Advertisement

There's no such thing as a stupid question, but they're the easiest to answer.
Login
Search

Advertisement

General Security General Security
Search Search
Search for:
Tech Support Guy > > >

How-to Install & Configure Windows 7, Security Guide


(!)

machv's Avatar
machv   (Neil) machv is offline machv has a Profile Picture
Computer Specs
Member with 347 posts.
THREAD STARTER
 
Join Date: May 2009
Location: Duncan BC Canada
Experience: Intermediate
17-Oct-2011, 06:03 PM #1
Question How-to Install & Configure Windows 7, Security Guide
I have done a bit of searching through this site for a guide on how to install Windows 7 as safely as possible and have not been able to find one. Regarding minimizing the chances of a reinfection from either a backup or from neglecting to include something during initial setup or from transferring files/folders etc... when upgrading a HDD or buying a new system. I would like to put one together for myself and other users of this site. Starting from the initial formatting of the HDD and install with updates. Then onto a softwares priority list, i.e., AV or antispyware, yada yada yada...

Thanks

P.s., I am going to add a reply fort the list that I can edit as either new ore added info arises.
machv's Avatar
machv   (Neil) machv is offline machv has a Profile Picture
Computer Specs
Member with 347 posts.
THREAD STARTER
 
Join Date: May 2009
Location: Duncan BC Canada
Experience: Intermediate
17-Oct-2011, 06:05 PM #2
Post Steps List
List:
  1. Install OS
  2. (install updates or av?)
  3. ???
lunarlander's Avatar
Computer Specs
Member with 5,585 posts.
 
Join Date: Sep 2007
17-Oct-2011, 09:34 PM #3
For security, I focus on free preventative measures and technologies. My install notes is quite long, here's a condensed summary.

0- Disconnect from the internet. Install Windows and Service Pack. Find out how to do points 1-3 because they need to be applied before connecting to the internet.

1- Disable most listening ports
This is an issue that deals with Windows' network facing code. A listening port may not have issues today, but may reveal vulnerabilities tomorrow. And blackhats don't release their findings like whitehats do, so there are some vulnerabilities that won't get patched for a long time. So, if it is not necessary, it is disabled. Doing a 'netstat -anb' will show you the listening ports and google will tell you how to close them. Note that in Windows 7, port 135 cannot be disabled, thus you have to add a rule to the firewall to block incomming traffic to that port.

2- Disable unneeded Network protocols.
In the window where it lists 'Client for MS Networks, QoS Packet Scheduler, File and Printer Sharing, IPv6, IPv4” etc. The only protocol you need is IPv4. The rest can be unchecked. Inside IPv4 properties, Advanced button, also disable NetBIOS over TCP/IP. If you don't have a router and connect your PC directly to the modem, this step must be done.

3- Set Network to Public profile.

4- Connect to the internet and do Windows Update and install Secunia's PSI.
Of course Windows Update is a must-do item, you should do it now. Then install Secunia's PSI (free), it is a lifesaver because it informs you of security patches that are released. All software that takes input from the net or take input from downloaded stuff needs to be up to date and patched. That includes browsers, plugins, Flash, Acrobat Reader, music players etc.

- Do NOT surf while doing Windows Update. Your browser is not secure yet.

5- Install Antivirus, anti-spyware, and anti-malware
I think everybody in this forum has these 3 covered, so no need to explain.

6- Now install all your applications. Then scan your backup documents, photos and music, and bring them over.

- Don't pirate software.
Hackers are the ones releasing pirated software, keygens and cracks; and they want their share of your PC.

7- Hardening.
Following the security principle of configuring for least privilege/minimal necessary functionality, One should disable a lot of unneeded features that is either not used in your network or not used personally. So things like file and printer sharing, ipv6, windows meeting space, network discovery protocols are gone. Eliminating them make for a smaller attack surface. The more you have enabled, the more the hackers have to play with. And one vulnerable spot is all it takes for a hacker to gain entry. Least privilege means you are only authorized to run the things you absolutely need and no more. So you ACL away your rights to run utilities like the command line FTP program because you never use it. When you get hacked, the attacker gains all the privileges you have currently, and he can do ( and only do ) what you can do. So if you can't run FTP, neither can he, and he can't bring over his tools from his command prompt.

8- Firewall
Set Windows 7's firewall properties to block outbound and only programs you recognize are allowed out. ( things like windows update, antivirus updaters and browsers ) Extraneous rules like those for Network Discovery, Remote Assistance and Core Networking ipv6 related rules are disabled. The settings are in Control Panel >Administrative Tools > Windows Firewall with Advanced Security.

9- EMET (Enhanced Mitigation Experience Toolkit)
A free MS product that configures your system to be less exploitable. The install includes a user guide that explains what it does in detail.

10- Configure Firefox browser to use protected mode.
See this article: http://www.victorc.org/2008/03/inter...d-mode-vs.html

11- Group policy and Local Security Policy
Lots of security settings in these two. MS has a set of documents called "Security Compliance Manager" ( previously called Security Guide ) that tells you what each setting does. Lots of reading to do on this one, but it is worth it. You need Windows 7 Professional or higher to utilize this.

12- Disable unneeded services
Again here is where you minimize the attack surface. Things like IP Helper ( ipv6 tunneling ), remote registry and secondary logon, I turn off. See blackviper.com for his explanation of what each service does. Examine services that react to network, and turn them off if not needed.

13- Create and use a standard user account
Standard/limited user accounts don't have the privileges necessary to modify the system. It can save you from some malware corrupting your system because malware on arrival gets the same rights as your current account. And if you are using a standard account, then they can't make system modifications..

14- Enable Software Restriction Policy in Local Security Policies, if you have Windows 7 Professional or above. This will stop unauthorized apps from running, and will stop things from installing unbeknown to you.

15- Having a router or hardware firewall.
The software firewall is primarily for controlling outbound traffic, because it knows the applications. The perimeter firewall ( router or hardware firewall ) drops unwelcomed incoming packets. Install a router for each zone - so your DMZ, internal network, and extranet each have it's own router.

16- Network Intrusion Detection System
Install one if you have an old PC lying around. Snort is a linux based IDS and it's free. You need either a hub or a switch with a mirror port so it can see all network traffic. It will detect malicious network traffic, and has alerted me to trouble a couple of times ( eg my housemate's pc is sending out backdoor traffic )

17- Security as a on-going process.
Some mistakenly assume that by installing the 3 anti-x will keep you safe. Security is prevention, deter, deny, detect and then delay.
. Regular runs of scanner apps is a must-do.
. Check the Event Viewer regularly for application hangs, windows defender alerts and other system issues. MS has a “Security Monitoring and Attack Detection Planning Guide” that tells you what events to monitor.
. Monitor your other logs, like your firewall and IDS logs.
. Visit sites like ThreatPost once a week to keep an eye out for new vulnerabilities and attack trends, then you'll at least be informed of what threats you are facing.
. Keep a log of every time you use the admin account and what for, so you can cross check with event viewer to see that all admin logins are accounted for.


Note: after hardening your system, you need to test all your applications to see if all still run normally. For example, some apps may not run if certain services are disabled.

Last edited by lunarlander; 18-Oct-2011 at 08:25 PM..
Stoner's Avatar
Account Disabled with 44,931 posts.
 
Join Date: Oct 2002
Location: Dayton,Oh
19-Oct-2011, 08:30 AM #4
Thanks for the list, lunarlander.
machv's Avatar
machv   (Neil) machv is offline machv has a Profile Picture
Computer Specs
Member with 347 posts.
THREAD STARTER
 
Join Date: May 2009
Location: Duncan BC Canada
Experience: Intermediate
19-Oct-2011, 12:47 PM #5
WOW!!! Thanks Man I really appreciate it. TY
As Seen On

BBC, Reader's Digest, PC Magazine, Today Show, Money Magazine
WELCOME TO TECH SUPPORT GUY!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.


Tags
backing up, fresh install, operating system, security

(clock)
THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!




Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools


WELCOME
You Are Using: Server ID
Trusted Website Back to the Top ↑