Вы находитесь на странице: 1из 16

HARDENING WINDOWS 8 AND 10

NETWORK
• Open Control Panel
• Go to Network and Sharing Center, then open
properties under Ethernet
• Disable Microsoft Network Adapter Multiplexor
Protocol, Microsoft LLDP Protocol, Link Layer
Topology Discovery I/O Driver, Link Layer Topology
Responder
SERVICES

Disable the following:


• Application Management
• BranchCache
• Certificate Propagation
• Client for NFS
• Distributed Link Tracking Client
• Family Safety (compatability stub for Vista apps)
SERVICES
Disable the following:
• Function Discovery Provider Host (HomeGroup)
• Function Discovery Resource
Publication (HomeGroup)
• HomeGroup Listener (HomeGroup)
• HomeGroup Provider (HomeGroup)
• Hyper-V Data Exchange Service (Hyper-V VM - Turn
on if feature is used)
SERVICES
Disable the following:
• Hyper-V Guest Service Interface (Hyper-V VM - Turn
on if feature is used)
• Hyper-V Guest Shutdown Service (Hyper-V VM -
Turn on if feature is used)
• Hyper-V Heartbeat Service (Hyper-V VM - Turn on if
feature is used)
• Hyper-V Remote Desktop Virtualization
Service (Hyper-V VM - Turn on if feature is used)
SERVICES
Disable the following:
• Hyper-V Time Synchronization Service (Hyper-V VM
- Turn on if feature is used)
• Hyper-V Volume Shadow Copy Requestor (Hyper-V
VM - Turn on if feature is used)
• Internet Explorer ETW Collector Service
• IP Helper
Disable the following:
• KtmRm for Distributed Transaction Coordinator (MS
recommends to stop this service if not needed)
• Link-Layer Topology Discovery Mapper (network
discovery)
• Microsoft iSCSI Initiator Service (allows LAN or
Internet based storage)
• Netlogon (Active Directory Domain Connections)
Disable the following:
• Network Access Protection Agent (reports security
configuration)
• Offline Files
• Peer Name Resolution Protocol (HomeGroup,
remote assistance)
• Peer Networking Grouping (HomeGroup, remote
assistance)
Disable the following:
• Peer Networking Identity Manager (HomeGroup,
remote assistance)
• PNRP Machine Name Publication Service (server
that responds with a machine name)
• Remote Procedure Call (RPC) Locator
• Sensor Monitoring Service (Enable if your device has
light sensors)
SERVICES
Disable the following:
• Smart Card Device Enumeration Service
• Smart Card Removal Policy
• SNMP Trap
• Storage Service
• Windows Biometric Service
• Windows Connect Now - Config Registrar (Wireless
Setup - simplified configuration)
• Windows Location Framework Service
Local Security Policy

• Go to Control Panel
• Go to Administrative Tools, then Local Security Policy
• Go to User Rights Assignment, then double click
“Deny Access o this computer from the network”
• Add users “Guests, Anonymous Logon, Administrator,
NETWORK SERVICE, SERVICE, SYSTEM, and LOCAL
SERVICE.”
Password Policy
• Double click on Account Policies under Local Security
Policy
• Double click Password Policy
• Set maximum password age to 365 days
• Set minimum password length = 12 characters
• Enable Password must need complexity
Enable Data Execution Prevention
• Right click My Computer, then click on
Properties
• Click on Advanced System Settings, then click
on Performance Settings
• Click on the Data Execution Prevention tab,
then click “Turn on DEP for all programs”
Enable Hidden Files

• Open Windows Explorer, then go to Options. Click on


change Folder and Search Options
• Place a check beside the boxes pertaining to the
following: Always show menus, Display the full path in
the title bar, Show hidden files, folders and drives
• Uncheck the boxes pertaining to: hide drives in computer
empty folder, hide folder merge conflicts, hide extensions
for known file types.
• Go back to Windows Explorer, and view again the pull
down menu; place a checkmark in the box beside File
Name Extensions and Hidden Files.
Screen Saver Enable

• Right click on Desktop and choose Personalize,


then click on Screen Saver
• Configure it to wait 10 minutes, and check
mark "On resume, display Logon screen"
Resources

• http://hardenwindows8forsecurity.com/Harde
n%20Windows%208.1%2064bit%20Home.ht
ml http://www.blackviper.com/service-
configurations/black-vipers-windows-8-1-
service-configurations/