A guide I whipped up on hardening Windows Vista / 7.

Nice little guide. You actually mention DEP which is often overlooked and I don't know why it's still not enabled for all processes by default. Well there are a few things out there still that don't work with DEP enabled but still that is the exception and not the rule.
 
I appreciate the feedback heatlesssun. Yes, MS has to remain compatible with so much, and unfortunately there are some bone-headed developers out there that do things in their programs that are really bad ideas, and everyone suffers for it. But the situation is improving (IE8 has DEP on by default now, for instance) so there's hope. G'day.
 
A lot of people have Home Premium, should add this tip:

Open elevated command prompt and use following command to enable
Administrator account and set a password on it:

net user Administrator v3ryStr()ngP4$$wOrd /ACTIVE:YES

where "v3ryStr()ngP4$$wOrd" is a password you want to assign to account.
 
I don't see the benefit in activating the Administrator account..? [Added registry info for ctrl-alt-del requirement, for home users]
 
I don't see the benefit in activating the Administrator account..? [Added registry info for ctrl-alt-del requirement, for home users]

If you don't activate it and protect it with a strong password, a virus will activate it for you - and since it's not protected with a password.. I think you know where I'm going with this.
 
If you don't activate it and protect it with a strong password, a virus will activate it for you - and since it's not protected with a password.. I think you know where I'm going with this.

Ok, but a virus would need to be admin to activate the Administrator account, so there's no need for the virus to activate the Administrator account. Besides, Windows won't allow network connections to accounts that have no passwords.

[looks like the API requires the old password to change the password] But malware could access and rewrite the SAM database for instance, I think, like the password reset tools do. Bottom line, once the malware has admin on your box, you=pwned.
 
I don't see the benefit in activating the Administrator account..? [Added registry info for ctrl-alt-del requirement, for home users]

This statement in your guide:
Run as standard user, in Control Panel->User Accounts->Change Your Account Type, select "Standard User" and apply the settings. You may need to make a separate admin account, if you don't have any other admin accounts on your system.
You can't make your main account standard without a second administrator account, and instead of just arbitrarily creating a new one, why not use the built-in one and set a strong password in the process?
 
Thanks, there were a few things I was unaware of (primarily setting Firefox to low integrity level).

I would add one thing: if re-enabling the built-in admin account, also rename it in the local security policy. The vast majority of malware assumes the default administrator account name, and that is probably one of the easiest changes that can be made to improve security on any Windows system.
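Putting the two tips together (enable the built-in account with a strong password, then rename it), here is an added PowerShell example of mine, not code from the thread or the guide. It finds the built-in account by its RID-500 SID rather than by name, uses `net user <name> *` so the password is typed at a prompt instead of appearing on the command line and in shell history, renames it through WMI, and verifies the result; the new name 'LocalAdm' is a placeholder. Run it from an elevated PowerShell on Vista/7.

```powershell
# Added example (not from the thread): enable, password-protect, rename and verify
# the built-in Administrator account. Must run elevated.
$ErrorActionPreference = 'Stop'

# The built-in Administrator always has RID 500, so look it up by SID, not by name;
# this keeps working after the account has been renamed.
function Get-BuiltinAdmin {
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
}

$admin = Get-BuiltinAdmin
if (-not $admin) { throw "Built-in administrator account not found" }
"Built-in admin is currently named '$($admin.Name)' (Disabled=$($admin.Disabled))"

# 'net user <name> *' prompts for the password (twice) instead of taking it as an
# argument, so it never lands in command history or a process listing.
net user $admin.Name * /ACTIVE:YES
if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }

# Rename it. 'LocalAdm' is a placeholder; pick your own. Win32_UserAccount.Rename
# returns 0 on success.
$newName = 'LocalAdm'
if ($admin.Name -ne $newName) {
    $rc = $admin.Rename($newName).ReturnValue
    if ($rc -ne 0) { throw "Rename failed with return code $rc" }
}

# Verify: re-read the account and confirm it is enabled and requires a password.
$check = Get-BuiltinAdmin
"{0}: Disabled={1} PasswordRequired={2} Lockout={3}" -f `
    $check.Name, $check.Disabled, $check.PasswordRequired, $check.Lockout
```

If Disabled is still True or PasswordRequired is False after the run, the account is not in the state the thread recommends and the earlier steps should be repeated.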
 
Figured out a way to execute Firefox in low integrity mode without getting the annoying startup prompt, updated page with info.
 
Yes, thank you for the info. Some of it I knew. Other parts reminded me of what I hadn't setup since my install. And I even learned something. All in all a good post. I'm going to forward it to my friends.
 
Nice guide, thanks! I'll make note of it for whenever I do my real W7 install (still running RC1).
 
There's also AppLocker, didn't try it myself yet, but it seems to be the best thing that happened to a MS OS in ... ever.
 
A lot of people have Home Premium, should add this tip:

How do you undo that?

When I did it, it created an admin account and I must enter a password anytime I do just about anything.
So I removed the admin account but it still has me enter a password on my original account any time UAC comes up. I'd like to get it back to the way it was.
 
How do you undo that?

When I did it, it created an admin account and I must enter a password anytime I do just about anything.
So I removed the admin account but it still has me enter a password on my original account any time UAC comes up. I'd like to get it back to the way it was.

http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx

To change the elevation prompt behavior for administrators
1. Click Start, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.
2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for administrators.
4. From the drop-down menu, select one of the following settings:
   Elevate without prompting (tasks requesting elevation will automatically run as elevated without prompting the administrator)
   Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated)
   Prompt for consent (default setting for administrators)
5. Click OK.
6. Close the Local Security Settings window.

To change the elevation prompt behavior for standard users
1. Click Start, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.
2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for standard users.
4. From the drop-down menu, select one of the following settings:
   Automatically deny elevation requests (standard users will not be able to run programs requiring elevation, and will not be prompted)
   Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated, and is the default for standard users)
5. Click OK.
6. Close the Local Security Settings window.
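The secpol.msc settings above are stored as registry values under the Policies\System key, which is handy for checking what a machine is actually set to (for instance after the undo question above). The following is an added PowerShell example of mine, not from the thread or the linked TechNet page; the value meanings are the documented Vista/7 ones, and value 5 for administrators exists on Windows 7 only.

```powershell
# Added example (not from the thread): audit the UAC prompt settings and flag weak ones.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of the two "Behavior of the elevation prompt" policies.
$adminBehaviour = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
$userBehaviour = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

# Read a DWORD from the policy key, falling back to the OS default if it is absent.
function Get-UacSetting([string]$name, [int]$default) {
    $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $p) { $default } else { [int]$p.$name }
}

$lua   = Get-UacSetting 'EnableLUA' 1
$admin = Get-UacSetting 'ConsentPromptBehaviorAdmin' 5
$user  = Get-UacSetting 'ConsentPromptBehaviorUser' 3
$sd    = Get-UacSetting 'PromptOnSecureDesktop' 1

"EnableLUA                  = $lua"
"Admin elevation behaviour  = $admin ($($adminBehaviour[$admin]))"
"User elevation behaviour   = $user ($($userBehaviour[$user]))"
"PromptOnSecureDesktop      = $sd"

# Weak configurations a defender should care about.
$findings = @()
if ($lua -ne 1)   { $findings += 'UAC is disabled entirely (EnableLUA=0)' }
if ($admin -eq 0) { $findings += 'administrators elevate silently, so any code run by an admin user already has full control' }
if ($sd -ne 1)    { $findings += 'prompts are not shown on the secure desktop and can be interfered with by other processes' }
if ($findings) { 'WEAK: ' + ($findings -join '; ') } else { 'UAC prompt settings are at or above the defaults' }

# To put the standard-user prompt back to its default (the undo asked about above):
# Set-ItemProperty -Path $key -Name ConsentPromptBehaviorUser -Value 3 -Type DWord
```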
 
Thread Necromancy!!! :D

Just kidding... it still shows last update in November 2009, is there a new link or whatever? One would think an update should be presented as "new" with a new date, perhaps... or maybe you can alter the posting title to reflect it's been updated, maybe?
 
Added date of last update to title, I'll make sure the update date is always posted.
 
Some good info there, I've pointed it out to some friends that recently expressed concerns about security running Windows, maybe they'll learn something.
 
Thanks for that, I learned a lot from it and I'm glad to see that win7 64bit is already pretty secure but I added those changes. Thanks!
 
Nice little guide. You actually mention DEP which is often overlooked and I don't know why it's still not enabled for all processes by default. Well there are a few things out there still that don't work with DEP enabled but still that is the exception and not the rule.

The reason it is not enabled on all processes by default has to do with running certain applications like games that would cause the game to fail. This is why you have to modify the DEP settings when you convert Server 2008 to a workstation.
 
And for goodness sake, do not believe web browser pop-ups that say you're infected and you need to download an anti-virus to get rid of the virus, for the thing you download is actually the virus and you'll be sorry (and a nuisance to everyone else on the internet.)

#1 way to harden our Windows machines at my workplace -.-
 
Would any of these changes have negative effects?

Well, as with most things, you need to test the changes against your applications. There is certain to be a group of apps that don't respond well to some of these changes. Some apps don't like DEP, for instance. Some probably don't like SEHOP. But I've never run into an app or game that hasn't worked because of these things. I know BF:BC2 crashes if you enable ASLR for all apps, so I didn't even bother including that info on the blog. Bottom line is you just need to thoroughly test your apps, especially in a work scenario, with these changes.
 
Nice little guide. You actually mention DEP which is often overlooked and I don't know why it's still not enabled for all processes by default. Well there are a few things out there still that don't work with DEP enabled but still that is the exception and not the rule.

Not if you are a gamer. Enabling DEP for all processes will be a PITA for a gamer.
 
Not if you are a gamer. Enabling DEP for all processes will be a PITA for a gamer.

It can be but it's easy enough to disable it on a per program basis and newer stuff seems to work better with DEP on these days.
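Because per-program DEP exceptions tend to accumulate and then get forgotten, it is worth being able to list them. Here is an added PowerShell example of mine (not from the thread) that reports the system DEP policy from WMI and lists the programs exempted through the AppCompatFlags\Layers keys, which is where the System Properties DEP dialog records a DisableNXShowUI exception; it also flags exceptions whose executable no longer exists.

```powershell
# Added example (not from the thread): show the DEP policy and per-program exemptions.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (client default)'; 3 = 'OptOut' }

$os = Get-WmiObject Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"DEP hardware support : $($os.DataExecutionPrevention_Available)"
"DEP system policy    : $policy ($($policyNames[$policy]))"
"DEP for 32-bit apps  : $($os.DataExecutionPrevention_32BitApplications)"

# Exemptions are stored as value name = exe path, data containing 'DisableNXShowUI'.
# Check both the machine-wide and the current-user hive.
$layerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
$exempt = foreach ($k in $layerKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties; keep only exe paths flagged DisableNXShowUI.
            if ($p.Name -like '*.exe' -and "$($p.Value)" -match 'DisableNXShowUI') {
                New-Object PSObject -Property @{
                    Hive    = $k.Split(':')[0]
                    Program = $p.Name
                    Exists  = (Test-Path -LiteralPath $p.Name)
                }
            }
        }
    }
}

if ($exempt) {
    'Programs exempted from DEP (Exists=False means a stale exception that should be removed):'
    $exempt | Format-Table Hive, Program, Exists -AutoSize
} else {
    'No per-program DEP exemptions found'
}
```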
 
Never had a game have a problem with DEP, but I tend to only play newer stuff.
 
Guide has been updated, with information about EMET and IE9 active-X filtering. Just FYI. EMET is a very good tool, I suggest everyone run it and enable protections in EMET for web browsers, adobe reader/acrobat, office programs, media players, and so on.
 
I like your guide to security as there are far too many users that have no idea what to do.
I found another site that is dedicated to educating users on how to secure their computers against the growing hacker threat.

safegadget.com
 
I like your guide to security as there are far too many users that have no idea what to do.
I found another site that is dedicated to educating users on how to secure their computers against the growing hacker threat.

safegadget.com

That's a good guide and site, a little better organized than mine (was in a rush when I made mine and never went back to clean it up), hope it sticks around.
 
When are you doing the next update to your blog?

Well I've covered the basics that I think are important, I'm trying to keep it small and easy to digest, and just cover the important stuff. Will probably add some stuff once Windows 8 comes out if it has any relevant security features, I know one in particular is kind of interesting - secure boot. Besides that I don't see much else I can/should add, do you have any suggestions/requests?
 