
How-to Install & Configure Windows 7, Security Guide

Discussion in 'General Security' started by machv, Oct 17, 2011.

Thread Status:
Not open for further replies.
  1. machv

    machv Thread Starter

    May 23, 2009
    I have done a bit of searching through this site for a guide on how to install Windows 7 as safely as possible and have not been able to find one. Regarding minimizing the chances of a reinfection from either a backup or from neglecting to include something during initial setup or from transferring files/folders etc... when upgrading a HDD or buying a new system. I would like to put one together for myself and other users of this site. Starting from the initial formatting of the HDD and install with updates. Then onto a software priority list, i.e., AV or antispyware, yada yada yada...


    P.S. I am going to add a reply for the list that I can edit as either new or added info arises.
  2. machv

    machv Thread Starter

    May 23, 2009

    1. Install OS
    2. (install updates or av?)
    3. ???
  3. lunarlander


    Sep 21, 2007
    For security, I focus on free preventative measures and technologies. My install notes are quite long, here's a condensed summary.

    0- Disconnect from the internet. Install Windows and Service Pack. Find out how to do points 1-3 because they need to be applied before connecting to the internet.

    1- Disable most listening ports
    This is an issue that deals with Windows' network facing code. A listening port may not have issues today, but may reveal vulnerabilities tomorrow. And blackhats don't release their findings like whitehats do, so there are some vulnerabilities that won't get patched for a long time. So, if it is not necessary, it is disabled. Doing a 'netstat -anb' will show you the listening ports and Google will tell you how to close them. Note that in Windows 7, port 135 cannot be disabled, thus you have to add a rule to the firewall to block incoming traffic to that port.

    2- Disable unneeded Network protocols.
    In the window where it lists 'Client for MS Networks, QoS Packet Scheduler, File and Printer Sharing, IPv6, IPv4' etc. The only protocol you need is IPv4. The rest can be unchecked. Inside IPv4 properties, Advanced button, also disable NetBIOS over TCP/IP. If you don't have a router and connect your PC directly to the modem, this step must be done.

    3- Set Network to Public profile.

    4- Connect to the internet and do Windows Update and install Secunia's PSI.
    Of course Windows Update is a must-do item, you should do it now. Then install Secunia's PSI (free), it is a lifesaver because it informs you of security patches that are released. All software that takes input from the net or takes input from downloaded stuff needs to be up to date and patched. That includes browsers, plugins, Flash, Acrobat Reader, music players etc.

    - Do NOT surf while doing Windows Update. Your browser is not secure yet.

    5- Install Antivirus, anti-spyware, and anti-malware
    I think everybody in this forum has these 3 covered, so no need to explain.

    6- Now install all your applications. Then scan your backup documents, photos and music, and bring them over.

    - Don't pirate software.
    Hackers are the ones releasing pirated software, keygens and cracks; and they want their share of your PC.

    7- Hardening.
    Following the security principle of configuring for least privilege/minimal necessary functionality, one should disable a lot of unneeded features that are either not used in your network or not used personally. So things like file and printer sharing, IPv6, Windows Meeting Space, network discovery protocols are gone. Eliminating them makes for a smaller attack surface. The more you have enabled, the more the hackers have to play with. And one vulnerable spot is all it takes for a hacker to gain entry. Least privilege means you are only authorized to run the things you absolutely need and no more. So you ACL away your rights to run utilities like the command line FTP program because you never use it. When you get hacked, the attacker gains all the privileges you have currently, and he can do (and only do) what you can do. So if you can't run FTP, neither can he, and he can't bring over his tools from his command prompt.

    8- Firewall
    Set Windows 7's firewall properties to block outbound and only programs you recognize are allowed out (things like Windows Update, antivirus updaters and browsers). Extraneous rules like those for Network Discovery, Remote Assistance and Core Networking IPv6 related rules are disabled. The settings are in Control Panel > Administrative Tools > Windows Firewall with Advanced Security.

    9- EMET (Enhanced Mitigation Experience Toolkit)
    A free MS product that configures your system to be less exploitable. The install includes a user guide that explains what it does in detail.

    10- Configure Firefox browser to use protected mode.
    See this article: http://www.victorc.org/2008/03/internet-explorer-7-protected-mode-vs.html

    11- Group policy and Local Security Policy
    Lots of security settings in these two. MS has a set of documents called "Security Compliance Manager" ( previously called Security Guide ) that tells you what each setting does. Lots of reading to do on this one, but it is worth it. You need Windows 7 Professional or higher to utilize this.

    12- Disable unneeded services
    Again here is where you minimize the attack surface. Things like IP Helper (IPv6 tunneling), remote registry and secondary logon, I turn off. See blackviper.com for his explanation of what each service does. Examine services that react to network, and turn them off if not needed.

    13- Create and use a standard user account
    Standard/limited user accounts don't have the privileges necessary to modify the system. It can save you from some malware corrupting your system because malware on arrival gets the same rights as your current account. And if you are using a standard account, then they can't make system modifications.

    14- Enable Software Restriction Policy in Local Security Policies, if you have Windows 7 Professional or above. This will stop unauthorized apps from running, and will stop things from installing unbeknown to you.

    15- Having a router or hardware firewall.
    The software firewall is primarily for controlling outbound traffic, because it knows the applications. The perimeter firewall (router or hardware firewall) drops unwelcome incoming packets. Install a router for each zone - so your DMZ, internal network, and extranet each have its own router.

    16- Network Intrusion Detection System
    Install one if you have an old PC lying around. Snort is a Linux based IDS and it's free. You need either a hub or a switch with a mirror port so it can see all network traffic. It will detect malicious network traffic, and has alerted me to trouble a couple of times (e.g. my housemate's PC is sending out backdoor traffic).

    17- Security as an ongoing process.
    Some mistakenly assume that installing the 3 anti-x will keep you safe. Security is prevention, deter, deny, detect and then delay.
    . Regular runs of scanner apps are a must-do.
    . Check the Event Viewer regularly for application hangs, windows defender alerts and other system issues. MS has a “Security Monitoring and Attack Detection Planning Guide” that tells you what events to monitor.
    . Monitor your other logs, like your firewall and IDS logs.
    . Visit sites like ThreatPost once a week to keep an eye out for new vulnerabilities and attack trends, then you'll at least be informed of what threats you are facing.
    . Keep a log of every time you use the admin account and what for, so you can cross check with event viewer to see that all admin logins are accounted for.

    Note: after hardening your system, you need to test all your applications to see if all still run normally. For example, some apps may not run if certain services are disabled.
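
Steps 1 and 8 of the list above can be checked mechanically. The following Python sketch is an added example, not part of lunarlander's post: it parses `netstat -anb` output, keeps only the sockets reachable from the network, and prints an inbound block rule for each port that could not be closed (as the post describes for port 135). The sample output and the rule names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `netstat -anb` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
 [mDNSResponder.exe]
  TCP    192.168.1.20:49170     203.0.113.10:443       ESTABLISHED
 [firefox.exe]
  TCP    [::]:135               [::]:0                 LISTENING
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
  UDP    [::1]:1900             *:*
 [svchost.exe]
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def exposed_listeners(netstat_text):
    """Return sorted (proto, address, port) for sockets reachable from the network."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and the owner lines that -b adds
        proto, addr, port, _foreign, state = m.groups()
        # TCP listeners say LISTENING; bound UDP sockets have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
        if ip.is_loopback:
            continue  # only reachable from this machine
        found.add((proto, str(ip), int(port)))
    return sorted(found)

def block_rules(listeners):
    """One inbound block rule per port that could not be closed (as with 135)."""
    return [f'netsh advfirewall firewall add rule name="Block {p} {n} in" '
            f"dir=in action=block protocol={p} localport={n}"
            for p, n in sorted({(p, n) for p, _a, n in listeners})]
```

Run it again after each hardening step: the list from `exposed_listeners` should shrink, and whatever remains is either something you need or something to cover with a rule from `block_rules`.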
  4. Stoner

    Stoner Banned

    Oct 26, 2002
    Thanks for the list, lunarlander.
  5. machv

    machv Thread Starter

    May 23, 2009
    WOW!!! Thanks Man I really appreciate it. TY

Short URL to this thread: https://techguy.org/1022742