| Securing Windows 7 I'm finally migrating from XP Pro to Windows 7 and am interested to know what suggestions you have on how to properly tweak the OS to secure it. All I've read thus far is to utilize Windows Defender and set UAC to "always notify". I imagine that there's more to it than that.
I've had XP pretty well locked down and will apply any of the XP tweaks that still apply, which as I recall were:
- show file extensions
- disable windows scripting
- disable autorun
- disable Messenger
- disable file and print sharing
- disable remote assistance & desktop
- tweak IE security settings
- ??
I'll be migrating my various protections over to it (FF with NoScript & Adblock Plus, MWB Pro, Spyware Blaster, Spybot S&D, MVPS Hosts File, running as LUA, behind a router).
The two program changes I'm considering are to move from KAV to Avast Free or Pro and from Kerio 2.15 to Outpost Free or Online Armour Premium (if the key I obtained last year still works).
Is there also any recommended site for tweaking 7 like BlackViper's for XP Pro? |
|
PX EliezerPremium
join:2008-08-09
Hutt River
kudos:13 | BlackViper has extensive Windows7 information, just as he has for XP. |
|
| reply to red2
In addition, searching these forums will give you a lot of info. |
|
|
|
| PX Eliezer, thanks. Haven't been to Black Viper's site since he disappeared for a time. Didn't realize he had done the same for Windows 7.
GolieSkates, I did search here and didn't find much that was specific to "securing windows 7" versus other OS's such as XP. Anything specific you had in mind to look at? |
|
| reply to red2
Few notes about your XP tweaks being used on Windows 7:
said by red2 :- disable autorun
- disable Messenger
- Autorun is disabled for everything except optical drives (CD, DVD): »blogs.technet.com/b/srd/archive/···s-7.aspx
- Do you mean the Messenger service? or MSN/Windows Live Messenger? The Messenger service was disabled in Windows XP SP2 and has been removed as of Windows Vista. And the MSN/Windows Live Messenger is now part of the Windows Live suite of software. So you don't have to do anything for this in Windows 7.
said by red2 :The two program changes I'm considering are to move from KAV to Avast Free or Pro and from Kerio 2.15 to Outpost Free or Online Armour Premium (if the key I obtained last year still works).
I don't think Kerio 2.15 works under Windows 7: »Need a Win7 Kerio alternative firewall
Windows 7 offers a full firewall with inbound and outbound protection and application specific rules. You might be able to just use the built in Windows 7 firewall. Here's how to use the rules of the Win 7 firewall: »blink.ucsd.edu/technology/securi···7-a.html
--
less talk, more music |
|
| reply to red2
I like Online Armor Free over the built in Win 7 firewall. I also suggest Secunia to keep fully patched. I use Microsoft Security Essentials and am happy with it. Best not to run Windows Defender with MSE. |
|
 ZZZZZZZPremium
join:2001-05-27
PARADISE
kudos:1
 ·Shaw
| reply to red2
»www.trustware.com/BufferZone-Pro/
I have the usual defenses,hosts file,spywareblaster etc...........but I also have been using this free app for over a year now and love it.
It works as a virtual system and is very configurable ,easy to unload or surf out of the zone also...........very nice software.
--
~~Go Lions....back to back Cups!!~~ |
|
Reviews:
·Comcast
| reply to red2
I turn on UAC full blast and run as a limited user.
MS Security Essentials.
Palemoon (FireFox with Parental Controls and Redundant code removed)
AdBlock Plus, NoScript, Beef Taco, and WOT.
I also use DeepFreeze since Windows 7 does not support MS SteadyState.
And I keep a clean ghost image on hand.
Dave |
|
 planet
join:2001-11-05
Oz
kudos:1 | I use the win 7 FW with Sphinx Windows7FirewallControl:
»www.sphinx-soft.com/Vista/order.html
Been a couple yrs now. Gives you added control over inbound/outbound. |
|
| Thanks for all these suggestions.
I've been using Secunia as well as Acronis TrueImage with XP and will use them on Win 7 as well.
Since Kerio 2.15 won't work with Win 7, I'll start out with the Windows FF and then test out Online Armour and Outpost.
I will install all the XP tweaks indicated. I had disabled autorun for optical drives in XP, so I will do the same for Win 7. I manually disabled the Messenger service when I installed XP and honestly didn't notice it was effectively disabled with SP2.
So aside from the security tweaks I used for XP, and Black Viper's performance tweaks, are there NO other "security tweaks" to Win 7 as it arrives out of the box other than:
- setting UAC to always notify
- Enabliing Windows Defender
- Enabling SmartScreen Filter in IE8
?? |
|
ZZZZZZZPremium
join:2001-05-27
PARADISE
kudos:1 | quote:
- Enabliing Windows Defender
?
You mean disabling WD right?
It's a garbage app and not worth running.
--
~~Go Lions....back to back Cups!!~~ |
|
2 edits | reply to red2
A few I can think of off the top of my head:
Disable System Restore, unless you use it. It's in System Properties > System Protection, placed and controlled a little differently than under XP but it's self explanatory.
Disable Hibernation, unless you use it. Issue powercfg -h off from an administator privileged command prompt.
Enable CTRL+ALT+DEL for the logon screen: Start > type "netplwiz" in run box > Advanced tab > Secure Logon section > check "Require users to press Ctrl+Alt+Delete". Also enable a screen saver in the normal place and confirm "Upon resume, display logon screen" is checked.
Disable default administrative shares: regedit > create HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters\AutoShareWks as a DWORD type, value 0 and reboot.
Block third-party cookies in your browser's privacy settings as I have discussed here »www.scottbrownconsulting.com/200···privacy/ as a countermeasure against tracking cookies, and install MVPS HOSTS file »winhelp2002.mvps.org/hosts.htm to block ad and tracking domains.
Everyone has their own bag of tricks, it's not important that you conform to any particular set so much as that you understand your exposures and learn as much as you can.
--
Scott Brown Consulting |
|
2 edits | But really, all it takes is common sense. Do not go to shadey websites, do not open attachments from contacts who you do not trust, patch regularly, use a decent NAT router firewall, turn on Win7 firewall, and an AV.
I would also create a Windows image in case you do get bit by malware...Recommended to everyone here. Having an image and next to your PC and offsite as well is a good idea. |
|
| Slajoh01, thanks, but I've secured all my notebooks with XP Pro SP3. And I was asking what changes need to made now that I'm migrating to Win 7.
I'll have to change my FF since Kerio 2.15 is not compatible and some security tweaks I did on XP are no longer necessary on Win 7. And I was wondering if any of the out of the box security features on Win 7 need to be tweaked, such as UAC, which I have read is not as secure as it could be by default.
ZZZZ, I had meant enabling Windows Defender since a few articles suggested it. But if it's worthless, I'll disable it. |
|
| reply to red2
IMO, EMET is a worthy addition too.
»blogs.technet.com/b/srd/archive/···0-0.aspx
Anybody out there still using Belarc Advisor?
As the price of hard drives has fallen over the years ... backing up to at least one other hardware device is a good idea. True Image is excellent, but does no good if the drive fails. |
|
| tholly911,
To be more specific, I use True Image to clone my hard drive to a backup drive as well as the create images on yet a third drive. I've never liked the idea of having an image on the original drive.
More than the falling price of hard drives, I've experienced to many failing drives, even from those just sitting on my desk. |
|
Reviews:
 ·Bell Sympatico
| reply to red2
There are enhancements available for the built-in Windows Firewall to provide some traditional software firewall features (pop-up prompts, etc.).
I've been using Windows Firewall Notifier and have been satisfied.
There's also Windows Firewall Control. |
|
