Hardening Windows 8.1

From CVL Wiki

Latest revision as of 13:22, 11 March 2015

This page contains notes on how to harden Windows 8.1. The intent of these changes to the default OS install is to reduce the system's exposure to attack while keeping it usable for most everyday purposes.

In particular, these tips apply to ITAR computers and GTA tablets.


Networking

Control Panel->Network and Sharing Center->Ethernet->Properties


  • Microsoft Network Adapter Multiplexor Protocol: the NIC teaming (load balancing / failover) component that spans two or more network cards.
    • Disable unless the machine actually uses NIC teaming.
  • Microsoft LLDP Protocol Driver: IEEE 802.1AB Link Layer Discovery Protocol. Advertises this host to neighbouring switches and hosts and feeds the network map in Network and Sharing Center.
    • Disable
  • Link Layer Topology Discovery Mapper I/O Driver: used to discover other computers connected to your local network and draw the network map.
    • Disable
  • Link Layer Topology Responder: lets other computers on the local network discover and identify this one.
    • Disable
  • Internet Protocol Version 6 (TCP/IPv6): the successor to IPv4, on by default. Microsoft does not recommend disabling it; several Windows components assume it is present, so leave it bound even on an IPv4-only network.
    • Do not disable
  • Internet Protocol Version 4 (TCP/IPv4): primary network communication protocol.
    • Do not disable
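The same binding changes can be made and verified from an elevated PowerShell prompt with the NetAdapter cmdlets that ship with Windows 8.1. This is an added example, not part of the original wiki page; it assumes the adapter is named "Ethernet" as in the click-path above, and uses the component IDs Windows assigns to these bindings.

```powershell
# Added example (not from the CVL Wiki page): disable the adapter bindings listed
# above and verify the result. Assumes an elevated prompt and an adapter called
# "Ethernet"; change $Adapter to match "Get-NetAdapter" on your machine.
$Adapter = "Ethernet"

# Component IDs of the bindings the page says to disable.
$Disable = @{
    "ms_implat" = "Microsoft Network Adapter Multiplexor Protocol"
    "ms_lldp"   = "Microsoft LLDP Protocol Driver"
    "ms_lltdio" = "Link-Layer Topology Discovery Mapper I/O Driver"
    "ms_rspndr" = "Link-Layer Topology Discovery Responder"
}
# Bindings the page says to keep; the script only checks these, never changes them.
$Keep = @("ms_tcpip", "ms_tcpip6")

foreach ($id in $Disable.Keys) {
    $b = Get-NetAdapterBinding -Name $Adapter -ComponentID $id -ErrorAction SilentlyContinue
    if ($null -eq $b) {
        Write-Warning "$id ($($Disable[$id])) is not bound to $Adapter; skipping"
        continue
    }
    if ($b.Enabled) {
        Disable-NetAdapterBinding -Name $Adapter -ComponentID $id
        Write-Host "Disabled $($Disable[$id])"
    }
}

# Guard against an over-eager run having unbound IPv4/IPv6.
foreach ($id in $Keep) {
    $b = Get-NetAdapterBinding -Name $Adapter -ComponentID $id -ErrorAction SilentlyContinue
    if ($null -eq $b -or -not $b.Enabled) {
        Write-Warning "$id is not enabled on $Adapter; the page says to leave it on"
    }
}

# Audit view: every binding on the adapter with its current state.
Get-NetAdapterBinding -Name $Adapter |
    Select-Object ComponentID, DisplayName, Enabled |
    Sort-Object ComponentID |
    Format-Table -AutoSize
```

Re-run the final `Get-NetAdapterBinding` after a reboot or driver update, since reinstalling a NIC driver can re-enable bindings.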

Services

Disable the following (Control Panel -> Administrative Tools -> Services). The note in parentheses says what the service is for and when it should be left on:

  • Application Management
  • BranchCache
  • Certificate Propagation (copies certificates from inserted smart cards to the user's store; leave on if smart cards are used for logon)
  • Client for NFS
  • Distributed Link Tracking Client
  • Family Safety (compatibility stub for Vista apps)
  • Function Discovery Provider Host (HomeGroup)
  • Function Discovery Resource Publication (HomeGroup)
  • HomeGroup Listener (HomeGroup)
  • HomeGroup Provider (HomeGroup)
  • Hyper-V Data Exchange Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Guest Service Interface (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Guest Shutdown Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Heartbeat Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Remote Desktop Virtualization Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Time Synchronization Service (Hyper-V VM - Turn on if feature is used)
  • Hyper-V Volume Shadow Copy Requestor (Hyper-V VM - Turn on if feature is used)
  • Internet Explorer ETW Collector Service
  • IP Helper (IPv6 transition tunnels: 6to4, ISATAP, Teredo, IP-HTTPS; required for DirectAccess)
  • KtmRm for Distributed Transaction Coordinator (MS recommends to stop this service if not needed)
  • Link-Layer Topology Discovery Mapper (network discovery)
  • Microsoft iSCSI Initiator Service (allows LAN or Internet based storage)
  • Netlogon (Active Directory domain connections; do not disable on a domain-joined computer)
  • Network Access Protection Agent (reports security configuration)
  • Offline Files
  • Peer Name Resolution Protocol (HomeGroup, remote assistance)
  • Peer Networking Grouping (HomeGroup, remote assistance)
  • Peer Networking Identity Manager (HomeGroup, remote assistance)
  • PNRP Machine Name Publication Service (server that responds with a machine name)
  • Remote Procedure Call (RPC) Locator
  • Sensor Monitoring Service (Enable if your device has light sensors)
  • Smart Card Device Enumeration Service (leave on if smart cards are used)
  • Smart Card Removal Policy (leave on if smart cards are used and the session should lock when the card is removed)
  • SNMP Trap
  • Storage Service
  • Windows Biometric Service
  • Windows Connect Now - Config Registrar (Wireless Setup - simplified configuration)
  • Windows Location Framework Service
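The list above can be applied and audited in one pass from an elevated PowerShell prompt. This is an added example, not code from the wiki page or from the sources it cites; it matches services by the display names exactly as the page lists them, assumes a standalone (non-domain) machine without smart-card logon, and reads the startup mode through WMI because `Get-Service` on Windows 8.1 does not expose it.

```powershell
# Added example (not from the CVL Wiki page): set the listed services to Disabled,
# stop them, and report what happened. Assumes an elevated prompt. Put anything
# your environment needs into $Keep (for example "Netlogon" on a domain-joined PC).
$Keep = @()

$Services = @(
    "Application Management", "BranchCache", "Certificate Propagation",
    "Client for NFS", "Distributed Link Tracking Client", "Family Safety",
    "Function Discovery Provider Host", "Function Discovery Resource Publication",
    "HomeGroup Listener", "HomeGroup Provider",
    "Hyper-V Data Exchange Service", "Hyper-V Guest Service Interface",
    "Hyper-V Guest Shutdown Service", "Hyper-V Heartbeat Service",
    "Hyper-V Remote Desktop Virtualization Service",
    "Hyper-V Time Synchronization Service", "Hyper-V Volume Shadow Copy Requestor",
    "Internet Explorer ETW Collector Service", "IP Helper",
    "KtmRm for Distributed Transaction Coordinator",
    "Link-Layer Topology Discovery Mapper", "Microsoft iSCSI Initiator Service",
    "Netlogon", "Network Access Protection Agent", "Offline Files",
    "Peer Name Resolution Protocol", "Peer Networking Grouping",
    "Peer Networking Identity Manager", "PNRP Machine Name Publication Service",
    "Remote Procedure Call (RPC) Locator", "Sensor Monitoring Service",
    "Smart Card Device Enumeration Service", "Smart Card Removal Policy",
    "SNMP Trap", "Storage Service", "Windows Biometric Service",
    "Windows Connect Now - Config Registrar", "Windows Location Framework Service"
) | Where-Object { $Keep -notcontains $_ }

$Report = foreach ($name in $Services) {
    # Match on display name so the list reads against services.msc directly.
    $found = @(Get-Service -DisplayName $name -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        # Not installed on this build (e.g. Hyper-V guest services on physical hardware).
        [pscustomobject]@{ Service = $name; Result = "not present" }
        continue
    }
    foreach ($s in $found) {
        Set-Service -Name $s.Name -StartupType Disabled
        if ($s.Status -ne "Stopped") {
            # -Force also stops services that depend on this one.
            Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        }
        # Win32_Service exposes StartMode; the ServiceController object on 8.1 does not.
        $w = Get-WmiObject Win32_Service -Filter "Name='$($s.Name)'"
        [pscustomobject]@{ Service = $name; Result = "$($w.StartMode) / $($w.State)" }
    }
}
$Report | Format-Table -AutoSize
```

Anything reported as "Disabled / Running" could not be stopped cleanly (usually a dependency still holds it); it will not start again after a reboot. Re-run the script after Windows Update, which occasionally resets startup types.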

Local Security Policy

  • Control Panel -> Administrative Tools -> Local Security Policy (or run secpol.msc)

User Rights Assignment

Local Policies -> User Rights Assignment -> Deny access to this computer from the network

  • Guests, Anonymous Logon, Administrator, NETWORK SERVICE, SERVICE, SYSTEM, and LOCAL SERVICE.

This assumes a standalone machine that is not administered over the network. "Deny" rights take precedence over "Allow", so every account listed here loses all SMB, RPC and remote-management access to the computer; on a domain-joined system or a machine that shares files, test the setting before rolling it out.

Password Policy

Account Policies -> Password Policy

  • Max password age = 365 days
  • Min password length = 12 characters
  • Password must meet complexity requirements -> enabled
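Both the User Rights Assignment and the Password Policy settings above can be applied with secedit so the result is repeatable and can be diffed against an export. This is an added example, not part of the original wiki page; it assumes an elevated prompt on a standalone (non-domain) machine, and the file paths under %TEMP% are arbitrary choices for this example.

```powershell
# Added example (not from the CVL Wiki page): apply the two Local Security Policy
# sections above with secedit instead of clicking through secpol.msc.
# Assumes an elevated prompt on a non-domain machine; the paths are arbitrary.
$Inf = "$env:TEMP\cvl-harden.inf"
$Db  = "$env:TEMP\cvl-harden.sdb"
$Out = "$env:TEMP\cvl-export.inf"

# Well-known SIDs are stable on every machine. The built-in Administrator's SID
# ends in -500 but its prefix varies per machine, so it is given by name.
$Deny = @(
    "*S-1-5-32-546",   # Guests
    "*S-1-5-7",        # ANONYMOUS LOGON
    "Administrator",
    "*S-1-5-20",       # NETWORK SERVICE
    "*S-1-5-6",        # SERVICE
    "*S-1-5-18",       # SYSTEM
    "*S-1-5-19"        # LOCAL SERVICE
) -join ","

# Security template: [System Access] is the Password Policy, [Privilege Rights]
# the User Rights Assignment. The backticks keep "$CHICAGO$" literal.
@"
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 365
MinimumPasswordLength = 12
PasswordComplexity = 1
[Privilege Rights]
SeDenyNetworkLogonRight = $Deny
[Version]
signature="`$CHICAGO`$"
Revision=1
"@ | Set-Content -Path $Inf -Encoding Unicode

secedit /configure /db $Db /cfg $Inf /areas SECURITYPOLICY USER_RIGHTS /quiet

# Verify: export the effective policy and show the four lines that were changed.
secedit /export /cfg $Out /areas SECURITYPOLICY USER_RIGHTS /quiet
Get-Content $Out |
    Select-String "MaximumPasswordAge|MinimumPasswordLength|PasswordComplexity|SeDenyNetworkLogonRight"

Remove-Item $Inf, $Db, $Out -ErrorAction SilentlyContinue
```

The exported file lists accounts as SIDs, so expect the Administrator entry to appear as the machine-specific S-1-5-21-...-500 rather than by name. Keep a copy of the export from before the change if you need to roll back.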

Turn off AutoPlay

Open the Charm menu (swipe from the right edge).

Settings -> Change PC Settings -> PC and Devices -> AutoPlay -> Off

Enable DEP

Right-click Computer -> Properties -> Advanced System Settings -> Performance Settings button -> Data Execution Prevention tab -> select "Turn on DEP for all programs and services except those I select".

On 64-bit Windows, 64-bit processes always run with DEP; this setting (boot option nx=OptOut) extends it to 32-bit processes as well. It takes effect after a reboot.

Turn off Remote Assistance

Right-click Computer -> Properties -> Advanced System Settings -> Remote tab

Uncheck "Allow Remote Assistance connections to this computer".

Enable Hidden Files

Windows Explorer / View pull-down menu / Options button / Change folder and search options / View tab

CHECK the items below:
  • Always show menus
  • Display the full path in the title bar
  • Show hidden files, folders and drives

UNCHECK the items below:
  • Hide empty drives in the Computer folder
  • Hide folder merge conflicts
  • Hide extensions for known file types

Windows Explorer / View pull-down menu:
  • check File name extensions
  • check Hidden files

Enable Screen Saver

Right click on desktop and choose Personalize / Screensaver. Configure it to wait 10 minutes, and check mark "On resume, display Logon screen"
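The five click-paths above (AutoPlay, DEP, Remote Assistance, Explorer view options, screen saver) each map to a registry value or boot setting, so a build can be checked and re-applied without the GUI. The script below is an added example, not code from the wiki page; it assumes an elevated prompt, that the HKCU values should apply to the account running it, that the Explorer values are the standard Explorer\Advanced and CabinetState names, and it picks the built-in blank saver (scrnsave.scr) since a screen saver must be selected for "On resume, display Logon screen" to do anything.

```powershell
# Added example (not from the CVL Wiki page): scriptable equivalents of the
# AutoPlay, DEP, Remote Assistance, Explorer and screen saver steps above.
# Assumes an elevated prompt; HKCU values affect only the current account.
function Set-RegDword($Path, $Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# Turn off AutoPlay: machine policy for every drive type, plus ignore Autorun.inf.
$pol = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
Set-RegDword $pol "NoDriveTypeAutoRun" 0xFF
Set-RegDword $pol "NoAutorun" 1

# Enable DEP: "Turn on DEP for all programs and services except those I select"
# is the OptOut boot setting. Takes effect at the next reboot.
bcdedit /set "{current}" nx OptOut | Out-Null

# Turn off Remote Assistance.
$ra = "HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance"
Set-RegDword $ra "fAllowToGetHelp" 0

# Explorer view options (Explorer re-reads these at next logon or restart of explorer.exe).
$adv = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
Set-RegDword $adv "Hidden" 1                 # show hidden files, folders and drives
Set-RegDword $adv "HideFileExt" 0            # show extensions for known file types
Set-RegDword $adv "AlwaysShowMenus" 1
Set-RegDword $adv "HideDrivesWithNoMedia" 0  # do not hide empty drives
Set-RegDword $adv "HideMergeConflicts" 0
Set-RegDword "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState" "FullPath" 1

# Screen saver: blank saver, 10 minutes, require logon on resume (these are REG_SZ).
$desk = "HKCU:\Control Panel\Desktop"
Set-ItemProperty $desk "SCRNSAVE.EXE" "$env:SystemRoot\System32\scrnsave.scr"
Set-ItemProperty $desk "ScreenSaveActive" "1"
Set-ItemProperty $desk "ScreenSaveTimeOut" "600"
Set-ItemProperty $desk "ScreenSaverIsSecure" "1"

# Audit: False on any row means the setting did not take.
$checks = @{
    "AutoPlay off"       = (Get-ItemProperty $pol).NoDriveTypeAutoRun -eq 0xFF
    "DEP OptOut (boot)"  = [bool]((bcdedit /enum "{current}") -match "^nx\s+OptOut")
    "Remote Assist off"  = (Get-ItemProperty $ra).fAllowToGetHelp -eq 0
    "Hidden files shown" = (Get-ItemProperty $adv).Hidden -eq 1
    "Extensions shown"   = (Get-ItemProperty $adv).HideFileExt -eq 0
    "Screen saver locks" = (Get-ItemProperty $desk).ScreenSaverIsSecure -eq "1" -and
                           (Get-ItemProperty $desk).ScreenSaveTimeOut -eq "600"
}
$checks.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

The HKCU values must be set for every account that logs on; for a shared tablet, run that part of the script under each user or push it through a logon script.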

Resources Used

http://hardenwindows8forsecurity.com/Harden%20Windows%208.1%2064bit%20Home.html

http://www.blackviper.com/service-configurations/black-vipers-windows-8-1-service-configurations/
