Hardening Windows 7 guide
Why is this so important? Because bad people have, through innovations of commerce on the dark web, devised a system of cooperation that is shockingly effective. In an environment of inherent distrust (think about it: literally everyone involved is, by definition, untrustworthy), they work together. Through the top recommendations, we suggest a prioritized list for securing your devices, with a relative ranking of the overall impact to your security posture. We are also exploring ways to provide useful comparisons using this framework.
Secure score represents our best recommendations for securing your endpoint devices among other things. We thought we should supplement secure score to help people in all these scenarios with the security configuration framework.
The security configuration framework is designed to assist with exactly this scenario. Rather than making an itemized list, we grouped recommendations into coherent and discrete groups, which makes it easier for you to see where you stand in terms of your defensive posture.
In this initial draft, we have defined 5 discrete levels of security configuration. We are releasing this draft version to gather additional feedback from organizations looking to organize their device security hardening program. We are eager to gather feedback on how we could make this guidance more useful, and if there are security controls and configurations you feel may be misplaced or missing!
Understanding where you lie in a continuum of security is also valuable. The deadline for Windows 7 end of life is approaching quickly. With only a few weeks to go, organizations around the world are scrambling for ways to protect themselves, facing the inability to carry out security updates.
Before I approach ways in which you can harden your systems, keep in mind that running unsupported operating systems is dangerous. While these techniques will lower your surface area of attack, no cybersecurity solution can fully replace the need to patch and run supported operating systems.
With that being said, regardless of whether you are running an unpatched or patched operating system, there are ways you can harden your environment. Many Windows vulnerabilities stem from the RPC protocol. There are several historic vulnerabilities, including Eternal Blue, which was exploited in to spread the extremely damaging WannaCry ransomware.
With the Windows Firewall, or a third-party firewall, enabled, attackers will not be able to access the ports to exploit these vulnerabilities. Internet Explorer is the problem child of Microsoft. What was once the world's leading browser is now a security nightmare. Just two months ago, a vulnerability allowed attackers to launch fileless malware attacks with minimal effort. I found that the amount of produced logs is reasonable.
But you may not agree with me. The FIPS setting can cause problems. For example, connecting to the default Windows XP remote desktop service is not possible! The settings in this template are very restrictive. As an advanced user you may ignore them. The most helpful setting in this template is the "Display for user setting" group. Let's have a look at them. Also in this template, you should check whether the following settings suit your requirements. Prevent ignoring certificate errors: if you are an advanced user, you may want to disable it.
If you are an advanced user, you may want to disable these policies to have access to these pages. You may ignore this policy, as it disables some basic functionality such as "Changing certificate settings", "AutoComplete for forms" or the "Save this program to disk" option. You may need those as an advanced user. The SCM manager allows you not only to change settings in the default templates, but also to add your own settings and save them in your customized templates.
Generally, you should not run any components, especially network based, if you do not use them. By disabling them, you decrease the exposure of your system against future vulnerabilities and attacks.
For a more relaxed configuration (for example, at home), you may want to use file sharing and remote desktop, and maybe you don't want to type a password in the UAC prompt each time. Then you should consider changing these settings. There are 4 levels of UAC in Windows 7. The default level 3 indeed produces fewer prompts, but unfortunately, because of that, it is much easier to bypass it completely.
Therefore, I recommend using the strictest level 4, "Always Notify". You should always be informed when an application uses administrator privileges. This way, you will have a chance to exclude certain applications which do not work correctly with these mechanisms. Next, choose 'configure apps' to implement full EMET protection on programs which access the Internet.
I used it on the following applications: You want to use the built-in Windows 7 firewall if you care mainly about inbound traffic.
Of course you have options to filter outbound traffic.