/ Windows Administration
/ Windows Client Administration
Windows 7 comes with a more tight security model than previous versions of Microsofts client operating systems, but there are a couple of things you can do to tighten down the security of your Windows computer even more.
1. First of all, you should make sure that the user account you use for day to day work is not member of the Administrators local group. This is because an administrative user account poses a security vulnerability in itself as the administrators on the local machine have access permissions to change system settings.
In Windows 7, the old RunAs command – which could be quite annoying to use in earlier versions of Windows as not all applications supported this, has been integrated more tightly.
Now, whenever you choose to do an administrative Windows task, Windows will prompt you for credentials for an account with administrative permissions eliminating the need to right click and choose RunAs.
The less privileges you have as a user, the less damage you will be able to do to the system by mistake so running the most tasks as a User will improve the overall security of your system.
2. Change your network type to ‘Public’.
When setting up a new network connection, for instance to your newly created wireless network, Windows 7 will prompt you to choose a network type for the network connection. You will have options to choose:
a. Home Network
b. Office Network
c. Public Network
Home network will be more ‘Open’ than Office network as Windows will treat all computers on the network as ‘Good’ and the network type allows for sharing of personal folders and files with all other computers on this network.
Windows will create a home group for all computers on the network and will enable network discovery and File And Printer Sharing on the computer.
Office Network is a little bit more strict, while the Public network type is the most strict. The Public network type will simply disable Network discovery – which will simply hide your computer on the network and File And Printer Sharing will be disabled by default.
If you want a more secure computer and do not need to share your files and do not wish to be part of a Home Group, simply choose the Public network type.
Go to Control Panel\Network and Internet\Network and Sharing Center: Change network type to 'Public'.
3. Enable Windows Updates.
Windows Updates are enabled per default. Make sure the ‘Recommended settings’ are chosen or set it to download and notify for install.
Keeping up with the latest updates can significantly help protect you Windows installation.
4. Enable Windows Firewall and make sure all inbound connections are automatically dropped.
The firewall is enabled per default. If you do not need to share anything with other people and computers, you can safely choose to drop all inbound connections to make sure no one can access anything on your computer from the network.
It is possible to filter on the outgoing traffic in the Windows firewall as well. If you are really up to protecting your personal files, it can be a good idea to filter outgoing traffic and application access as well.
5. Data Execution Prevention (DEP)
Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from your computer's memory reserved for Windows and other authorized programs. These types of attacks can harm your programs and files.
DEP can help protect your computer by monitoring your programs to make sure that they use computer memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.
Go to system/ advanced system settings/ performance/ settings/ data execution prevention : Set to all programs
Turn On DEP for all Programs and services except those I select
6. Disable remote assistance and remote desktop connections
If you do not want to allow people messing with your system remotely – that is, if you do not want to give other people the option to connecting to your precious Windows 7 box and playing around with it, you can specify that this will not be an option.
Go to Control Panel\System and Security\System\Advanced System Settings\Remote and uncheck ‘Allow remote assistance connections to this computer’ and ‘Dont allow connections to this computer’.
7. Change User Account Control Settings to highest level
You might get prompted a bit more, but the overall security is raised a bit as you will get prompts for more common administrative system tasks, enabling you to take a stand on whether you will actually allow the specific task to run.
Go to Control Panel\User Accounts and Family Safety\User Accounts\ Change User Account Control Settings = Set to highest level
8. Disable sharing and the NetBios protocol
If you are pretty sure you will not need to share your files over the network, you can go further and completely remove the option to share files.
Disable Netbios over tcp/ip on the network adapters on the computer. Remove check mark on Network and sharing, so that the machine is not using the 'File And Printer Sharing For Microsoft Networks' protocol.
Go to Control Panel\Network and Internet\Network Connections
Right click the adapter of your choice (if you have more than one) and choose Properties.
Double click the ‘Internet protocol version 4 (TCP/IPv4)’. Navigate to ‘Advanced’ and choose ‘Wins’.
Check ‘Disable NetBios over TCP/IP’.
This will block connections to some of the most insecure ports on a Windows operating system – or some of the most exploited.
9. Disable unnecessary services
You can stop for now, but if you are sure exactly what your computer will be used for. You can go any further and disable some of the many services Windows 7 runs, but probably won’t need.
Examples of those services are:
a. TCP/IP Netbios helper
b. Server Service
c. Computer Browser
d. Remote Registry
e. HomeGroup Listener (If you are not intenting to use the homegroup features)
f. HomeGroup Provider (If you are not intenting to use the homegroup features)
There might be many more but I have chosen some of the services used for sharing files and if you do not want your Windows computer to be every mans property, you can safely disable these services to secure your box even more.
I haven’t mentioned a good AV solution and common sense as security steps as I guess they are more or less mandatory for a secure environment.
23-11-2009 by Thomas Møller Nexø
Unique visits since publich date 24703
Comment on this article