Hardening Windows 8.1
From CVL Wiki
Latest revision as of 13:22, 11 March 2015
This page contains notes on how to harden Windows 8.1. The intent of these changes to the default OS install is to reduce overall exposure to attack, while still remaining usable for the majority of uses.
In particular, these tips apply to ITAR computers and GTA tablets.
Networking
Control Panel -> Network and Sharing Center -> Ethernet -> Properties
- Microsoft Network Adapter Multiplexor Protocol: provides the ability to load balance between two or more network cards.
  - Disable
- Microsoft LLDP Protocol Driver: used to create the network map shown in the Network browser and in the Network and Sharing Center.
  - Disable
- Link Layer Topology Discovery Mapper I/O Driver: used to discover other computers connected to your local network.
  - Disable
- Link Layer Topology Responder: used to identify your computer to other computers connected to your local network.
  - Disable
- Internet Protocol Version 6 (TCP/IPv6): the successor to the IPv4 protocol.
  - Do not disable
- Internet Protocol Version 4 (TCP/IPv4): primary network communication protocol.
  - Do not disable
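The four bindings above can be audited and switched off without clicking through the adapter dialog. The following PowerShell script is an added example, not part of the wiki page: it assumes the adapter is named "Ethernet" (as in the Control Panel path above), that the NetAdapter module is available (Windows 8 and later), and that the script runs in an elevated shell. The component IDs are the ones the adapter's Properties dialog shows for these entries; the mapping to display names is the script's own.

```powershell
# Added example: audit, and with -Apply disable, the discovery/multiplexor
# bindings the page lists, while checking IPv4/IPv6 stay bound.
param(
    [string]$AdapterName = 'Ethernet',   # assumption: adapter name from the page
    [switch]$Apply                       # without -Apply the script only reports
)

# Component IDs of the bindings the page says to disable, keyed to the
# display names shown in the adapter's Properties dialog.
$bindingsToDisable = @{
    'ms_implat' = 'Microsoft Network Adapter Multiplexor Protocol'
    'ms_lldp'   = 'Microsoft LLDP Protocol Driver'
    'ms_lltdio' = 'Link-Layer Topology Discovery Mapper I/O Driver'
    'ms_rspndr' = 'Link-Layer Topology Discovery Responder'
}
# Bindings the page says to keep; the script never touches these.
$bindingsToKeep = @('ms_tcpip', 'ms_tcpip6')

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

foreach ($id in $bindingsToDisable.Keys) {
    $label = "$($bindingsToDisable[$id]) ($id)"
    $binding = Get-NetAdapterBinding -Name $adapter.Name -ComponentID $id -ErrorAction SilentlyContinue
    if (-not $binding) {
        Write-Output "[skip] $label not present on $($adapter.Name)"
        continue
    }
    if (-not $binding.Enabled) {
        Write-Output "[ok] $label already disabled"
        continue
    }
    if ($Apply) {
        Disable-NetAdapterBinding -Name $adapter.Name -ComponentID $id
        Write-Output "[fixed] disabled $label"
    } else {
        Write-Output "[finding] $label is still enabled"
    }
}

# Sanity check: the page says IPv4 and IPv6 must remain enabled.
foreach ($id in $bindingsToKeep) {
    $b = Get-NetAdapterBinding -Name $adapter.Name -ComponentID $id -ErrorAction SilentlyContinue
    if ($b -and -not $b.Enabled) {
        Write-Warning "$id is disabled on $($adapter.Name); the page says not to disable it"
    }
}
```

Run it once without `-Apply` to see which bindings are still enabled, then with `-Apply` to disable them; the adapter name can be overridden with `-AdapterName` on machines where the interface is not called "Ethernet".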
Services
Disable the following:
- Application Management
- BranchCache
- Certificate Propagation
- Client for NFS
- Distributed Link Tracking Client
- Family Safety (compatibility stub for Vista apps)
- Function Discovery Provider Host (HomeGroup)
- Function Discovery Resource Publication (HomeGroup)
- HomeGroup Listener (HomeGroup)
- HomeGroup Provider (HomeGroup)
- Hyper-V Data Exchange Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Guest Service Interface (Hyper-V VM - Turn on if feature is used)
- Hyper-V Guest Shutdown Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Heartbeat Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Remote Desktop Virtualization Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Time Synchronization Service (Hyper-V VM - Turn on if feature is used)
- Hyper-V Volume Shadow Copy Requestor (Hyper-V VM - Turn on if feature is used)
- Internet Explorer ETW Collector Service
- IP Helper
- KtmRm for Distributed Transaction Coordinator (MS recommends to stop this service if not needed)
- Link-Layer Topology Discovery Mapper (network discovery)
- Microsoft iSCSI Initiator Service (allows LAN or Internet based storage)
- Netlogon (Active Directory Domain Connections)
- Network Access Protection Agent (reports security configuration)
- Offline Files
- Peer Name Resolution Protocol (HomeGroup, remote assistance)
- Peer Networking Grouping (HomeGroup, remote assistance)
- Peer Networking Identity Manager (HomeGroup, remote assistance)
- PNRP Machine Name Publication Service (server that responds with a machine name)
- Remote Procedure Call (RPC) Locator
- Sensor Monitoring Service (Enable if your device has light sensors)
- Smart Card Device Enumeration Service
- Smart Card Removal Policy
- SNMP Trap
- Storage Service
- Windows Biometric Service
- Windows Connect Now - Config Registrar (Wireless Setup - simplified configuration)
- Windows Location Framework Service
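Because the list above uses the display names shown in services.msc, it can be applied as a script rather than one service at a time. This PowerShell script is an added example, not something from the wiki page or from the sources it cites: it assumes an elevated PowerShell on Windows 8.1 and that the display names match the page's list exactly (services missing on a given edition are skipped). On a Hyper-V guest, where the page says the Hyper-V services should stay on, pass `-KeepHyperV`.

```powershell
# Added example: report which of the page's services are still enabled and,
# with -Apply, stop them and set their startup type to Disabled.
param(
    [switch]$Apply,
    [switch]$KeepHyperV   # page: keep Hyper-V services on if the feature is used
)

$servicesToDisable = @(
    'Application Management', 'BranchCache', 'Certificate Propagation',
    'Client for NFS', 'Distributed Link Tracking Client', 'Family Safety',
    'Function Discovery Provider Host', 'Function Discovery Resource Publication',
    'HomeGroup Listener', 'HomeGroup Provider',
    'Hyper-V Data Exchange Service', 'Hyper-V Guest Service Interface',
    'Hyper-V Guest Shutdown Service', 'Hyper-V Heartbeat Service',
    'Hyper-V Remote Desktop Virtualization Service',
    'Hyper-V Time Synchronization Service', 'Hyper-V Volume Shadow Copy Requestor',
    'Internet Explorer ETW Collector Service', 'IP Helper',
    'KtmRm for Distributed Transaction Coordinator',
    'Link-Layer Topology Discovery Mapper', 'Microsoft iSCSI Initiator Service',
    'Netlogon', 'Network Access Protection Agent', 'Offline Files',
    'Peer Name Resolution Protocol', 'Peer Networking Grouping',
    'Peer Networking Identity Manager', 'PNRP Machine Name Publication Service',
    'Remote Procedure Call (RPC) Locator', 'Sensor Monitoring Service',
    'Smart Card Device Enumeration Service', 'Smart Card Removal Policy',
    'SNMP Trap', 'Storage Service', 'Windows Biometric Service',
    'Windows Connect Now - Config Registrar', 'Windows Location Framework Service'
)

if ($KeepHyperV) {
    $servicesToDisable = $servicesToDisable | Where-Object { $_ -notlike 'Hyper-V*' }
}

$findings = @()
foreach ($displayName in $servicesToDisable) {
    # None of the display names contain wildcard characters, so -DisplayName
    # matches literally; services absent on this edition are skipped.
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "[skip] '$displayName' not installed"; continue }

    # Get-Service does not expose the startup type on Windows 8.1, so read it via WMI/CIM.
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    if ($startMode -eq 'Disabled' -and $svc.Status -ne 'Running') {
        Write-Output "[ok] $displayName ($($svc.Name)) already disabled"
        continue
    }

    $findings += "$displayName ($($svc.Name)) start=$startMode status=$($svc.Status)"
    if ($Apply) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force -ErrorAction Continue }
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output "[fixed] $displayName ($($svc.Name))"
    }
}

if (-not $Apply) {
    Write-Output ''
    Write-Output "$($findings.Count) service(s) not yet disabled:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The audit output (service short name plus start mode and status) is also a convenient record to keep with the machine's build notes, so a later review can tell whether something re-enabled a service.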
Local Security Policy
- Control Panel -> Administrative Tools -> Local Security Policy
User Rights Assignment
Local Policies -> User Rights Assignment -> Deny access to this computer from the network
- Guests, Anonymous Logon, Administrator, NETWORK SERVICE, SERVICE, SYSTEM, and LOCAL SERVICE.
Password Policy
Account Policies -> Password Policy
- Max password age = 365 days
- Min password length = 12 characters
- Password must meet complexity requirements -> Enabled
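Both Local Security Policy settings above (the network-logon deny list and the password policy) live in the same place, the security database that `secedit` exports and imports as an INF file, so they can be checked and enforced together. The script below is an added example, not from the wiki page: it assumes an elevated PowerShell on Windows 8.1, that the built-in administrator account is still named "Administrator" (the page names it that way), and that the exported INF lists principals as `*SID` entries, which is the form `secedit /export` writes. The well-known SIDs for the other principals are standard Windows values, not something the page states.

```powershell
# Added example: audit, and with -Apply enforce, the page's password policy
# and "Deny access to this computer from the network" list via secedit.
param([switch]$Apply)

$work = Join-Path $env:TEMP 'cvl-secpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exported = Join-Path $work 'current.inf'

# 1. Export the effective local policy and parse "Name = value" lines.
secedit /export /cfg $exported /quiet | Out-Null
$current = @{}
foreach ($line in Get-Content $exported) {
    if ($line -match '^\s*(\S+)\s*=\s*(.*)$') { $current[$matches[1]] = $matches[2].Trim() }
}

# 2. Expected values, taken from the page.
$expectedAccess = @{
    MaximumPasswordAge    = '365'   # days
    MinimumPasswordLength = '12'    # characters
    PasswordComplexity    = '1'     # "must meet complexity requirements" enabled
}
# Principals to deny network logon. Well-known SIDs are fixed; the local
# Administrator SID is machine-specific, so it is resolved by name.
$denySids = @(
    'S-1-5-32-546',  # Guests
    'S-1-5-7',       # ANONYMOUS LOGON
    'S-1-5-20',      # NETWORK SERVICE
    'S-1-5-6',       # SERVICE
    'S-1-5-18',      # SYSTEM
    'S-1-5-19'       # LOCAL SERVICE
)
try {
    $denySids += (New-Object System.Security.Principal.NTAccount('Administrator')).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "could not resolve local 'Administrator' (renamed?); it will not be added"
}

# 3. Compare.
$findings = @()
foreach ($k in $expectedAccess.Keys) {
    if ($current[$k] -ne $expectedAccess[$k]) {
        $findings += "$k is '$($current[$k])', expected $($expectedAccess[$k])"
    }
}
$currentDeny = @()
if ($current['SeDenyNetworkLogonRight']) {
    # Entries look like *S-1-5-32-546; strip the leading asterisk.
    $currentDeny = $current['SeDenyNetworkLogonRight'].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
foreach ($sid in $denySids) {
    if ($currentDeny -notcontains $sid) { $findings += "SeDenyNetworkLogonRight is missing $sid" }
}

if ($findings.Count -eq 0) { Write-Output '[ok] Local Security Policy matches the page'; return }
$findings | ForEach-Object { Write-Output "[finding] $_" }

# 4. Apply by importing a minimal INF for just these two areas.
if ($Apply) {
    $denyList = ($denySids | ForEach-Object { "*$_" }) -join ','
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MaximumPasswordAge = 365
MinimumPasswordLength = 12
PasswordComplexity = 1
[Privilege Rights]
SeDenyNetworkLogonRight = $denyList
"@
    $infPath = Join-Path $work 'harden.inf'
    Set-Content -Path $infPath -Value $inf -Encoding Unicode
    secedit /configure /db (Join-Path $work 'harden.sdb') /cfg $infPath /areas SECURITYPOLICY USER_RIGHTS /quiet
    Write-Output '[fixed] policy imported; re-run without -Apply to verify'
}
```

Note that importing `SeDenyNetworkLogonRight` replaces the whole list rather than merging, which is what the page intends here; if a machine already has extra entries that should stay, add them to `$denySids` before running with `-Apply`.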
Turn off AutoPlay
Open the Charm Menu (swipe from the right)
Settings -> Change PC Settings -> PC and Devices -> AutoPlay -> Off
Enable DEP
Right click Computer -> Properties -> Advanced System Settings -> Performance Settings button -> Data Execution Prevention tab -> select "Turn on DEP for all programs ..."
Turn off Remote Assistance
Right click Computer -> Properties -> Advanced System Settings -> Remote tab
Uncheck "Allow Remote Assistance connections to this computer"
Enable Hidden Files
Windows Explorer / View pull-down menu / Options button / Change folder and search options / View tab
CHECK the items below:
- Always show menus
- Display the full path in the title bar
- Show hidden files, folders and drives
UNCHECK the items below:
- Hide empty drives in the Computer folder
- Hide folder merge conflicts
- Hide extensions for known file types
Windows Explorer / View pull-down menu:
- Check File name extensions
- Check Hidden items
Enable Screen Saver
Right click on the desktop and choose Personalize / Screen Saver. Configure it to wait 10 minutes, and check "On resume, display logon screen".
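The AutoPlay, DEP, Remote Assistance, Explorer view and screen saver steps above are each a single dialog setting, and every one of them is backed by a registry value or a boot-configuration entry that can be read back to verify the work was done. The script below is an added example, not from the wiki page: the registry paths and value names are the ones these dialogs write on Windows 8.1 as far as I know them, not something the page documents; it assumes an elevated PowerShell, the HKCU checks apply only to the user running it, and the DEP radio button "Turn on DEP for all programs and services except those I select" corresponds to the boot entry's `nx` policy being `OptOut`.

```powershell
# Added example: audit, and with -Apply set, the per-dialog settings the page
# lists (AutoPlay, Remote Assistance, Explorer view options, screen saver, DEP).
param([switch]$Apply)

function New-Check($Setting, $Path, $Name, $Expect, $Kind = 'DWord') {
    [pscustomobject]@{ Setting = $Setting; Path = $Path; Name = $Name; Expect = $Expect; Kind = $Kind }
}

$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$checks = @(
    New-Check 'AutoPlay off (PC Settings)' 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' 'DisableAutoplay' 1
    New-Check 'Remote Assistance not allowed' 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' 'fAllowToGetHelp' 0
    New-Check 'Explorer: always show menus' $adv 'AlwaysShowMenus' 1
    New-Check 'Explorer: show hidden files, folders and drives' $adv 'Hidden' 1
    New-Check 'Explorer: "hide extensions" unchecked' $adv 'HideFileExt' 0
    New-Check 'Explorer: "hide empty drives" unchecked' $adv 'HideDrivesWithNoMedia' 0
    New-Check 'Explorer: "hide folder merge conflicts" unchecked' $adv 'HideMergeConflicts' 0
    New-Check 'Explorer: full path in title bar' 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState' 'FullPath' 1
    New-Check 'Screen saver enabled' 'HKCU:\Control Panel\Desktop' 'ScreenSaveActive' '1' 'String'
    New-Check 'Screen saver waits 10 minutes (600 s)' 'HKCU:\Control Panel\Desktop' 'ScreenSaveTimeOut' '600' 'String'
    New-Check 'Screen saver shows logon screen on resume' 'HKCU:\Control Panel\Desktop' 'ScreenSaverIsSecure' '1' 'String'
)

$findings = 0
foreach ($c in $checks) {
    # A missing value reads as $null, which is reported as a finding.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).$($c.Name)
    if ("$actual" -eq "$($c.Expect)") { Write-Output "[ok] $($c.Setting)"; continue }
    $findings++
    Write-Output "[finding] $($c.Setting): $($c.Name) is '$actual', expected '$($c.Expect)'"
    if ($Apply) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expect -Type $c.Kind
        Write-Output "[fixed] $($c.Setting)"
    }
}

# DEP lives in the boot configuration, not the registry. The "nx" line of the
# current boot entry is one of AlwaysOff, OptIn, OptOut or AlwaysOn.
$nxLine = bcdedit /enum '{current}' | Where-Object { $_ -match '^\s*nx\s' } | Select-Object -First 1
$nx = if ($nxLine) { ($nxLine -split '\s+')[-1] } else { 'unset' }
if ($nx -eq 'OptOut' -or $nx -eq 'AlwaysOn') {
    Write-Output "[ok] DEP policy is $nx"
} else {
    $findings++
    Write-Output "[finding] DEP policy is '$nx', expected OptOut"
    if ($Apply) {
        bcdedit /set '{current}' nx OptOut | Out-Null
        Write-Output '[fixed] DEP set to OptOut (takes effect after a reboot)'
    }
}

Write-Output "$findings setting(s) differed from the page"
```

Explorer reads its view options at start, so after running with `-Apply` the changes show up in new Explorer windows; the DEP change requires a reboot. Because the HKCU values are per user, run the audit as each account that will use the machine.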
Resources Used
http://hardenwindows8forsecurity.com/Harden%20Windows%208.1%2064bit%20Home.html
http://www.blackviper.com/service-configurations/black-vipers-windows-8-1-service-configurations/