A guide I whipped up on hardening Windows Vista / 7.

Discussion in 'Operating Systems' started by devil22, Nov 23, 2009.

  1. devil22

  2. heatlesssun

    Nice little guide. You actually mention DEP which is often overlooked and I don't know why it's still not enabled for all processes by default. Well there are a few things out there still that don't work with DEP enabled but still that is the exception and not the rule.
     
  3. devil22

    I appreciate the feedback heatlesssun. Yes, MS has to remain compatible with so much, and unfortunately there are some bone-headed developers out there that do things in their programs that are really bad ideas, and everyone suffers for it. But the situation is improving (IE8 has DEP on by default now, for instance) so there's hope. G'day.
     
  4. Menelmarar

    A lot of people have Home Premium, should add this tip:

     
  5. devil22

    I don't see the benefit in activating the Administrator account..? [Added registry info for ctrl-alt-del requirement, for home users]
     
    Last edited: Nov 23, 2009
  6. Azhar

    If you don't activate it and protect it with a strong password, a virus will activate it for you - and since it's not protected with a password.. I think you know where I'm going with this.
     
  7. devil22

    Ok, but a virus would need to be admin to activate the Administrator account, so there's no need for the virus to activate the Administrator account. Besides, Windows won't allow network connections to accounts that have no passwords.

    [looks like the API requires the old password to change the password] But malware could access and rewrite the SAM database for instance, I think, like the password reset tools do. Bottom line, once the malware has admin on your box, you=pwned.
     
    Last edited: Nov 23, 2009
  8. Menelmarar

    This statement in your guide:
    Can't make your main account standard without a second administrator account, and instead of just arbitrarily creating a new one, why not use the one built in, and set a strong password in the process?
     
  9. devil22

    Ok, I'll add that when I get a chance, thanks.
     
  10. darkpaw

    Thanks, there were a few things I was unaware of (primarily setting Firefox to low integrity level).

    I would add one thing: if re-enabling the built-in admin account, also rename it in the local security policy. The vast majority of malware assumes the default administrator account name, and that is probably one of the easiest changes that can be made to improve security on any Windows system.
     
    Last edited: Nov 23, 2009
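    A defender-side check for the points raised in posts 6 through 10 (is the built-in Administrator enabled, does it still carry its default name, is blank-password network logon limited), as an added PowerShell example that is not part of the thread or the guide. It assumes Windows Vista/7 run from an elevated prompt; the Win32_UserAccount class, its Rename method and the LimitBlankPasswordUse value are standard Windows, while the new account name is a placeholder.

```powershell
# Added example, not from the guide: audit (and optionally rename) the built-in Administrator.
# The built-in account is the one whose SID ends in -500; matching on the SID rather than the
# name means the check still works after the account has been renamed. Run elevated.
function Get-BuiltinAdminStatus {
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    # LimitBlankPasswordUse = 1 (the default) restricts blank-password accounts to console
    # logon, which is the behaviour devil22 refers to in post 7.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        Name                  = $acct.Name
        Enabled               = -not $acct.Disabled
        PasswordRequired      = $acct.PasswordRequired   # the "password not required" flag, inverted
        HasDefaultName        = ($acct.Name -eq 'Administrator')
        LimitBlankPasswordUse = $lsa.LimitBlankPasswordUse
    }
}

function Rename-BuiltinAdmin {
    # Same effect as the "Accounts: Rename administrator account" local security policy.
    param([Parameter(Mandatory)][string]$NewName)
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount = True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    $result = $acct.Rename($NewName)
    if ($result.ReturnValue -ne 0) { throw "Rename failed with code $($result.ReturnValue)" }
}

$status = Get-BuiltinAdminStatus
$status
if ($status.Enabled -and -not $status.PasswordRequired) {
    Write-Warning 'Built-in Administrator is enabled and flagged as not requiring a password; set a strong one or disable it (net user Administrator /active:no).'
}
if ($status.Enabled -and $status.HasDefaultName) {
    Rename-BuiltinAdmin -NewName 'LocalAdmin-Placeholder'   # placeholder name, choose your own
}
```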
  11. devil22

    Figured out a way to execute Firefox in low integrity mode without getting the annoying startup prompt, updated page with info.
     
  12. ThreeDee

  13. dr.stevil

    thanks for the guide, learned a bit from it :)
     
  14. Archer75

    Yes, thank you for the info. Some of it I knew. Other parts reminded me of what I hadn't set up since my install. And I even learned something. All in all a good post. I'm going to forward it to my friends.
     
  15. Drudenhaus

    Nice guide, thanks! I'll make note of it for whenever I do my real W7 install (still running RC1).
     
  16. Thuleman

    There's also AppLocker, didn't try it myself yet, but it seems to be the best thing that happened to a MS OS in ... ever.
     
  17. Archer75

    How do you undo that?

    When I did it, it created an admin account and I must enter a password anytime I do just about anything.
    So I removed the admin account but it still has me enter a password on my original account any time UAC comes up. I'd like to get it back to the way it was.
     
  18. heatlesssun

    http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx

    To change the elevation prompt behavior for administrators
    1. Click Start, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.
    2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
    3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for administrators.
    4. From the drop-down menu, select one of the following settings:
       Elevate without prompting (tasks requesting elevation will automatically run as elevated without prompting the administrator)
       Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated)
       Prompt for consent (default setting for administrators)
    5. Click OK.
    6. Close the Local Security Settings window.

    To change the elevation prompt behavior for standard users
    1. Click Start, click Accessories, click Run, type secpol.msc in the Open box, and then click OK.
    2. From the Local Security Settings console tree, click Local Policies, and then Security Options.
    3. Scroll down to and double-click User Account Control: Behavior of the elevation prompt for standard users.
    4. From the drop-down menu, select one of the following settings:
       Automatically deny elevation requests (standard users will not be able to run programs requiring elevation, and will not be prompted)
       Prompt for credentials (this setting requires user name and password input before an application or task will run as elevated, and is the default for standard users)
    5. Click OK.
    6. Close the Local Security Settings window.
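    The same two policies, read and set through the registry values that secpol.msc writes, as an added PowerShell example (not from the thread or the TechNet page). It covers the full Vista/7 value set, which is a superset of the options listed above; ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser under the Policies\System key are the standard locations, and the script assumes an elevated prompt.

```powershell
# Added example (not from the thread or TechNet): inspect and change the UAC elevation-prompt
# behaviour that the "User Account Control: Behavior of the elevation prompt ..." policies
# control. These DWORD values are what the secpol.msc steps write. Run elevated.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented values; the secure-desktop variants are the ones secpol.msc shows on Windows 7.
$adminBehavior = @{
    0 = 'Elevate without prompting (UAC protection effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows 7 default)'
}
$userBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacPromptBehavior {
    $p = Get-ItemProperty -Path $uacKey
    [pscustomobject]@{
        EnableLUA = $p.EnableLUA   # 0 here means UAC is switched off entirely
        Admin     = "$($p.ConsentPromptBehaviorAdmin) - $($adminBehavior[[int]$p.ConsentPromptBehaviorAdmin])"
        User      = "$($p.ConsentPromptBehaviorUser) - $($userBehavior[[int]$p.ConsentPromptBehaviorUser])"
    }
}

function Set-UacPromptBehavior {
    param(
        [ValidateSet(0, 1, 2, 3, 4, 5)][int]$Admin,
        [ValidateSet(0, 1, 3)][int]$User
    )
    if ($Admin -eq 0) { Write-Warning 'Admin = 0 silently elevates everything; avoid it.' }
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value $Admin -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser  -Value $User  -Type DWord
}

Get-UacPromptBehavior
# Archer75's case above: admins back to "prompt for consent" instead of a password prompt,
# standard users left on "prompt for credentials". Takes effect for new elevation requests.
Set-UacPromptBehavior -Admin 2 -User 3
Get-UacPromptBehavior
```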
     
  19. Archer75

    It tells me I don't have permission.

    edit - I rebooted and it worked.
     
    Last edited: Dec 6, 2009
  20. devil22

    Added some stuff some of you may find useful.
     
  21. Bahamut

    Thread Necromancy!!! :D

    Just kidding... it still shows last update in November 2009, is there a new link or whatever? One would think an update should be presented as "new" with a new date, perhaps... or maybe you can alter the posting title to reflect it's been updated, maybe?
     
  22. devil22

    Added date of last update to title, I'll make sure the update date is always posted.
     
  23. Bahamut

    Some good info there, I've pointed it out to some friends that recently expressed concerns about security running Windows, maybe they'll learn something.
     
  24. Shadowssong

    Thanks for that, I learned a lot from it and I'm glad to see that win7 64bit is already pretty secure but I added those changes. Thanks!
     
  25. YeuEmMaiMai

    The reason it is not enabled on all processes by default has to do with running certain applications like games that would cause the game to fail..... this is why you have to modify the DEP settings when you convert Server 2008 to a workstation
     
  26. soulesschild

    #1 way to harden our Windows machines at my work place -.-
     
  27. Jelokin1

  28. evilsofa

  29. Jon55

    Would any of these changes have negative effects?
     
  30. devil22

    Well, as with most things, you need to test the changes against your applications. There is certain to be a group of apps that don't respond well to some of these changes. Some apps don't like DEP, for instance. Some probably don't like SEHOP. But I've never run into an app or game that hasn't worked because of these things. I know BF:BC2 crashes if you enable ASLR for all apps, so I didn't even bother including that info on the blog. Bottom line is you just need to thoroughly test your apps, especially in a work scenario, with these changes.
     
  31. mortonP

    Not if you are a gamer. Enabling DEP for all processes will be a PITA for a gamer.
     
  32. heatlesssun

    It can be but it's easy enough to disable it on a per program basis and newer stuff seems to work better with DEP on these days.
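    Checking the system-wide DEP policy and adding the per-program exception heatlesssun mentions, as an added PowerShell example that is not the guide's or Microsoft's code. It assumes Windows Vista/7 on an NX-capable CPU, run elevated; the Win32_OperatingSystem DEP properties, the bcdedit nx switch and the AppCompatFlags\Layers key are standard Windows, and the game path is a constructed placeholder.

```powershell
# Added example (not from the thread): show the DEP policy the machine booted with and
# manage per-program opt-outs, which is what the DEP tab in System Properties writes.
$policyName = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (client default)'; 3 = 'OptOut' }
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDep    = $os.DataExecutionPrevention_Available
        Policy         = $policyName[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps = $os.DataExecutionPrevention_32BitApplications
    }
}

function Set-DepOptOutPolicy {
    # "Turn on DEP for all programs and services except those I select"; needs a reboot.
    bcdedit /set '{current}' nx OptOut | Out-Null
    Write-Host 'DEP policy set to OptOut; reboot to apply.'
}

function Add-DepException {
    # Only 32-bit programs can opt out; 64-bit processes always run with DEP enforced.
    param([Parameter(Mandatory)][string]$ExePath)
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "Not found: $ExePath" }
    if (-not (Test-Path $layers)) { New-Item -Path $layers -Force | Out-Null }
    # Same shim-layer value the DEP tab writes for an excluded program.
    Set-ItemProperty -Path $layers -Name $ExePath -Value 'DisableNXShowUI' -Type String
}

function Get-DepExceptions {
    # Lists every program currently excluded, so exceptions can be reviewed and pruned.
    if (-not (Test-Path $layers)) { return @() }
    (Get-ItemProperty -Path $layers).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNX' } |
        ForEach-Object { $_.Name }
}

Get-DepPolicy
Add-DepException -ExePath 'C:\Games\ExampleGame\game.exe'   # placeholder path
Get-DepExceptions
```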
     
  33. devil22

    Never had a game have a problem with DEP, but I tend to only play newer stuff.
     
  34. devil22

    Guide has been updated, with information about EMET and IE9 ActiveX filtering. Just FYI. EMET is a very good tool, I suggest everyone run it and enable protections in EMET for web browsers, adobe reader/acrobat, office programs, media players, and so on.
     
  35. sfguy2

    I like your guide to security as there are far too many users that have no idea what to do.
    I found another site that is dedicated to educating users on how to secure their computers against the growing hacker threat.

    safegadget.com
     
  36. devil22

    That's a good guide and site, a little better organized than mine (was in a rush when I made mine and never went back to clean it up), hope it sticks around.
     
  37. Finny76

    When are you doing the next update to your blog?
     
  38. devil22

    Well I've covered the basics that I think are important, I'm trying to keep it small and easy to digest, and just cover the important stuff. Will probably add some stuff once Windows 8 comes out if it has any relevant security features, I know one in particular is kind of interesting - secure boot. Besides that I don't see much else I can/should add, do you have any suggestions/requests?
     
  39. js09
