
Quick Note

Ideally, when you begin to harden your operating system you should start with a clean installation of the system. You can perform the steps below on an already established system; however, if it has already been compromised these steps will not help.

Section 1 Physical Security

Just as hardening the OS itself is important, you want to limit the means by which someone can access information on the storage medium the OS resides on.

Configure the BIOS to disable booting from CDs/DVDs, floppies (remember those?) and external devices, and set a password to protect these settings. This will be BIOS specific; I can give more information if you provide me with your hardware.

Perform full disk encryption of your hard disk. Two popular solutions for this on Windows are TrueCrypt and BitLocker. It is important that you use a passphrase of at least 15 characters. Additionally, once you have FDE (full disk encryption) completed, keep in mind that while the machine is powered on it is running in an unencrypted state. Therefore, when your machine is not in use, it is advised that you power it down.

Section 2 Access Control

It is important that you maintain a tight grasp on which user accounts have access to your Windows system and the permissions those accounts have. A good standard is to deploy under a least-privilege rule set: limit and restrict permissions and access to the least amount needed to perform tasks.

Disable or remove non-user accounts:

1. Start > search bar > lusrmgr.msc
2. Go to: Users
3. Disable or remove all accounts that you do not use (make sure to look up accounts you are unsure about). Verify the default Administrator and Guest accounts are disabled; they should be by default with Windows 7.

Now establish another admin account and set your main account to limited: in Control Panel, open User Accounts, click Create a new account and make a new account. You can call it what you wish (No_ScriptAdmin, for example); make sure you add it to the local Administrators group. Finally, use a strong passphrase for this account.

Next, go back to the User Accounts screen under Control Panel and change your main account to Standard user. The idea is that you use your limited account for day-to-day use and click Run as administrator when you need to install software or modify settings, at which time you will enter your passphrase to continue.

Optional Step 1: You can additionally choose to rename the default Administrator and Guest accounts to further mitigate risk. These accounts represent a security risk because knowing the names of the accounts on a Windows 7 OS is the first step to hacking it remotely. Not knowing the names of the accounts makes it that much harder for a hacker to execute an attack.

Optional Step 2 (Highly Recommended): Require Ctrl-Alt-Del for elevation to Admin.
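To verify the account state this section asks for without clicking through lusrmgr.msc, here is an added read-only PowerShell audit (not part of the original guide). It assumes an elevated PowerShell 2.0 session on the Windows 7 machine itself and uses the WinNT ADSI provider; the expected state it checks (built-in Administrator and Guest disabled, exactly one enabled admin account) is the one this section describes.

```powershell
# Added example, not from the original guide: read-only audit of local accounts
# against the Section 2 advice. Assumes an elevated PowerShell 2.0 session on the
# Windows 7 machine itself; the WinNT ADSI provider needs no extra modules.

$ADS_UF_ACCOUNTDISABLE = 0x0002   # UserFlags bit that marks a disabled account

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

# Names of everything in the local Administrators group (users and groups).
# Note: the group name is localized on non-English Windows installs.
$adminGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($adminGroup.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})

# One row per local user: enabled or not, member of Administrators or not.
$report = @(foreach ($entry in $computer.psbase.Children) {
    if ($entry.SchemaClassName -ne "user") { continue }
    $name  = $entry.Name.Value
    $flags = [int]$entry.UserFlags.Value
    New-Object PSObject -Property @{
        Name    = $name
        Enabled = (($flags -band $ADS_UF_ACCOUNTDISABLE) -eq 0)
        IsAdmin = ($admins -contains $name)
    }
})

$report | Sort-Object Name | Format-Table Name, Enabled, IsAdmin -AutoSize

# Findings the section tells you to act on.
foreach ($r in $report) {
    if ($r.Enabled -and ($r.Name -eq "Administrator" -or $r.Name -eq "Guest")) {
        Write-Warning "Built-in account '$($r.Name)' is enabled; disable it in lusrmgr.msc."
    }
}
$enabledAdmins = @($report | Where-Object { $_.Enabled -and $_.IsAdmin })
if ($enabledAdmins.Count -ne 1) {
    $names = ($enabledAdmins | ForEach-Object { $_.Name }) -join ", "
    Write-Warning "Expected exactly one enabled admin account, found $($enabledAdmins.Count): $names"
}
```

Run it again after creating the new admin account and demoting your daily account; the warnings should disappear.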

Section 3 Application Security

I would advise you to deploy AppLocker for Windows 7 (if supported). It replaces Software Restriction Policy (SRP) and provides greater flexibility to govern which applications are allowed to run and from which locations. AppLocker provides a simple and powerful structure through two rule actions: allow and deny. It also provides a means to identify exceptions to those actions. The allow action limits execution to an allowed list of applications and blocks everything else. I would advise you go in with an allowed whitelist, again following a default-deny mindset.

If you do not want to use AppLocker, you can set up Software Restriction Policies (SRP), though they require a bit more to maintain:

1. Log on with an Administrator account. Type gpedit.msc into the Run or Search box on your Start menu, click OK, and Group Policy will open.
2. Go down to Computer Configuration > Windows Settings > Security Settings, as shown in the picture below.
3. Right-click on "Software Restriction Policies" and create new policies.
4. Double-click Enforcement and set the Enforcement to cover all software files. Then apply the Software Restriction Policy to all users except local Administrators.
5. Next, in the right window panel, double-click Designated File Types. A panel opens. Go down the list to LNK, click it, then click the Delete button. This adjustment allows you to use your desktop shortcuts and Quick Launch icons.
6. Finally, to activate this rule set, right-click on Disallowed under the Security Levels folder and set it as the default security level.

Additional step if you have a 64-bit (x64) machine: click on Additional Rules and make a new Path Rule for C:\Program Files (x86) to allow software installed in that directory to run.

Disable autoplay for removable media:

1. Click Start and put gpedit.msc in the search box, then right-click on gpedit.msc when it appears above. Choose Run as administrator and Group Policy Editor opens.
2. Expand Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies, where you can disable AutoPlay on all drives.

Install and configure EMET

You can find and download EMET here. Next, run EMET and click the "Configure System" button. Make sure the following is configured: DEP is set to always enabled, SEHOP is set to opt-out, and ASLR is opt-in enabled.

After which you can start to add applications to EMET: select the "Configure Apps" button at the bottom of the window and use EMET to provide extra protection to your programs. Examples: web browsers, media players, PDF readers.
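The allowed-whitelist AppLocker approach recommended at the start of this section, as an added example (not from the original guide) using the AppLocker PowerShell module that ships with Windows 7 Enterprise/Ultimate. It assumes an elevated PowerShell session; $policyPath and the test script written to %TEMP% are constructed for the demonstration.

```powershell
# Added example, not from the original guide: build the "allowed whitelist" AppLocker
# policy this section recommends from what is already installed, dry-run it, and only
# then enforce. Assumes Windows 7 Enterprise/Ultimate, an elevated PowerShell session,
# and a writable $policyPath of your choosing.

Import-Module AppLocker

$policyPath = "C:\Temp\applocker-allowlist.xml"   # assumed output location

# Gather publisher/hash/path information for executables and scripts in the two
# install roots the guide treats as trusted (add "C:\Program Files (x86)" on x64).
$files  = @(Get-AppLockerFileInformation -Directory "C:\Windows" -Recurse -FileType Exe, Script)
$files += @(Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse -FileType Exe, Script)

# Allow rules only: publisher rules for signed files, hash rules for the rest.
# Once a collection has rules, anything unmatched is denied (default deny).
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -Encoding utf8 $policyPath

# Dry run before enforcing. A script dropped into a user-writable folder is
# constructed here as the "unknown software" case and should come back Denied.
$unknown = Join-Path $env:TEMP "not-on-the-list.ps1"
Set-Content -Path $unknown -Value 'Write-Host "not on the list"'
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "C:\Windows\System32\notepad.exe",   # expected: Allowed (publisher rule)
    $unknown                             # expected: Denied (no matching rule)
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforcement is a separate, deliberate step once the dry run shows no false
# denials: apply the XML (-Merge keeps any existing rules), start the Application
# Identity service that AppLocker depends on, and set each rule collection to
# "Enforce rules" in gpedit.msc under Computer Configuration > Windows Settings >
# Security Settings > Application Control Policies > AppLocker.
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service -Name AppIDSvc
```

Keep the policy in "Audit only" mode for a while and review the AppLocker event log for would-be denials before switching to enforcement.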

Section 4 Network

Unless your network configuration requires it, disable IPv6. IPv6 can be disabled either through the DisabledComponents registry value or through the check box for the Internet Protocol Version 6 (TCP/IPv6) component in the list of items on the Networking tab of a connection's properties in the Network Connections folder.

If you use Windows Firewall, make sure to use the Advanced Security options and block both inbound and outbound connections. For the sake of time, I have limited my network hardening to these simple steps; I will list more with the baseline.

Section 5 Backup and Recovery

Make sure you perform full daily backups of your system; it is good practice to deploy redundancy and diversity here. Back up to a local external hard drive (with FDE) as well as to another hard drive at a different location. This could be a second hard drive you own and transport to a safe location, or a cloud environment if applicable. I personally use two external hard drives.

Section 6 SSLF Windows 7 Customized Security Baseline

All of these will need to be changed using Group Policy Editor (gpedit.msc). Please note that you will find you have already performed some of these options above; there is a little overlap, though I kept them all here for completeness.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
  Minimum password length = 15

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Interactive logon: Do not display last user name = enabled
  User Account Control: Virtualize file and registry write failures to per-user locations = enabled
  User Account Control: Only elevate UIAccess applications that are installed in secure locations = enabled
  User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials on the secure desktop
  User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop
  MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) = enabled
  Shutdown: Allow system to be shut down without having to log on = enabled
  Interactive logon: Do not require CTRL+ALT+DEL = disabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
  Bypass traverse checking = Users, Network Service, Local Service, Administrators
  Allow log on locally = Administrators, Users

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\
  Require trusted path for credential entry = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Interactive logon: Do not require CTRL+ALT+DEL = Disabled

Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\
  Turn off Autoplay = enabled
  Turn off Autoplay = All drives
  Default behavior for AutoRun = Do not execute any autorun commands
  Turn off Autoplay for non-volume devices = enabled

Computer Configuration\Administrative Templates\Windows Components\NetMeeting\
  Disable remote Desktop Sharing = enabled

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
  Turn off the Windows Messenger Customer Experience Improvement Program = enabled
  Turn off Help and Support Center "Did you know?" content = enabled
  Turn off Windows Customer Experience Improvement Program = enabled

Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\
  Turn off Microsoft Peer-to-Peer Networking Services = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Interactive logon: Smart card removal behavior = Lock Workstation
  Accounts: Guest account status = Disabled
  Accounts: Rename administrator account = Not Defined
  Accounts: Rename guest account = Not Defined

Computer Configuration\Administrative Templates\Windows Components\Windows Mail\
  Turn off the communities features = enabled
  Turn off Windows Mail application = enabled

Computer Configuration\Administrative Templates\System\Remote Assistance\
  Solicited Remote Assistance = disabled

Computer Configuration\Administrative Templates\Windows Components\HomeGroup\
  Prevent the computer from joining a homegroup = enabled

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\
  Windows Firewall: Public: Allow unicast response = No

User Configuration\Administrative Templates\Control Panel\Personalization\
  Password protect the screen saver = enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) = 0
  Interactive logon: Display user information when the session is locked = Enable
  System cryptography: Force strong key protection for user keys stored on the computer = Enable
  User Account Control: Behavior of the elevation prompt for standard users = Automatically deny elevation requests

Computer Configuration\Administrative Templates\Windows Components\Windows Installer\
  Always install with elevated privileges = Disabled

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\
  Turn off downloading of print drivers over HTTP = Enabled

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
  Shutdown: Clear virtual memory pagefile = Enable

Section 7 Privacy hardening

Here, if you wish, you can disable logging of events. I have listed the values that are turned on by default as of Windows 7 SP1; these can be useful to determine attack vectors or for troubleshooting, though if you wish you can go dark by changing the following. (Please note you may cause some applications that rely on generating bug reports to "hang up".)

  Audit Policy: System: Other System Events = No Auditing
  Audit Policy: Logon-Logoff: Logon = No Auditing
  Audit Policy: System: Security State Change = No Auditing
  Audit Policy: Logon-Logoff: Special Logon = No Auditing
  Audit Policy: System: System Integrity = No Auditing
  Audit Policy: Account Management: Security Group Management = No auditing
  Audit Policy: Logon-Logoff: Account Lockout = No auditing
  Audit Policy: Policy Change: Audit Policy Change = No auditing
  Audit Policy: Policy Change: Authentication Policy Change = No auditing
  Audit Policy: Logon-Logoff: Logoff = No auditing
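The baseline above is written as gpedit.msc paths. The following added example (not from the original guide) checks a subset of the Section 4 and Section 6 settings through the registry values that back those policies, so you can confirm a machine matches before and after applying the baseline. The policy-to-registry mappings are standard Windows ones supplied here, not something the guide lists; the standard-user UAC prompt is left out because the baseline gives it two different values.

```powershell
# Added example, not from the original guide: read-only check of a subset of the
# Section 4 and Section 6 settings through the registry values that back them.
# Assumes an elevated PowerShell on Windows 7. The policy-to-registry mappings are
# the standard Windows ones (supplied here, not listed in the guide).

$sys  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$expl = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$sm   = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"

# Each row: setting as worded in the baseline, registry key, value name, expected DWORD.
$checks = @(
    @("Interactive logon: Do not display last user name = enabled",       $sys,  "DontDisplayLastUserName",    1),
    @("Interactive logon: Do not require CTRL+ALT+DEL = disabled",        $sys,  "DisableCAD",                 0),
    @("UAC: Virtualize file and registry write failures = enabled",       $sys,  "EnableVirtualization",       1),
    @("UAC: Only elevate UIAccess apps in secure locations = enabled",    $sys,  "EnableSecureUIAPaths",       1),
    @("UAC: Admin prompt = prompt for consent on the secure desktop",     $sys,  "ConsentPromptBehaviorAdmin", 2),
    @("Shutdown: Allow shutdown without having to log on = enabled",      $sys,  "ShutdownWithoutLogon",       1),
    @("Turn off Autoplay = All drives",                                   $expl, "NoDriveTypeAutoRun",         255),
    @("Default behavior for AutoRun = Do not execute any autorun",        $expl, "NoAutorun",                  1),
    @("MSS: SafeDllSearchMode = enabled",                                 $sm,   "SafeDllSearchMode",          1),
    @("Shutdown: Clear virtual memory pagefile = Enable",                 "$sm\Memory Management", "ClearPageFileAtShutdown", 1),
    @("Network access: No anonymous enumeration of SAM/shares = Enabled", "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 1),
    @("Windows Installer: Always install with elevated privileges = Disabled", "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer", "AlwaysInstallElevated", 0),
    @("Section 4: IPv6 disabled via DisabledComponents",                  "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters", "DisabledComponents", 255)
)

$results = foreach ($c in $checks) {
    $setting, $key, $valueName, $expected = $c
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        # Value absent: the policy is Not Configured and the OS default applies,
        # which is not necessarily the baseline value; look it up rather than assume.
        $actual = "(not set)"; $status = "NOT SET"
    } else {
        $actual = $item.$valueName
        $status = if ($actual -eq $expected) { "OK" } else { "MISMATCH" }
    }
    New-Object PSObject -Property @{ Status = $status; Setting = $setting; Expected = $expected; Actual = $actual }
}

$results | Format-Table Status, Setting, Expected, Actual -AutoSize
$ok = @($results | Where-Object { $_.Status -eq "OK" }).Count
"{0} of {1} checked settings match the baseline" -f $ok, $checks.Count
```

Unchecking the IPv6 box on an adapter does not write DisabledComponents, so that row reports NOT SET unless you used the registry method from Section 4.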

Additional computing habits to keep in mind:

Encrypt all data transmitted over your network. Data transmitted over a network, whether wired or wireless, is susceptible to passive monitoring. Whenever practical solutions for encrypting such data exist, they should be applied. Even if data is expected to be transmitted only over a local area network, it should still be encrypted.

Minimize the amount of software installed and running in order to minimize vulnerability. This should be self-explanatory: only allow software you use to run in your Windows environment, and uninstall or disable any programs or services that are not in use or pose a security risk.

Enable security-enhancing software and tools whenever available. (Many of these will be touched on below.)

Maintain user accounts. Create a good password policy and enforce its use. Delete unused user accounts.

Review system and application logs on a routine basis. Send logs to a separate hard drive location; this prevents intruders from easily avoiding detection by modifying the local logs.

Never log in directly as admin unless absolutely necessary.
