Hardening Windows 8.1

From CVL Wiki

Revision as of 11:15, 3 February 2015 by Bmckagen (Talk | contribs)


This page contains notes on how to harden Windows 8.1. The intent of these changes to the default OS install is to reduce overall exposure to attack, while still remaining usable for the majority of uses.

In particular, these tips apply to ITAR computers and GTA tablets.


Networking

Control Panel -> Network and Sharing Center -> Ethernet -> Properties

  • Client for Microsoft Networks: Used to access other shared resources on your local network running the File and Printer Sharing for Microsoft Networks protocol.
    • Do not disable. Required for mapping SMB network drives
  • QOS Packet Scheduler: Used to provide traffic management on your network for applications that support the protocol.
    • Disable
  • File and Printer Sharing for Microsoft Networks: Used to share your printer and files on your computer with other computers on your local network.
    • Disable unless sharing folders or printers
  • Microsoft Network Adapter Multiplexor Protocol: provides the ability to load balance between two or more network cards.
    • Disable
  • Microsoft LLDP Protocol Driver: Used to create the network map used in the Network browser and Network and Sharing Center.
    • Disable
  • Link Layer Topology Discovery Mapper I/O Driver: Used to discover other computers connected to your local network.
    • Disable
  • Link Layer Topology Responder: Used to identify your computer to other computers connected to your local network.
    • Disable
  • Internet Protocol Version 6 (TCP/IPv6): A new version of the IPv4 protocol. Unless you are connected to an IPv6 network (most of you are not), you can safely disable this protocol.
    • Do not disable
  • Internet Protocol Version 4 (TCP/IPv4): Primary network communication protocol.
    • Do not disable.
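
The same binding choices can be audited and applied from PowerShell. This is an added example, not part of the original page; it assumes the adapter alias is "Ethernet" and that the listed items map to the standard Windows component IDs shown in the comments.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
param(
    [string]$AdapterName = 'Ethernet',   # assumed adapter alias
    [switch]$Apply                       # without -Apply the script only reports
)

# ComponentID -> desired "Enabled" state, following the list above.
$desired = [ordered]@{
    ms_msclient = $true    # Client for Microsoft Networks (needed for SMB drives)
    ms_pacer    = $false   # QoS Packet Scheduler
    ms_server   = $false   # File and Printer Sharing (set $true if sharing)
    ms_implat   = $false   # Network Adapter Multiplexor Protocol
    ms_lldp     = $false   # Microsoft LLDP Protocol Driver
    ms_lltdio   = $false   # Link-Layer Topology Discovery Mapper I/O Driver
    ms_rspndr   = $false   # Link-Layer Topology Discovery Responder
    ms_tcpip6   = $true    # IPv6
    ms_tcpip    = $true    # IPv4
}

$report = foreach ($id in $desired.Keys) {
    $want = $desired[$id]
    $b = Get-NetAdapterBinding -Name $AdapterName -ComponentID $id -ErrorAction SilentlyContinue
    if (-not $b) {
        # Component not installed: acceptable only when it should be off anyway.
        [pscustomobject]@{ ComponentID = $id; DisplayName = '(not installed)'
                           Enabled = $null; Desired = $want; Compliant = -not $want }
        continue
    }
    if ($Apply -and $b.Enabled -ne $want) {
        if ($want) { Enable-NetAdapterBinding  -Name $AdapterName -ComponentID $id }
        else       { Disable-NetAdapterBinding -Name $AdapterName -ComponentID $id }
        $b = Get-NetAdapterBinding -Name $AdapterName -ComponentID $id   # re-read
    }
    [pscustomobject]@{ ComponentID = $id; DisplayName = $b.DisplayName
                       Enabled = $b.Enabled; Desired = $want
                       Compliant = ($b.Enabled -eq $want) }
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero on drift
```

Run it once without `-Apply` to see the drift, then again with `-Apply`; repeat per adapter, since bindings are set on each adapter separately.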

Services

Disable the following:

  • Computer Browser (manual) (finds other PCs in the network)
  • DNS client (automatic) (caches previously looked up domain names)
  • Family Safety (manual) (compatibility stub for Vista apps)
  • Function Discovery Provider Host (manual) (HomeGroup)
  • Function discovery resource publication (manual) (HomeGroup)
  • HomeGroup Listener (manual) (HomeGroup)
  • HomeGroup Provider (manual) (HomeGroup)
  • Internet Connection Sharing (disabled) (makes PC act as router)
  • KtmRm for Distributed Transaction Coordinator (manual) (MS recommends to stop this service if not needed)
  • Link Layer Topology discovery mapper (manual) (network discovery)
  • Microsoft iSCSI Initiator Service (manual) (allows LAN or Internet based storage)
  • Net.Tcp Port Sharing Service (disabled)
  • Network Access Protection Agent (manual) (reports security configuration)
  • Network Connected Devices Auto-Setup (manual) (autosetup devices in the network)
  • Network Connectivity Assistant (manual) (works with DirectAccess to provide setup of network devices. Relies on DNS client, IP Helper, Network Store Interface Service and Base Filtering Engine)
  • Peer Name Resolution Protocol (manual)
  • Peer Networking Grouping (manual) (HomeGroup, remote assistance)
  • Peer Networking Identity Mgr (manual) (HomeGroup, remote assistance)
  • Performance Counter DLL Host (manual) (allows remote query to performance counters)
  • Performance Logs & Alerts (manual) (collects remote and local perf data)
  • PNRP Machine Name Publication Service (manual) (server that responds with a machine name)
  • Remote Access Auto Connection Mgr (manual)
  • Remote Desktop Configuration (manual)
  • Remote Desktop Service (manual) (server allowing remote control)
  • Remote Desktop Service UserMode Port Redirector (manual)
  • Remote Registry (disabled) (allow remote PCs to modify your registry)
  • Routing and Remote Access (disabled)
  • Server (automatic) (HomeGroup, File and Printer Sharing)
  • SNMP Trap (manual)
  • SSDP Discovery (manual)
  • TCP/IP NetBIOS Helper (automatic)
  • Telephony (manual) (affects Remote Access Connection mgr/ VPN)
  • UPnP Device host (manual)
  • Web Client (manual)
  • Windows Connect Now - Config Registrar (manual) (Wireless Setup - simplified configuration)
  • Windows Event Collector (manual) (allow remote subscription to log events)
  • Windows Media Player Network Sharing service (manual)
  • Windows Remote Management (manual) (Server, listens for remote requests)
  • WMI Performance Adapter (manual) (provides performance data to other PC collecting it)
  • Work Folders (manual) (sync folders with server)
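
A scripted audit of the list above, as an added example that is not part of the original page. The short service names are an assumed mapping from the display names and cover only a subset of the list; the script also reports running dependent services, because stopping a service such as Server or Remote Desktop Services also stops whatever depends on it.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
param([switch]$Apply)   # without -Apply the script only reports

# Assumed short names for a subset of the services listed above.
$targets = @(
    'Browser', 'fdPHost', 'FDResPub', 'HomeGroupListener', 'HomeGroupProvider',
    'SharedAccess', 'lltdsvc', 'MSiSCSI', 'NetTcpPortSharing', 'SessionEnv',
    'TermService', 'UmRdpService', 'RemoteRegistry', 'RemoteAccess',
    'LanmanServer', 'SNMPTRAP', 'SSDPSRV', 'lmhosts', 'upnphost', 'WebClient',
    'Wecsvc', 'WMPNetworkSvc', 'WinRM', 'wmiApSrv'
)

$report = foreach ($name in $targets) {
    # Win32_Service exposes StartMode; Get-Service on PowerShell 4 does not.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }   # service not present on this edition

    # Services that would be stopped along with this one.
    $dependents = @(Get-Service -Name $name -DependentServices |
                    Where-Object Status -eq 'Running')

    if ($Apply -and $svc.StartMode -ne 'Disabled') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    }

    [pscustomobject]@{
        Name              = $svc.Name
        DisplayName       = $svc.DisplayName
        StartMode         = $svc.StartMode    # Auto, Manual or Disabled
        State             = $svc.State        # Running or Stopped
        RunningDependents = ($dependents.Name -join ', ')
        Compliant         = ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
    }
}

$report | Sort-Object Compliant, Name | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }   # non-zero on drift
```

Review the RunningDependents column from a report-only run before using `-Apply`.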

Local Security Policy

  • Control Panel -> Administrative Tools -> Local Security Policy
  • Local Policies -> User Rights Assignment -> Deny access to this computer from the network
    • Guests, Anonymous Logon, Administrator, NETWORK SERVICE, SERVICE, SYSTEM, and LOCAL SERVICE.

Turn off AutoPlay

Open the Charms menu (swipe from right) -> Settings -> Change PC Settings -> PC and Devices -> AutoPlay -> Off

Enable DEP

Right-click Computer -> Properties -> Advanced System Settings -> Performance Settings button -> Data Execution Prevention tab -> Select "Turn on DEP for all programs ..."

Resources Used

http://hardenwindows8forsecurity.com/Harden%20Windows%208.1%2064bit%20Home.html
