Windows 8.1 – What are Best-Practice security tweaks?

Win8fait

New Member
Member
Messages
102
Location
Santa Monica, CA
For example, back in the day with XP I was told it was wise to to go into your network adapters (both Ethernet & Wireless) and disable the NetBIOS and all IPv6 functions. It was also wise to go in and disable certain services you would never use – like Remote Desktop.

Does anyone have a link to a solid/reputable Windows 8.1 “101 security tweak article – relative to a home machine with no corporate connectivity?

Thanks!

===========================My Straw Man Inventory (What I think I may know):

- Confirm UEFI secure boot (precludes much of root kit malware)
- Enable the Ctrl-Alt-Del login option - for boot; and also challenge when machine awakens (greatly reduce (preclude?) risk of hacked remote login)
- Disable “Remote Assistance Connections to this Computer”, from System
- Create a non-Administrator user account and use that day to day for web browsing and such. Only login as Administrator when you need to (like installing apps.)
- Review Firewall settings. Delete all green “allow” rules for:
- - F5.vpn.client,
- - Juniper Networks Junos Pulse
- - CheckPoint.VPN
- - Proximity sharing over TCP
- - Remote Assistance (like 12 entries)
- - Basically everything except for “Core Networking”, and maybe Skype – FOR BOTH Inbound and Outbound rule sets.
- - I also disabled all Outbound connections for the Domain Profile, and the Public Profile – leaving the Private Profile (my profile) active for Outbound, so I can send browser requests and such. That may be too much, but Defender updates seem to work. Not sure yet if I've stiff-armed certain truly-required Windows functions.
- I assume disabling NetBIOS and IPv6 from both network adapters is no longer required for Windows 8.1 – but you know what they say about those who assume – so I did it anyway.
- I also uncheck "File Share" item on each of the Eathernet and Wireless adapters - since I don't do that.
----------
I turned OFF all “Windows Features” except .NET & Powershell 2.0 – including these:

- Internet Explorer 11 (I never use it. Firefox and Chrome only)
- Media features (I use VLC & IrfanView)
- Remote Differential Compression API Support
- Print and Document Services (both nested: Internet Printing Client & Windows Fax and Scan)
- SMB 1.0/CIFS File Sharing Support
- Windows Location Provider
- Work Folders Client
- XPS Services
- XPS Viewer
----------
Disable services (Winkey+R services.msc - NOT msconfig) - disable the following [the OEM state is listed for “roll-back” reference] (Black Viper is always the go-to guy for me for these things: » Black Viper?s Windows 8 Service Configurations) - minor variations are listed below (probably because I'm running 8.1 and his list if for 8)

- Bluetooth support services (Manual (Trigger Start)) (I don't use on my desktop)
- Certificate Propagation (Manual)
- Distributed Link Tracking Client (Automatic)
- Family Safety (Manual)
- Hyper-V Data Exchange Service (Manual (Trigger Start))
- Hyper-V Guest Service Interface (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Hyper-V Guest Shutdown Service (Manual (Trigger Start))
- Hyper-V Heartbeat Service (Manual (Trigger Start))
- Hyper-V Remote Desktop Visualization Service (Manual (Trigger Start))
- Hyper-V Time Synchronization Service (Manual (Trigger Start))
- Hyper-V Volume Shadow Copy Requester (Manual (Trigger Start))
- Microsoft iSCSI Initiator Service (Manual)
- Netlogin (Manual)
- Network Access Protection Agent (Manual)
- Offline files (Manual (Trigger Start)) - Note: on his list - not in my services - maybe I already turned that off with Features?
- Remote Access Auto Connection Manager (Manual) - Not disabled on his list? I did.
- Remote Access Connection Manager (Manual) - Not disabled on his list? I did.
- Remote Desktop Configuration (Manual) - Not disabled on his list? I did.
- Remote Desktop Services (Manual) - Not disabled on his list? I did.
- Remote Desktop Services UserMode Port Redirector (Manual) - Not disabled on his list? I did.
- Remote Procedure Call (RPC) Locator
- Secondary Logon (Manual) - Not disabled on his list? I did.
- Sensor Monitoring Service (Manual (Trigger Start))
- Smart Card Device Enumeration Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Smart Card Removal Policy (Manual)
- SNMP Trap (Manual)
- Storage Services (Manual (Trigger Start)
- Touch Keyboard and Handwriting Panel Service (Manual (Trigger Start)) - Not disabled on his list? I did.
- Windows Biometric Service (Manual)
- Windows Connect Now - Config Registrar (Manual)
- Windows Encryption Provider Host Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Windows Media Player Network Sharing Services (Manual) - Not disabled on his list? I did.
- Windows Location Framework Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Windows Remote Management (WS-Management) (Manual) - Not on Black Viper's list – 8.1 addition?


===========================End


Notes: (before any of the tweaks above)
- All Windows updates – upgraded to 8.1 – then all Windows updates again. Do all that first.
- Defender: On/Updated/Full-scan
- I also run Malwarebytes. I'm waiting a bit for a good deal from Fry's or whatever to run in the full-time "Pro" mode.
- I boot to desktop, not RT

- I log into the Lenovo Tower with “local” account – not me@windows-domain.com. Don't know if that changes anything.

Missing anything?

Differing opinions on specific things?


(Note: many individual services are user dependent. These above are the ones [I think] I don't use. All is running good so far. You must read the description of each item and decide for yourself before disabling - and it's a good idea to know what to change it back to if you need to.)

 

My Computer

System One

  • OS
    Win 8.1
    Computer type
    PC/Desktop
Nice.

Here are some links that have helped me harden my PC :

Hardening Windows 7 Guide. Part 1 | Harden Windows 7 for Security
Great guide in 4 parts, very detailed, applies mostly to win 8 too

mechBgon's guide for first-time PC builders... Best practices for ongoing security
Another great guide, maybe more accessible to regular users, be sure to check his page on SRP too

Wilders Security Forums - Powered by vBulletin
Great forums, a lot of information if you take the time to browse them

Secunia
A good site to check if your current software has any known vulnerabilities, you can also install their software to do it automatically for you

NVD - Home
The official US site, with some serious info about security

Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirement Explained : ASD Australian Signals Directorate (formerly DSD)
The same but from the australian goverment, most is easy to implement.

Bullet Proof Windows
An old blog, not recently updated, but all the info still applies
 

My Computer

System One

  • OS
    Windows 8.1 (x64)
    Computer type
    PC/Desktop
About the uninstalled windows features...

I did the same as you except I uninstalled powershell 2.0 (you can still use the regular powershell).
While I do agree that uninstalling IE if you don't use it is a good policy, I think it's better to leave it and harden it. My take on this is that IE is deeply embedded in recent windows OSes and uninstalling it actually only hides it. For example File Explorer is still tied to IE and if you disable 3rd party plugins in internet options then you won't be able to use plugins in file explorer too (thinking of classic shell for ex).
I also left XPS because it's mainly for MS documentation which I use (I don't see it supplanting PDF and becoming a vector for malicious exploits, I might be wrong).

About the services, while putting a service in manual is the safest bet (it should start by itself when needed), I went disabled for most of them, which is more secure.

Another good place to check, related to services and many autoruns is the Task Scheduler, it is highly used now in windows 7/8 (compared to win XP where I was fine disabling it). If you find 3rd party services that show up again even when disabled this is the place to check.
 

My Computer

System One

  • OS
    Windows 8.1 (x64)
    Computer type
    PC/Desktop
Best security protection are frequent images.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs
You are right that frequent images is a very good habit. Hardening your PC just makes you less susceptible to malicious software/exploits and therefore you don't need to get a clean install as often.

But if you only rely on images as security protection then you are totally open against anything that runs silently. Imagine for example that a keylogger installs, gets all your passwords (sites, banking, even your windows account password/id), and sends its on the net (bypassing your firewall) all of that without you noticing it or maybe too late...
 

My Computer

System One

  • OS
    Windows 8.1 (x64)
    Computer type
    PC/Desktop
That is a good point. Frequent scanning with good scanners helps with that.
 

My Computer

System One

  • OS
    Vista and Win7
    System Manufacturer/Model
    2xHP, 2xGateway, 1xDell, 1xSony
    Hard Drives
    5 SSDs and 12 HDs

My Computer

System One

  • OS
    Windows 10 Pro Prieview x64
    Computer type
    Laptop
    System Manufacturer/Model
    MacBook Pro Core2Duo
    CPU
    T7600
    Memory
    3
    Graphics Card(s)
    ATI Radeon X1600
    Monitor(s) Displays
    Internal
    Screen Resolution
    1440 x 800
    Hard Drives
    40GB
    Keyboard
    Apple
    Mouse
    Apple
    Internet Speed
    Varies
    Browser
    Various
    Antivirus
    Defender
you still have running server service that is not needed unless you are sharing this system resources. No need to run Computer browser and ssdp.
"Uninstalling" IE just removes user part, not the engine so box is as sensitive to IE security issues as before. If you check history of security problems with IE, then you should notice that some of the bugs did not require running internet explorer.
 

My Computer

System One

  • OS
    windows 8.1
    Computer type
    Laptop
    System Manufacturer/Model
    MSI
    CPU
    i7-4800MQ
    Memory
    32GB
    Graphics Card(s)
    nVidia GeForce GTX 770M
    Browser
    Enhanced Protected Mode IE/protected mode Firefox
    Antivirus
    nope
    Other Info
    OpenNIC/DNSCrypt/VPN/EMET
Firefox Security Tweaks

1) Type about:config into the address bar > click "I'll be careful, I promise"
2) Type Security into search > double click the following..
  • security.enable_ssl3 Value = false
  • security.enable_tls Value = true
  • security.ssl.false_start.require-forward-secrecy Value = true
  • security.ssl3.dhe_dss_des_ede3_sha Value = false
  • security.ssl3.dhe_rsa_des_ede3_sha Value = false
  • security.ssl3.ecdh_ecdsa_des_ede3_sha Value = false
  • security.ssl3.ecdh_ecdsa_rc4_128_sha Value = false
  • security.ssl3.ecdh_rsa_des_ede3_sha Value = false
  • security.ssl3.ecdh_rsa_rc4_128_sha Value = false
  • security.ssl3.ecdhe_ecdsa_des_ede3_sha Value = false
  • security.ssl3.ecdhe_ecdsa_rc4_128_sha Value = false
  • security.ssl3.ecdhe_rsa_des_ede3_sha Value = false
  • security.ssl3.ecdhe_rsa_rc4_128_sha Value = false
  • security.ssl3.rsa_des_ede3_sha Value = false
  • security.ssl3.rsa_fips_des_ede3_sha Value = false
  • security.ssl3.rsa_rc4_128_md5 Value = false
  • security.ssl3.rsa_rc4_128_sha Value = false
  • security.ssl3.rsa_seed_sha Value = false

These settings will force secure connections to use stronger encryption for added security. :D
 

My Computer

System One

  • OS
    Windows 8.1 Enterprise

My Computer

System One

  • OS
    Win 8.1
    Computer type
    PC/Desktop
force-tls, noredirect, refcontrol, requestpolicy,

Have you disabled
Server service
Computer Browser Service

if you can get good results here
IP check

and if you are not leaking DNS info here (even with VPN connection)
https://www.dns-oarc.net/oarc/services/dnsentropy

then probably you are fine in terms of browser security. Ulimately you system should be also usable, not only secured to the point of breaking everything.
Win 8.1 is my first Microsoft OS since XP (and even then I was using it only as secondary OS), but with XP I could make system partition read-only for users so never had to install anti-virus or anti-malware. I doubt that this would be possible with windows 8.
 

My Computer

System One

  • OS
    windows 8.1
    Computer type
    Laptop
    System Manufacturer/Model
    MSI
    CPU
    i7-4800MQ
    Memory
    32GB
    Graphics Card(s)
    nVidia GeForce GTX 770M
    Browser
    Enhanced Protected Mode IE/protected mode Firefox
    Antivirus
    nope
    Other Info
    OpenNIC/DNSCrypt/VPN/EMET
But I use HTTPS Everywhere. I wonder how much of the above is already taken care of with their Extension.

HTTPS Everywhere works exactly like the hosts file. It only redirects a web address to the secure version, it has no effect on the encryption chosen. :D
 

My Computer

System One

  • OS
    Windows 8.1 Enterprise
I could make system partition read-only for users so never had to install anti-virus or anti-malware..
Really? Do you mean you made the C:/Windows directory read only? Or all of it including users directories, ProgramData etc? And it worked? It is not the only Windows directory that viruses and malware attack of course.

I doubt that this would be possible with windows 8.
I agree. I doubt it would be possible with XP. Or any OS at all unless you are thinking of some kind of live CD. Your users could not update the registry for the current user for example or did you somehow move it to another partition? At the very least they would need read/execute for OS programs. Read only simply would not work.

Nice links though although Tor beats JonDonym if you are really worried about that sort of thing IMO :)
 

My Computer

System One

  • OS
    Windows 10 Pro Prieview x64
    Computer type
    Laptop
    System Manufacturer/Model
    MacBook Pro Core2Duo
    CPU
    T7600
    Memory
    3
    Graphics Card(s)
    ATI Radeon X1600
    Monitor(s) Displays
    Internal
    Screen Resolution
    1440 x 800
    Hard Drives
    40GB
    Keyboard
    Apple
    Mouse
    Apple
    Internet Speed
    Varies
    Browser
    Various
    Antivirus
    Defender
You are correct this was not read-only setup, rather unix like approach.
unix user can read or execute program but not write or modify and in some instances even list directory content. That is what I did with XP. User had read-only access to allowed folders and execute rights to exe files but write or modify attributes set to deny. The real problem was with registry to fix that I used regmon from sysinternals.

Not sure at what Tor beats Jon Donym but Tor does not have an way of testing browser so for this specific purpose JonDonym beats Tor.
 

My Computer

System One

  • OS
    windows 8.1
    Computer type
    Laptop
    System Manufacturer/Model
    MSI
    CPU
    i7-4800MQ
    Memory
    32GB
    Graphics Card(s)
    nVidia GeForce GTX 770M
    Browser
    Enhanced Protected Mode IE/protected mode Firefox
    Antivirus
    nope
    Other Info
    OpenNIC/DNSCrypt/VPN/EMET
@Michal – I disabled my [Server] service, but do not have a [Computer Browser] service. Perhaps disabling IE took that away.

force-tls, noredirect, refcontrol, requestpolicy – wow, so adding/running all of these add-ons at the same time (along with HTTPS-everywhre & NoScripts)... The idea seems sound to me of disabling OEM functions, but ADDING scripts and whatnot to a browser from others... are all of those “open source” and more or less verified? (I'm an idiot – I apologize in advance.)

This is an experimental machine anyway. Zero banking/finance/etc. I'm all-in to try this stuff. But I'm taking off in a few hours for a huge trip. Will have to reply/recon all this in a few weeks.


@ectech – I'm going to run every one of those Firefox security tweaks too, when I get back!

Thank you both for contributing!
 

My Computer

System One

  • OS
    Win 8.1
    Computer type
    PC/Desktop
Computer Browser service is needed for browsing/announcing workgroups and domains so you can see shared resources. It has nothing to do with Internet Explorer.

Computer Browser Service is gone from your services list because you had to disable Client for Microsoft Networks.

As I mentioned though you did not remove IE from your computer, you just disabled IE accessibility for the user.


Browser add-ons that I listed are verified by Mozilla, these are as trustworthy as HTTPS-everywhere - which on the other hand - is not verified by Mozilla, source code can be stolen from developer and modified to the whishes of bad guys. Bigger names (and more trustworthy) got servers broken. So all is up to you whom do you trust.
I use all of these including HTTPS-everywhere. Never had any problems with banking, stolen credit cards info or any of important personal information.
 

My Computer

System One

  • OS
    windows 8.1
    Computer type
    Laptop
    System Manufacturer/Model
    MSI
    CPU
    i7-4800MQ
    Memory
    32GB
    Graphics Card(s)
    nVidia GeForce GTX 770M
    Browser
    Enhanced Protected Mode IE/protected mode Firefox
    Antivirus
    nope
    Other Info
    OpenNIC/DNSCrypt/VPN/EMET

My Computer

System One

  • OS
    Windows 10 Pro Prieview x64
    Computer type
    Laptop
    System Manufacturer/Model
    MacBook Pro Core2Duo
    CPU
    T7600
    Memory
    3
    Graphics Card(s)
    ATI Radeon X1600
    Monitor(s) Displays
    Internal
    Screen Resolution
    1440 x 800
    Hard Drives
    40GB
    Keyboard
    Apple
    Mouse
    Apple
    Internet Speed
    Varies
    Browser
    Various
    Antivirus
    Defender
of course, good firewall is important. Remember though that good bad software can get easily around it by using legitimate traffic. There is a lot of information about this issue on the net.
 

My Computer

System One

  • OS
    windows 8.1
    Computer type
    Laptop
    System Manufacturer/Model
    MSI
    CPU
    i7-4800MQ
    Memory
    32GB
    Graphics Card(s)
    nVidia GeForce GTX 770M
    Browser
    Enhanced Protected Mode IE/protected mode Firefox
    Antivirus
    nope
    Other Info
    OpenNIC/DNSCrypt/VPN/EMET
Back
Top