ability to load balance between two or more network cards.
- Disable
- Microsoft LLDP Protocol Driver: Used to create the network map used in the Network browser and Networking and Sharing Centre.
- Disable
- Link Layer Topology Discovery Mapper I/O Driver: Used to discover other computers connected to your local network.
- Disable
- Link Layer Topology Responder: Used to identify your computer to other computers connected to your local network.
- Disable
- Internet Protocol Version 6 (TCP/IPv6): A new version of the IPv4 protocol.
- Do not disable
- Internet Protocol Version 4 (TCP/IPv4): Primary network communication protocol.
- Do not disable.
Services
Disable the following:
- Application Management
- BranchCache
- Certificate Propagation
- Client for NFS
- Distributed Link Tracking Client
- Family Safety (compatability stub for Vista apps)
- Function Discovery Provider Host (HomeGroup)
- Function Discovery Resource Publication (HomeGroup)
- HomeGroup Listener (HomeGroup)
- HomeGroup Provider (HomeGroup)
- Hyper-V Data Exchange Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Guest Service Interface (Hyper-V VM - Turn on if feature is used)
- Hyper-V Guest Shutdown Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Heartbeat Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Remote Desktop Virtualization Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Time Synchronization Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Volume Shadow Copy Requestor (Hyper-V VM - Turn on if feature is used)
- Internet Explorer ETW Collector Service
- IP Helper
- KtmRm for Distributed Transaction Coordinator (MS recommends to stop this service if not needed)
- Link-Layer Topology Discovery Mapper (network discovery)
- Microsoft iSCSI Initiator Service (allows LAN or Internet based storage)
- Netlogon (Active Directory Domain Connections)
- Network Access Protection Agent (reports security configuration)
- Offline Files
- Peer Name Resolution Protocol (HomeGroup, remote assistance)
- Peer Networking Grouping (HomeGroup, remote assistance)
- Peer Networking Identity Manager (HomeGroup, remote assistance)
- PNRP Machine Name Publication Service (server that responds with a machine name)
- Remote Procedure Call (RPC) Locator
- Sensor Monitoring Service (Enable if your device has light sensors)
- Smart Card Device Enumeration Service
- Smart Card Removal Policy
- SNMP Trap
- Storage Service
- Windows Biometric Service
- Windows Connect Now - Config Registrar (Wireless Setup - simplified configuration)
- Windows Location Framework Service
Local Security Policy
- Control Panel -> Administrative Tools -> Local Security Policy
User Rights Assigment
Local Policies -> User Rights Assignment -> Deny access to this computer from the network
- Guests, Anonymous Logon, Administrator, NETWORK SERVICE, SERVICE, SYSTEM, and LOCAL SERVICE.
Password Policy
Account Policies -> Password Policy
- Max password age = 365 days
- Min password length = 12 characters
- Password must meed complexity -> enabled
Turn off AutoPlay
Open Charm Menu (swipe from right) Settings -> Change PC Settings -> PC and Devices -> AutoPlay -> Off
Enable DEP
Right Click Computer -> Properties -> Advanced System Settings -> Performance Settings button -> Data Execution Prevention Tab -> Select "Turn on DEP for all programs ..."
Turn off Remote Assistance
Right Click Computer -> Properties -> Advanced System Settings -> Remote tab Un-checkmark allow remote assistance
Enable Hidden Files
Windows Explorer/ View pull down menu / Options button / Change Folders and Search options / View tab CHECKMARK items below ・ Always show menus ・ Display the full path in the title bar ・ Show hidden files, folders and drives UNCHECK items below ・ hide empty drives in computer folder ・ hide folder merge conflicts ・ hide extensions for known file types Windows Explorer/ View pull down menu / · checkmark File Name Extensions · checkmark Hidden Files
Enable Screen Saver
Right click on desktop and choose Personalize / Screensaver. Configure it to wait 10 minutes, and check mark "On resume, display Logon screen"
Resources Used
http://hardenwindows8forsecurity.com/Harden%20Windows%208.1%2064bit%20Home.html http://www.blackviper.com/service-configurations/black-vipers-windows-8-1-service-configurations/