Hardening Windows 7

 

This page is about hardening Windows 7 - it is written around Windows 7 on a Toshiba laptop, however quite a lot of the information on the page will be relevant to other installations.

Hardening an operating system is the process of closing down as many of the unused services and programmes as possible - most services, processes, protocols, and programmes that are running on an operating system introduce some kind of additional risk of attack.

Unfortunately, Microsoft still have a bad habit of running many of these things by default on their operating system, in the belief that it makes it easier to use the computer in different ways. It would be much safer if Microsoft ran as little as possible by default, and left it to users to turn on the services or processes or protocols or programmes as required. But for whatever reason, they don't.

Added to that, computer manufacturers seem determined to make their product more attractive by including all kinds of software which adds to the risk. So this needs to be looked at as well.

So this web page looks at various ways to harden Windows 7.

 

Connecting to a network

I strongly recommend that a computer is not connected to a network until it has been hardened. Until it has been hardened it is quite a bit more vulnerable to attack, and even respected websites may be delivering malware, because the web server has been attacked.

There is also a possibility that other computers on the same network are infected, and are trying to cross infect the other computers on the network.

There is a bit of a conundrum here - how do you do a Windows update to make the computer more secure, without connecting to a network, and to the internet?

I don't have an answer to this one, except to suggest you do as much hardening as possible before connecting to Windows Update.

 

User accounts and passwords

The account that is set up when Windows is first installed and configured by the user is the administrator account. Don't use this account for normal day-to-day work. Only use it for administration.

Go to Start menu / Control panel / User accounts.

Create a new account that is a Standard user, and give it a decent password - use this account for day-to-day stuff.

If you are doing stuff with the administrator account, and you get attacked, the attacker can do ANYTHING to your computer.

If you are doing stuff with a Standard account, an attacker would be much more limited in what they could do.

 

Stopping programmes running by default

If the computer is an off-the-shelf item from one of the bigger manufacturers, it will probably be set up to run all kinds of things at start-up.

Finding from where they are run can be a bit time-consuming - some will be run from start-up menus, some from the registry, and so on. Probably the easiest way to stop them is through a Microsoft tool - Msconfig.

Msconfig is a GUI tool which is fairly simple to use. There are three ways to run it.

One small snag is that in Windows 7, the Run command isn't shown in the Start menu. However it can be shown -

In msconfig, select the Startup tab, and untick the boxes for all the items that you don't want to start by default at start-up.

I am afraid that Toshiba are rather guilty of running a lot of Toshiba programmes by default - some of them are quite obscure as to what they do, and some of them are decidedly iffy as far as security is concerned. Watching a Toshiba laptop boot up with Wireshark on a private network shows a lot of attempted communication with several different remote internet sites. I have unticked the boxes in msconfig for every listed Toshiba programme, and so far Windows has worked fine without them. I'm heading towards un-installing all the Toshiba programmes.
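As an added example (not part of the original page), the same start-up entries that msconfig's Startup tab shows can be listed with their registration location, which makes it easier to see what a manufacturer has added before unticking or uninstalling it. It assumes Windows 7 with PowerShell 2.0 run from an elevated prompt; the 'Toshiba' pattern is only an illustration taken from this page.

```powershell
# Added example, not from the original page: list the start-up entries that
# msconfig's Startup tab shows, together with where each one is registered, and
# flag the ones matching a vendor pattern so they stand out before you untick
# or uninstall them. Assumes Windows 7 / PowerShell 2.0; run elevated to see
# the all-users (HKLM and Common Startup) entries. 'Toshiba' is only an
# illustration taken from this page; use whatever vendor is on your machine.

param([string] $FlagPattern = 'Toshiba')   # case-insensitive -match

# Win32_StartupCommand covers the Run/RunOnce registry keys and the per-user and
# all-users Startup folders. Scheduled tasks and services are not included.
function Get-StartupEntries {
    Get-WmiObject -Class Win32_StartupCommand | ForEach-Object {
        New-Object PSObject -Property @{
            Name     = $_.Name
            Location = $_.Location      # e.g. HKLM\...\Run, Startup, Common Startup
            User     = $_.User          # 'Public' for entries that apply to everyone
            Command  = $_.Command
            Flagged  = (($_.Name -match $FlagPattern) -or ($_.Command -match $FlagPattern))
        }
    }
}

$entries = @(Get-StartupEntries)

# Flagged entries first, then grouped by where they are registered.
$entries | Sort-Object @{Expression = 'Flagged'; Descending = $true}, Location, Name |
    Format-Table Flagged, Location, User, Name, Command -AutoSize -Wrap

# How many entries each location contributes, and how many were flagged.
$entries | Group-Object Location | Select-Object Count, Name | Format-Table -AutoSize
$flagged = @($entries | Where-Object { $_.Flagged }).Count
Write-Host ("{0} of {1} start-up entries match '{2}'" -f $flagged, $entries.Count, $FlagPattern)
```

Compare the listing with what msconfig shows after unticking: an entry that is still present in the Run keys has only been disabled by msconfig, not removed.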

 

Removing programmes

Every programme installed on a computer increases the vulnerability by a greater or lesser amount - except hopefully programmes designed to find malware such as anti-virus software. So un-install as much of it as possible.

Computer manufacturers tend to be guilty of installing all kinds of programmes which they think will make their product more attractive. Often known as bloatware, the more that can be removed the better.

There is an additional advantage in doing this, as much of this bloatware will be run at start-up, and so is consuming memory space and CPU time, so will slow the computer down.

If you are in the fortunate position of being provided with a Windows 7 installation DVD along with the computer, the ideal thing to do would be to wipe the computer, and install Windows 7 from scratch, so you get a clean installation of Windows 7, without all the bloatware.

Removing programmes rarely removes all traces of the programme - some debris always gets left behind - so doing a clean install of Windows 7 is preferable.

However you would have to sort out all the required drivers, so an install from scratch isn't always straightforward.

If the computer doesn't come with a Windows 7 installation DVD, but instead has a recovery partition on the hard drive - then you are stuck with uninstalling each programme one by one.

I strongly recommend that you make a back-up of the recovery partition before you start un-installing the bloatware, just in case things go seriously wrong during the uninstalls - this can happen. Both installing and un-installing software can upset the operating system, and un-installing software seems to be a bit more risky than installing software.

Toshiba laptops with recovery partitions will usually have a Toshiba programme to create the back-up DVDs.

Also make sure that all the data on the computer is backed up on some device external to the computer.

In particular look for and get rid of any programmes that allow incoming traffic which the programme has not requested. Messenger programmes are famously bad for this - every so often they generate and send out some traffic to no-one in particular - the sole purpose of this is to keep open a hole through stateful firewalls, so unsolicited traffic can come in through the firewall at any time.

Another one to look out for is the Flash player - on an off-the-shelf computer running Windows 7, this will almost certainly be an ActiveX version of the Flash player which is designed for the Internet Explorer / Windows environment.

ActiveX is a technology designed by Microsoft to allow web designers to pull up other programmes from within Windows - it was intended to enhance the performance and capability of websites. However it also allows malicious attackers to do unpleasant things deep inside Windows.

If you want the Flash player on the computer - you will be struggling with a lot of websites without Flash - use a different browser like Firefox or Opera, and download the non-ActiveX version of the Flash player.

Unless you really need it, Java should be uninstalled. Java can be used by attackers to make modifications to the computer, and unless it is upgraded and updated regularly, it will have weaknesses.

 

Removing protocols

Windows 7 comes with communication systems that are new to Windows 7, as well as technologies that are much older, for backward compatibility with older versions of Windows. Some of these are famously insecure - NetBIOS is one, and is a common route for malicious attacks on Windows. It is enabled by default in most versions of Windows - including NT, 2000, XP, and even Server 2008.

The infamous Conficker worm variants A, B, C, and E all used NetBIOS to wreak their havoc on so many computers in 2009. Don't underestimate the risk of enabling NetBIOS on a computer.

Go to the Start menu / Control panel / Network and sharing centre / Change adapter settings / Right click on Local area connections

Select Properties

You will probably see a list of 7 items, all with ticked boxes. Many of these are weak spots - get rid of as many as you can that you don't need.

For a basic Ethernet LAN connection, the only two required ones are

The other ones all depend on how you want to use the computer - but they all lower the security of the computer. You can untick the boxes to kill them, but a better method is to uninstall them. This has the advantage that it removes them from the wireless connection as well.

Now highlight "Internet Protocol Version 4 (TCP/IPv4)", click on Properties, click on Advanced, click on the WINS tab. Unless you really need it - select "Disable NetBIOS over TCP/IP".

If you are going to use some of the Microsoft file sharing technologies, you may need NetBIOS.

If Windows 7 is on a laptop, repeat all this for the Wireless network connection.

There may be other types of connections listed, eg - VPNs. You may need to repeat all this for them as well.
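The "Disable NetBIOS over TCP/IP" setting above is applied per adapter, so on a laptop it has to be repeated for the LAN, wireless and any VPN connections. The following is an added example, not from the original page, that applies it to every IP-enabled adapter at once through WMI and reports the state before and after; it assumes Windows 7 with PowerShell 2.0 and an elevated prompt.

```powershell
# Added example, not from the original page: the WINS-tab setting applied to
# every IP-enabled adapter (LAN, wireless, VPN) in one go through WMI.
# Assumes Windows 7 / PowerShell 2.0, run from an elevated prompt.
# Remember the page's caveat: Microsoft file sharing by name may need NetBIOS.

# Values of Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions
$NetbiosViaDhcp  = 0   # default: the DHCP server decides
$NetbiosEnabled  = 1
$NetbiosDisabled = 2

function Convert-NetbiosOption([int] $value) {
    switch ($value) {
        0       { 'default (DHCP decides)' }
        1       { 'enabled' }
        2       { 'disabled' }
        default { "unknown ($value)" }
    }
}

function Get-IpAdapterConfig {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
}

# Report the current state per adapter (used before and after the change).
function Show-NetbiosState {
    Get-IpAdapterConfig | ForEach-Object {
        New-Object PSObject -Property @{
            Index   = $_.Index
            Adapter = $_.Description
            NetBIOS = Convert-NetbiosOption $_.TcpipNetbiosOptions
        }
    } | Format-Table Index, NetBIOS, Adapter -AutoSize
}

function Disable-NetbiosOverTcpip {
    foreach ($cfg in Get-IpAdapterConfig) {
        if ($cfg.TcpipNetbiosOptions -eq $NetbiosDisabled) {
            Write-Host "$($cfg.Description): already disabled"
            continue
        }
        # SetTcpipNetbios returns 0 (done) or 1 (done, reboot needed); anything
        # else is an error code from the WMI provider.
        $rc = $cfg.SetTcpipNetbios($NetbiosDisabled).ReturnValue
        switch ($rc) {
            0       { Write-Host "$($cfg.Description): NetBIOS over TCP/IP disabled" }
            1       { Write-Host "$($cfg.Description): disabled, reboot required" }
            default { Write-Warning "$($cfg.Description): SetTcpipNetbios failed with code $rc" }
        }
    }
}

Write-Host 'Before:'; Show-NetbiosState
Disable-NetbiosOverTcpip
Write-Host 'After:';  Show-NetbiosState
```

Adapters that are not currently IP-enabled (for example a VPN that is not connected) are not listed, so re-run it after bringing such a connection up.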

 

Stopping services

It would be a big improvement in the security of Windows if Microsoft didn't run a lot of services by default, and instead left it to users to switch on services if they need them.

To help harden Windows 7, there are many services that can be disabled - but as before, it depends on how you want to use the computer.

Be prepared to spend quite a lot of time working out which services can be safely disabled, and which ones are required for the way you want to use the computer. You need to take account of service dependencies, as well as the primary function of the service.

Msconfig allows you to control services, but using it for this is more for stopping services in the course of fault finding, rather than for permanent configuration.

A better tool is the Services tool available through Start menu / Control panel / Administrative tools / Services.

To change whether a service starts up automatically, is started manually, or is disabled, highlight the service, right click on it, and select Properties.

Some of the services in Windows 7 are legacy services that are the same as on NT, 2000, or XP - if you don't want interaction with older versions of Windows, they can be disabled.

I'm still working my way through them all, but here are some of the services that so far, I reckon can be disabled - this list is built around the way I use Windows 7 - your list will probably need to be different. The Startup Type after each service is the original setting.

There are probably more services that can be disabled, it does depend on how you are going to use Windows.
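Because the right list depends on service dependencies and on how the computer is used, it helps to record each service's original Startup Type and to refuse to disable anything that a running service still depends on. The following is an added example, not from the original page; it assumes Windows 7 with PowerShell 2.0 and an elevated prompt, and its candidate list is illustrative: NlaSvc is the Network Location Awareness service named on this page, while netprofm (Network List Service) and PolicyAgent (IPsec Policy Agent) are my mapping of the other two services the page says it disabled.

```powershell
# Added example, not from the original page: disable candidate services only
# when no running service depends on them, after saving each one's original
# Startup Type so the change can be reversed. Assumes Windows 7 / PowerShell 2.0
# and an elevated prompt. The candidate list is illustrative (see lead-in);
# adjust it to the way you use the computer.

$Candidates = @('NlaSvc', 'netprofm', 'PolicyAgent')
$BackupFile = Join-Path $env:USERPROFILE 'service-startup-backup.csv'   # assumed location

# Win32_Service.StartMode values versus the names Set-Service -StartupType expects.
# Note: "Automatic (Delayed Start)" is reported as Auto and restored as plain Automatic.
$StartupTypeFor = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

function Get-ServiceRecord([string] $name) {
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $wmi) { Write-Warning "$name not found"; return $null }
    $svc = Get-Service -Name $name
    # A running dependent would break now; a stopped one will fail to start later.
    New-Object PSObject -Property @{
        Name              = $name
        DisplayName       = $wmi.DisplayName
        OriginalStartMode = $wmi.StartMode
        State             = $wmi.State
        RunningDependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })
        AllDependents     = @($svc.DependentServices | ForEach-Object { $_.Name })
    }
}

function Save-OriginalStartModes($records) {
    $records | Select-Object Name, DisplayName, OriginalStartMode |
        Export-Csv -Path $BackupFile -NoTypeInformation
    Write-Host "Original startup types saved to $BackupFile"
}

function Disable-CandidateServices {
    $records = @($Candidates | ForEach-Object { Get-ServiceRecord $_ } | Where-Object { $_ })
    Save-OriginalStartModes $records
    foreach ($r in $records) {
        if ($r.RunningDependents.Count -gt 0) {
            Write-Warning "$($r.Name): skipped, running dependents: $($r.RunningDependents -join ', ')"
            continue
        }
        if ($r.AllDependents.Count -gt 0) {
            Write-Host "$($r.Name): stopped dependents will no longer start: $($r.AllDependents -join ', ')"
        }
        Set-Service -Name $r.Name -StartupType Disabled
        if ($r.State -eq 'Running') { Stop-Service -Name $r.Name -Force }
        Write-Host "$($r.Name) ($($r.DisplayName)): was $($r.OriginalStartMode), now Disabled"
    }
}

# Reverse the change from the saved file.
function Restore-OriginalStartModes {
    Import-Csv -Path $BackupFile | ForEach-Object {
        Set-Service -Name $_.Name -StartupType $StartupTypeFor[$_.OriginalStartMode]
        Write-Host "$($_.Name): startup type restored to $($_.OriginalStartMode)"
    }
}

Disable-CandidateServices
# Restore-OriginalStartModes   # run this instead to undo
```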

 

Windows 7 firewall

The Windows 7 firewall has become a rather complex part of the operating system - and the risk is that the complexity can possibly lead to it being misconfigured.

The Windows 7 firewall is more complex than that on earlier Windows versions, and is similar to that on Server 2008 and Server 2008 R2.

Windows 7 provides two GUI tools to control the firewall -

There is also a "netsh advfirewall" command line environment.

The Windows Firewall with Advanced Security MMC snap-in can be run -

The Windows Firewall with Advanced Security MMC snap-in allows for deep configuration of the firewall, such as rules, Group policy, control via IPsec, and monitoring.

----------------

At the centre of the Windows 7 firewall, there is a normal stateful firewall - when an application or service on the computer requires some interaction with a remote server, packets are sent out through the firewall to the server.

The firewall records these packets in a type of database, known as a state table - where the packets came from, and the address of the server they were sent to.

When the server replies, it sends different packets back to the computer - the firewall looks in its state table and sees that these are legitimate packets related to the packets that were sent out, and lets them through the firewall, and onto the application.

However if another server or remote computer sends a packet to the computer, the firewall looks at it, looks in its state table, decides that the packet is not a legitimate solicited packet, and rejects it.

This type of firewall is now widely used.

The Windows 7 firewall adds a huge number of rules which are intended to additionally filter wanted and unwanted packets - or cut holes through the stateful firewall mechanism, and allow specific types of unsolicited packets in through the firewall.

All these rules are either in one of, or in the other of, two sets -

As far as Microsoft are concerned, the default -

By default, the firewall will allow all outgoing packets. So the outgoing rules can be used to block some specific types of traffic. There does seem to be a wide diversity of opinion amongst security people as to whether it is a good idea to have a default allow policy for outgoing packets - some people say there should be a default block policy for outgoing packets. A big downside of this is that you then have to manually create rules to allow outgoing packets for each programme that requires them. So that is a bit of an extra administrative overhead.

Outgoing rules can also be used to allow specific packet types out through the firewall, if the firewall is configured to have a default block on all outgoing packets. I believe that a default block policy can be applied to the firewall by either the local security policy or a Group policy from Active Directory - however Windows 7 Home Premium doesn't support either of these.

However it doesn't appear to work if you create a block-all rule, and then create an allow-specific rule - the block-all rule wins, and the packets don't get out. This makes it quite difficult to have a block-all policy using rules.

It divides these two sets of rules up into three groups called Profiles -

Each network connection can be allocated to one of the profiles - except that Microsoft have made this more difficult than it needs to be.

First off, you can't allocate a network connection to a profile until the network connection is already live. It would be far safer if you could do the configuration before connecting.

Secondly, when doing the allocation, it doesn't refer to profiles, it refers to network locations - in Windows 7 Home Premium, they are called Home, Work, and Public. There may be a Domain location in Windows 7 Professional or Enterprise, but I don't have access to them.

The allocation is done via the Start menu / Control panel / Network and sharing centre.

If you dig around through the various screens, you eventually find that

I am afraid to say that I do not agree with the Microsoft assumption that home and work networks are safe - by definition, any network that has computers on it that can connect to the internet is unsafe -

There are several ways that malicious content can be introduced onto computers, and the average layer 2 or 3 network firewall or home router will not see that malicious content.

Once one of the computers has been compromised, it will usually try to attack the other computers on the same network.

So if you are serious about protecting your computer, always select the Public network location.

Just for completeness: although the Home and Work network locations are both associated with the firewall's Private profile, that doesn't mean they are the same.

The Private profile has rules for both network discovery and for HomeGroup. The Public profile does not have rules for either.

The Private profile has rules which would cut holes for the legacy File And Printer Sharing, but they are not enabled by default. The Public profile does not have any rules for File and Printer Sharing.

Along with others, it is these differences that make the Public profile the more secure option - and is why you should use the Public network location.

Don't be lulled into complacency by the fact that you have disabled services or protocols - the holes through the firewall that these services or protocols would normally use may still be there, even if the services and protocols themselves have been disabled. These holes provide routes into your computer through the firewall, and can be used by attackers.

Something that may cause some problems in a Work environment is that in the Private profile, many of the default rules limit valid source addresses to those on the local subnet. In the Home environment, it is unlikely there will be more than one subnet, however in the Work environment there could well be more than one subnet. It is a security benefit in limiting source addresses in this way, however it is something to be aware of because of the potential for causing problems.

Now if you are sufficiently paranoid - you may decide that the Private profile and the Domain profile are not required, and it would be safer if they didn't exist. So you can go in to the rulesets, and delete all the rules that are only in these two profiles. Don't delete rules that are marked as "All" or also in the Public profile, or you will break the Public profile as well.

----------------

Another problem that the Windows firewalls have had ever since they appeared in XP SP2 is that applications or application installers can cut holes in the firewall for themselves. If you look at the rule set of the Windows firewall on an off-the-shelf computer with bloatware on it, you will almost certainly see rules that have been created by the installation of the bloatware.

Fortunately, Microsoft have provided a solution to this - it is the "Restore defaults" link on the home page of the Windows 7 firewall configuration tool available through Control panel.

In many cases, the uninstallation of the application will actually remove the rules from the firewall, however this isn`t always the case.

So a possible course of action would be to remove all the unwanted bloatware from the computer, then use the "Restore defaults" link.

Another thing that can happen is that an application can change an existing rule, rather than adding a new rule - uninstalling the application will not necessarily reset the rule back to where it was. Using the "Restore defaults" link will set things back to the default.

Be aware of the warnings that Microsoft provide before the "Restore defaults" link actually does its business - some wanted programmes may be affected. So use the "Restore defaults" before installing any new applications.

----------------

Digging a bit more into the rules will reveal that there are 19 rules that are all named "Core networking -.........", and are enabled for all three profiles.

17 of these relate to IPv6 - if you are not going to be needing IPv6, then I reckon they should all, or nearly all, be disabled. Having all these holes cut through the firewall for IPv6 is quite a weakness in the firewall.

Teredo is an encapsulation process for tunnelling IPv6 over IPv4 networks - so it is a weakness as well.

Of the 19, the one that is most likely to be needed is "Core networking - Dynamic Host Configuration Protocol (DHCP-In)" - unless your computer has got a fixed and internally configured IP address, you will need it for the LAN connection. Wireless will almost certainly need it.

----------------

One of the things that concerns me is the existence of all the default rules - most of which are not enabled.

I am concerned about it because I wonder if having rules that are not enabled is itself a security risk - my personal view is that maybe they should all be deleted, and the only rules that exist are those that are actually being used.

It would certainly make it easier to "see" what rules are in use, and so what holes have been cut through the firewall.

It would also make it safer, because instead of having a rule which applies to any source address and any destination address, rules could be custom designed to limit source and/or destination IP addresses to one specific computer or network.

The Windows 7 firewall MMC snap-in allows you to create your own rules which can be used to either allow or block packets based on

The firewall also allows you to Export the list as tab or comma delimited .txt or .csv files, so your rule set can be used on multiple computers.

At least that is the theory - so far I haven't found how to import a list using the GUI firewall management tool on Windows 7 Home Premium. I don't know if Windows 7 Professional and Enterprise are different.

An alternative may be to use the command line tool "netsh advfirewall" to import it.

In theory it is quite safe doing all these changes to the ruleset, because you should get them all back by selecting the very useful "Restore defaults" link again.
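The "Core networking" rules above and the export/import question are both things the "netsh advfirewall" command line can handle. The following is an added example, not from the original page: it saves the whole policy with "netsh advfirewall export" (which "netsh advfirewall import" can restore), then disables the inbound Core Networking rules that exist only for IPv6 while leaving the IPv4 DHCP-In rule alone. It assumes Windows 7 with PowerShell 2.0, an elevated prompt and English netsh output, and the name patterns it matches on are my assumption about how the rules are named.

```powershell
# Added example, not from the original page. Assumes Windows 7 / PowerShell 2.0,
# an elevated prompt, and English "netsh" output (the parser keys on the labels).
# 1. back up the whole policy with "netsh advfirewall export"
# 2. disable the inbound "Core Networking" rules that only serve IPv6 (IPv6,
#    ICMPv6, Teredo, IP-HTTPS, DHCPv6), leaving the IPv4 DHCP-In rule alone
# The name patterns are my assumption about how the rules are named: read the
# listing before trusting them. "netsh advfirewall import <file>" undoes it all.

$BackupFile  = Join-Path $env:USERPROFILE 'firewall-before-ipv6-changes.wfw'  # assumed path
$Ipv6Pattern = 'IPv6|ICMPv6|Teredo|IPHTTPS|DHCPV6'   # -match is case-insensitive
$KeepPattern = '\(DHCP-In\)$'                         # the IPv4 DHCP rule stays

function Backup-FirewallPolicy {
    netsh advfirewall export "$BackupFile" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh export failed with code $LASTEXITCODE" }
    Write-Host "Policy saved to $BackupFile (undo: netsh advfirewall import ""$BackupFile"")"
}

# Turn "netsh advfirewall firewall show rule" text into one object per rule.
function Get-InboundRules {
    $rules = @(); $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{
                Name = $matches[1]; Enabled = ''; Profiles = ''; Grouping = '' }
        } elseif ($current -and $line -match '^(Enabled|Profiles|Grouping):\s+(.+?)\s*$') {
            $prop = $matches[1]; $val = $matches[2]
            $current.$prop = $val
        }
    }
    if ($current) { $rules += $current }
    $rules
}

function Disable-Ipv6CoreNetworkingRules {
    $targets = @(Get-InboundRules | Where-Object {
        $_.Name -like 'Core Networking - *' -and $_.Name -match $Ipv6Pattern -and
        $_.Name -notmatch $KeepPattern -and $_.Enabled -eq 'Yes' })
    foreach ($rule in $targets) {
        # "set rule" acts on every inbound rule carrying this name. The argument
        # is built separately so PowerShell quotes the spaces in the name for netsh.
        $nameArg = "name=$($rule.Name)"
        netsh advfirewall firewall set rule $nameArg dir=in new enable=no | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Host "disabled: $($rule.Name) [$($rule.Profiles)]" }
        else { Write-Warning "could not disable $($rule.Name) (code $LASTEXITCODE)" }
    }
    Write-Host "$($targets.Count) rule(s) processed. Core Networking rules still enabled:"
    Get-InboundRules | Where-Object { $_.Name -like 'Core Networking - *' -and $_.Enabled -eq 'Yes' } |
        Format-Table Name, Profiles -AutoSize
}

# A default-deny for outgoing traffic is a per-profile setting, separate from the
# rules, e.g.: netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

Backup-FirewallPolicy
Disable-Ipv6CoreNetworkingRules
```

The "Restore defaults" link mentioned above will also undo these changes, but the exported .wfw file restores exactly the rule set you had, including any rules you had already customised.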

----------------

Going back to the user orientated GUI "Windows Firewall Control Panel" which is available through Start menu / Control panel - Microsoft have fallen into the same hole that they so often fall into - they create a complex system that requires a good technical understanding to configure it properly - then they decide that many users will not have the ability to understand the system, so they create an easy-to-use GUI tool which does the configuration for them.

They did it with Simple File Sharing in XP - they decided that people wouldn't be able to find their way through the quite complex NTFS file sharing access control - so they provided Simple File Sharing, which threw away all the protection of the access control in NTFS.

In the top left hand corner of the home screen of Windows Firewall Control Panel there is a link to "Allow a program or feature through Windows Firewall".

With this tool, just a single click on a box will add to the ruleset one or several rules which cut holes through the firewall - and the default action is to add them to the Public profile.

It is frighteningly easy to cut huge holes through the firewall, to the extent that the firewall might as well not exist for the Public profile.

I can see the problem that Microsoft have of building operating systems that are usable, but did they have to make it quite so easy to stop the firewall doing its job, especially on the Public profile, with no warnings of any kind?

----------------

That is as far as I have got so far with the Windows 7 firewall - I keep finding out more about it. It has its good points, and it has its bad points.

I think it is a weakness that Microsoft have only used Incoming rules to cut holes through the firewall, and not to block some types of incoming packets, such as

There is a bit too much reliance on the stateful characteristic of the firewall, and it is well known that these have weaknesses.

Another weakness is that creating a block-all outgoing rule does not actually block everything - on boot-up Windows 7 still advertises itself using Link-Local Multicast Name Resolution on 224.0.0.252. I prefer that my computers don`t advertise themselves to the world.

On the plus side, the Windows 7 firewall is better than the Windows XP firewall.

I haven't looked at Group Policy, or the use of IPsec. In fact, as shown in the list above, I have currently disabled the IPsec service. However IPsec may be required for some websites where authentication or encryption is required.

One of the uses of IPsec is to allow remote configuration of the firewall - I'd rather live without that!

 

LLMNR

As mentioned above, Windows 7 advertises itself using LLMNR, and it can't be stopped using the firewall.

LLMNR multicasts UDP messages on port 5355. It may also use TCP on port 5355.

It can be regarded as a security risk, as the host transmits multicast LLMNR packets which identify the host.

In addition, as the Windows firewall is a stateful firewall, the outgoing packets will cut holes through the firewall for incoming packets for a period of time on port 5355 - this provides a hole for attack. So it is better to disable LLMNR if it is not required.

On the higher versions of Windows 7, Group policy can be used to disable LLMNR.

On Windows 7 Home Premium, LLMNR can be disabled by a registry entry - the key doesn't exist by default, and needs to be created. The key is


       HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient

Create a DWORD called "EnableMulticast" with a value of "0".

There is a bit more about LLMNR in my web page about Windows 7 Name Resolution.

 

Network Location Awareness

Network Location Awareness is a service for identifying what types of network the computer is connected to. It can be used to decide if a network connection should be part of the Public profile or the Private profile, once the administrator has made a choice about it.

It can also be used by applications that are NLA aware to react to changing network connections, such as might be experienced by a roaming laptop, which might be used on LANs, then on WiFi, for example.

So it may be useful from that point of view. However it has a couple of security downsides - every time the computer is started, or reconnects to a network -

The list above of disabled services therefore includes the Network List Service and the Network Location Awareness service.

However if you think you need this service, but don't want the computer to connect to the web server at "www.msftncsi.com", this action can be stopped via a registry entry - go to the key


       HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet

Change the DWORD called "EnableActiveProbing" to the value of "0".
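The LLMNR and Network Location Awareness registry changes above both come down to writing a DWORD under a policy or service key, and in the LLMNR case creating the key first. The following is an added example, not from the original page, that applies both settings, checks each value after writing it, and prints the previous value so it can be put back; it assumes Windows 7 Home Premium with PowerShell 2.0 and an elevated prompt.

```powershell
# Added example, not from the original page: the two registry settings from the
# LLMNR and Network Location Awareness sections, applied in one place. The
# DNSClient policy key is created when missing, each value is read back after
# writing, and the previous value (if any) is reported so it can be restored.
# Assumes Windows 7 Home Premium / PowerShell 2.0 and an elevated prompt; the
# settings take effect after a reboot (or a restart of the relevant service).

$Settings = @(
    @{ Purpose = 'Stop LLMNR multicast name resolution (port 5355)'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name    = 'EnableMulticast'; Value = 0 },
    @{ Purpose = 'Stop NLA probing www.msftncsi.com when a network comes up'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
       Name    = 'EnableActiveProbing'; Value = 0 }
)

function Set-HardeningDword($setting) {
    if (-not (Test-Path $setting.Path)) {
        # Policy keys such as DNSClient do not exist by default.
        New-Item -Path $setting.Path -Force | Out-Null
    }
    $existing = Get-ItemProperty -Path $setting.Path -Name $setting.Name -ErrorAction SilentlyContinue
    if ($existing) {
        $old = $existing.($setting.Name)
        Set-ItemProperty -Path $setting.Path -Name $setting.Name -Value $setting.Value -Type DWord
    } else {
        $old = '<absent>'
        New-ItemProperty -Path $setting.Path -Name $setting.Name -Value $setting.Value -PropertyType DWord | Out-Null
    }
    # Read it back rather than trusting the write.
    $now = (Get-ItemProperty -Path $setting.Path -Name $setting.Name).($setting.Name)
    New-Object PSObject -Property @{
        Purpose = $setting.Purpose
        Key     = $setting.Path
        Name    = $setting.Name
        Was     = $old
        Now     = $now
        Ok      = ($now -eq $setting.Value)
    }
}

$Settings | ForEach-Object { Set-HardeningDword $_ } |
    Format-List Purpose, Key, Name, Was, Now, Ok
```

To confirm the LLMNR change after a reboot, watch port 5355 with Wireshark as the page does for start-up traffic; the multicasts to 224.0.0.252 should no longer appear.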

 

Other ways to harden Windows 7

There are other ways to harden Windows 7 which I haven't got in to yet - such as User Account Control, Local security policy, and Group policy. So all the above is really just a start, and the bits that I see as more relevant to stand-alone computers.


© 2024   Ron Turner
