For example, back in the day with XP I was told it was wise to go into your network adapters (both Ethernet & Wireless) and disable the NetBIOS and all IPv6 functions. It was also wise to go in and disable certain services you would never use – like Remote Desktop.
Does anyone have a link to a solid/reputable Windows 8.1 “101” security tweak article – relative to a home machine with no corporate connectivity?
===========================
My Straw Man Inventory (What I think I may know):
- Confirm UEFI secure boot (precludes much of root kit malware)
- Enable the Ctrl-Alt-Del login option - for boot; and also challenge when machine awakens (greatly reduce (preclude?) risk of hacked remote login)
- Disable “Remote Assistance Connections to this Computer”, from System
- Create a non-Administrator user account and use that day to day for web browsing and such. Only login as Administrator when you need to (like installing apps.)
- Review Firewall settings. Delete all green “allow” rules for:
- - F5.vpn.client,
- - Juniper Networks Junos Pulse
- - CheckPoint.VPN
- - Proximity sharing over TCP
- - Remote Assistance (like 12 entries)
- - Basically everything except for “Core Networking”, and maybe Skype – FOR BOTH Inbound and Outbound rule sets.
- - I also disabled all Outbound connections for the Domain Profile, and the Public Profile – leaving the Private Profile (my profile) active for Outbound, so I can send browser requests and such. That may be too much, but Defender updates seem to work. Not sure yet if I've stiff-armed certain truly-required Windows functions.
- I assume disabling NetBIOS and IPv6 from both network adapters is no longer required for Windows 8.1 – but you know what they say about those who assume – so I did it anyway.
- I also uncheck "File Share" item on each of the Ethernet and Wireless adapters - since I don't do that.
I turned OFF all “Windows Features” except .NET & Powershell 2.0 – including these:
- Internet Explorer 11 (I never use it. Firefox and Chrome only)
- Media features (I use VLC & IrfanView)
- Remote Differential Compression API Support
- Print and Document Services (both nested: Internet Printing Client & Windows Fax and Scan)
- SMB 1.0/CIFS File Sharing Support
- Windows Location Provider
- Work Folders Client
- XPS Services
- XPS Viewer
Disable services (Winkey+R services.msc - NOT msconfig) - disable the following [the OEM state is listed for “roll-back” reference] (Black Viper is always the go-to guy for me for these things: Black Viper's Windows 8 Service Configurations) - minor variations are listed below (probably because I'm running 8.1 and his list is for 8)
- Bluetooth support services (Manual (Trigger Start)) (I don't use on my desktop)
- Certificate Propagation (Manual)
- Distributed Link Tracking Client (Automatic)
- Family Safety (Manual)
- Hyper-V Data Exchange Service (Manual (Trigger Start))
- Hyper-V Guest Service Interface (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Hyper-V Guest Shutdown Service (Manual (Trigger Start))
- Hyper-V Heartbeat Service (Manual (Trigger Start))
- Hyper-V Remote Desktop Virtualization Service (Manual (Trigger Start))
- Hyper-V Time Synchronization Service (Manual (Trigger Start))
- Hyper-V Volume Shadow Copy Requester (Manual (Trigger Start))
- Microsoft iSCSI Initiator Service (Manual)
- Netlogon (Manual)
- Network Access Protection Agent (Manual)
- Offline files (Manual (Trigger Start)) - Note: on his list - not in my services - maybe I already turned that off with Features?
- Remote Access Auto Connection Manager (Manual) - Not disabled on his list? I did.
- Remote Access Connection Manager (Manual) - Not disabled on his list? I did.
- Remote Desktop Configuration (Manual) - Not disabled on his list? I did.
- Remote Desktop Services (Manual) - Not disabled on his list? I did.
- Remote Desktop Services UserMode Port Redirector (Manual) - Not disabled on his list? I did.
- Remote Procedure Call (RPC) Locator
- Secondary Logon (Manual) - Not disabled on his list? I did.
- Sensor Monitoring Service (Manual (Trigger Start))
- Smart Card Device Enumeration Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Smart Card Removal Policy (Manual)
- SNMP Trap (Manual)
- Storage Services (Manual (Trigger Start))
- Touch Keyboard and Handwriting Panel Service (Manual (Trigger Start)) - Not disabled on his list? I did.
- Windows Biometric Service (Manual)
- Windows Connect Now - Config Registrar (Manual)
- Windows Encryption Provider Host Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Windows Media Player Network Sharing Services (Manual) - Not disabled on his list? I did.
- Windows Location Framework Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Windows Remote Management (WS-Management) (Manual) - Not on Black Viper's list – 8.1 addition?
Notes: (before any of the tweaks above)
- All Windows updates – upgraded to 8.1 – then all Windows updates again. Do all that first.
- Defender: On/Updated/Full-scan
- I also run Malwarebytes. I'm waiting a bit for a good deal from Fry's or whatever to run in the full-time "Pro" mode.
- I boot to desktop, not RT
- I log into the Lenovo Tower with “local” account – not email@example.com. Don't know if that changes anything.
Differing opinions on specific things?
(Note: many individual services are user dependent. These above are the ones [I think] I don't use. All is running good so far. You must read the description of each item and decide for yourself before disabling - and it's a good idea to know what to change it back to if you need to.)
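
Added example (not part of the original post): a read-only PowerShell audit that reports the current state of several settings named above and saves the service start modes as a roll-back record. The service short names are this example's mapping of the post's display names, and the CSV file name is arbitrary.

```powershell
# Read-only audit; changes nothing. Run elevated in PowerShell 4.0 on Windows 8.1.
# Key = service short name (this example's mapping of the post's display names).
# Value = OEM start mode the post records for roll-back.
$oem = [ordered]@{
    TermService  = 'Manual'     # Remote Desktop Services
    SessionEnv   = 'Manual'     # Remote Desktop Configuration
    UmRdpService = 'Manual'     # Remote Desktop Services UserMode Port Redirector
    RasMan       = 'Manual'     # Remote Access Connection Manager
    WinRM        = 'Manual'     # Windows Remote Management (WS-Management)
    seclogon     = 'Manual'     # Secondary Logon
    SNMPTRAP     = 'Manual'     # SNMP Trap
    TrkWks       = 'Automatic'  # Distributed Link Tracking Client
}
$report = foreach ($name in $oem.Keys) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    [pscustomobject]@{
        Service   = $name
        StartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        State     = if ($svc) { $svc.State } else { '-' }
        OemMode   = $oem[$name]
    }
}
$report | Format-Table -AutoSize | Out-Host
# Keep a copy so every change can be rolled back.
$report | Export-Csv -Path .\service-baseline.csv -NoTypeInformation

# Secure Boot: the cmdlet throws on legacy-BIOS systems, so catch that case.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: not available (legacy BIOS, unsupported, or not elevated)" }

# Firewall defaults per profile, then enabled inbound allow rules by group.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction | Out-Host
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Group-Object DisplayGroup | Sort-Object Count -Descending |
    Select-Object Count, Name | Out-Host

# Adapter bindings: IPv6 (ms_tcpip6) and File and Printer Sharing (ms_server).
Get-NetAdapterBinding -ComponentID ms_tcpip6, ms_server |
    Select-Object Name, ComponentID, Enabled | Out-Host

# NetBIOS over TCP/IP per adapter: 0 = DHCP default, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, TcpipNetbiosOptions | Out-Host

# SMB 1.0/CIFS optional feature state.
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State | Out-Host
```

Running it once before and once after the tweaks gives a before/after comparison; `Win32_Service` reports an automatic start mode as `Auto`.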