Hardening Windows 8.1

From CVL Wiki

(Difference between revisions)
Jump to: navigation, search
(Networking)
Line 7: Line 7:
 
Control Panel->Network and Sharing Center->Ethernet->Properties
 
Control Panel->Network and Sharing Center->Ethernet->Properties
  
*'''Client for Microsoft Networks''': Used to access other shared resources on your local network running the File and Printer Sharing for Microsoft Networks protocol.
+
 
** Do not disable. Required for mapping SMB network drives
+
*'''QOS Packet Scheduler''': Used to provide traffic management on your network for applications that support the protocol.
+
** Disable
+
*'''File and Printer Sharing for Microsoft Networks''': Used to share your printer and files on your computer with other computers on your local network.
+
** Disable unless sharing folders or printers
+
 
*'''Microsoft Network Adapter Multiplexor Protocol''': provides the ability to load balance between two or more network cards.
 
*'''Microsoft Network Adapter Multiplexor Protocol''': provides the ability to load balance between two or more network cards.
 
** Disable
 
** Disable

Revision as of 11:09, 11 February 2015

This page contains notes on how to harden Windows 8.1. The intent of these changes to the default OS install is to reduce overall exposure to attack, while still remaining usable for the majority of uses.

In particular, these tips apply to ITAR computers and GTA tablets.

Contents

Networking

Control Panel->Network and Sharing Center->Ethernet->Properties


  • Microsoft Network Adapter Multiplexor Protocol: provides the ability to load balance between two or more network cards.
    • Disable
  • Microsoft LLDP Protocol Driver: Used to create the network map used in the Network browser and Networking and Sharing Centre.
    • Disable
  • Link Layer Topology Discovery Mapper I/O Driver: Used to discover other computers connected to your local network.
    • Disable
  • Link Layer Topology Responder: Used to identify your computer to other computers connected to your local network.
    • Disable
  • Internet Protocol Version 6 (TCP/IPv6): A new version of the IPv4 protocol. Unless you are connected to an IPv6 network (most of you are not), you can safely disable this protocol.
    • Do not disable
  • Internet Protocol Version 4 (TCP/IPv4): Primary network communication protocol.
    • Do not disable.

Services

Disable the following:

  • Application Management
  • BranchCache
  • Certificate Propagation
  • Client for NFS
  • Distributed Link Tracking Client
  • Family Safety (compatability stub for Vista apps)
  • Function Discovery Provider Host (HomeGroup)
  • Function Discovery Resource Publication (HomeGroup)
  • HomeGroup Listener (HomeGroup)
  • HomeGroup Provider (HomeGroup)
  • Hyper-V Data Exchange Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Guest Service Interface (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Guest Shutdown Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Heartbeat Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Remote Desktop Virtualization Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Time Synchronization Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Volume Shadow Copy Requestor (Hyper-V VM - Turn on if feature is used)
  • Internet Explorer ETW Collector Service
  • IP Helper
  • KtmRm for Distributed Transaction Coordinator (MS recommends to stop this service if not needed)
  • Link-Layer Topology Discovery Mapper (network discovery)
  • Microsoft iSCSI Initiator Service (allows LAN or Internet based storage)
  • Netlogon (Active Directory Domain Connections)
  • Network Access Protection Agent (reports security configuration)
  • Offline Files
  • Peer Name Resolution Protocol (HomeGroup, remote assistance)
  • Peer Networking Grouping (HomeGroup, remote assistance)
  • Peer Networking Identity Manager (HomeGroup, remote assistance)
  • PNRP Machine Name Publication Service (server that responds with a machine name)
  • Remote Procedure Call (RPC) Locator
  • Sensor Monitoring Service (Enable if your device has light sensors)
  • Smart Card Device Enumeration Service
  • Smart Card Removal Policy
  • SNMP Trap
  • Storage Service
  • Windows Biometric Service
  • Windows Connect Now - Config Registrar (Wireless Setup - simplified configuration)
  • Windows Location Framework Service

Local Security Policy

  • Control Panel -> Administrative Tools -> Local Security Policy
  • Local Policies -> User Rights Assignment -> Deny access to this computer from the network
    • Guests, Anonymous Logon, Administrator, NETWORK SERVICE, SERVICE, SYSTEM, and LOCAL SERVICE.

Turn off AutoPlay

Open Charm Menu (swipe from right) Settings -> Change PC Settings -> PC and Devices -> AutoPlay -> Off

Enable DEP

Right Click Computer -> Properties -> Advanced System Settings -> Performance Settings button -> Data Execution Prevention Tab -> Select "Turn on DEP for all programs ..."

Turn off Remote Assistance

Right Click Computer -> Properties -> Advanced System Settings -> Remote tab Un-checkmark allow remote assistance

Enable Hidden Files

Windows Explorer/ View pull down menu / Options button / Change Folders and Search options / View tab CHECKMARK items below ・ Always show menus ・ Display the full path in the title bar ・ Show hidden files, folders and drives UNCHECK items below ・ hide empty drives in computer folder ・ hide folder merge conflicts ・ hide extensions for known file types Windows Explorer/ View pull down menu / · checkmark File Name Extensions · checkmark Hidden Files

Enable Screen Saver

Right click on desktop and choose Personalize / Screensaver. Configure it to wait 10 minutes, and check mark "On resume, display Logon screen"

Resources Used

http://hardenwindows8forsecurity.com/Harden%20Windows%208.1%2064bit%20Home.html

Views
Personal tools
Support