Windows 8 and 8.1 Forums

Windows 8.1 – What are Best-Practice security tweaks?

  1. #1


    For example, back in the day with XP I was told it was wise to go into your network adapters (both Ethernet & Wireless) and disable the NetBIOS and all IPv6 functions. It was also wise to go in and disable certain services you would never use – like Remote Desktop.

    Does anyone have a link to a solid/reputable Windows 8.1 “101” security tweak article – relative to a home machine with no corporate connectivity?


    My Straw Man Inventory (What I think I may know):

    - Confirm UEFI secure boot (precludes much of root kit malware)
    - Enable the Ctrl-Alt-Del login option - for boot; and also challenge when machine awakens (greatly reduce (preclude?) risk of hacked remote login)
    - Disable “Remote Assistance Connections to this Computer”, from System
    - Create a non-Administrator user account and use that day to day for web browsing and such. Only login as Administrator when you need to (like installing apps.)
    - Review Firewall settings. Delete all green “allow” rules for:
      - F5.vpn.client,
      - Juniper Networks Junos Pulse
      - CheckPoint.VPN
      - Proximity sharing over TCP
      - Remote Assistance (like 12 entries)
      - Basically everything except for “Core Networking”, and maybe Skype – FOR BOTH Inbound and Outbound rule sets.
      - I also disabled all Outbound connections for the Domain Profile, and the Public Profile – leaving the Private Profile (my profile) active for Outbound, so I can send browser requests and such. That may be too much, but Defender updates seem to work. Not sure yet if I've stiff-armed certain truly-required Windows functions.
    - I assume disabling NetBIOS and IPv6 from both network adapters is no longer required for Windows 8.1 – but you know what they say about those who assume – so I did it anyway.
    - I also uncheck the "File Share" item on each of the Ethernet and Wireless adapters - since I don't do that.

    I turned OFF all “Windows Features” except .NET & Powershell 2.0 – including these:

    - Internet Explorer 11 (I never use it. Firefox and Chrome only)
    - Media features (I use VLC & IrfanView)
    - Remote Differential Compression API Support
    - Print and Document Services (both nested: Internet Printing Client & Windows Fax and Scan)
    - SMB 1.0/CIFS File Sharing Support
    - Windows Location Provider
    - Work Folders Client
    - XPS Services
    - XPS Viewer

    Disable services (Winkey+R services.msc - NOT msconfig) - disable the following [the OEM state is listed for “roll-back” reference] (Black Viper is always the go-to guy for me for these things: Black Viper's Windows 8 Service Configurations) - minor variations are listed below (probably because I'm running 8.1 and his list is for 8)

    - Bluetooth support services (Manual (Trigger Start)) (I don't use on my desktop)
    - Certificate Propagation (Manual)
    - Distributed Link Tracking Client (Automatic)
    - Family Safety (Manual)
    - Hyper-V Data Exchange Service (Manual (Trigger Start))
    - Hyper-V Guest Service Interface (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
    - Hyper-V Guest Shutdown Service (Manual (Trigger Start))
    - Hyper-V Heartbeat Service (Manual (Trigger Start))
    - Hyper-V Remote Desktop Virtualization Service (Manual (Trigger Start))
    - Hyper-V Time Synchronization Service (Manual (Trigger Start))
    - Hyper-V Volume Shadow Copy Requester (Manual (Trigger Start))
    - Microsoft iSCSI Initiator Service (Manual)
    - Netlogon (Manual)
    - Network Access Protection Agent (Manual)
    - Offline files (Manual (Trigger Start)) - Note: on his list - not in my services - maybe I already turned that off with Features?
    - Remote Access Auto Connection Manager (Manual) - Not disabled on his list? I did.
    - Remote Access Connection Manager (Manual) - Not disabled on his list? I did.
    - Remote Desktop Configuration (Manual) - Not disabled on his list? I did.
    - Remote Desktop Services (Manual) - Not disabled on his list? I did.
    - Remote Desktop Services UserMode Port Redirector (Manual) - Not disabled on his list? I did.
    - Remote Procedure Call (RPC) Locator
    - Secondary Logon (Manual) - Not disabled on his list? I did.
    - Sensor Monitoring Service (Manual (Trigger Start))
    - Smart Card Device Enumeration Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
    - Smart Card Removal Policy (Manual)
    - SNMP Trap (Manual)
    - Storage Services (Manual (Trigger Start))
    - Touch Keyboard and Handwriting Panel Service (Manual (Trigger Start)) - Not disabled on his list? I did.
    - Windows Biometric Service (Manual)
    - Windows Connect Now - Config Registrar (Manual)
    - Windows Encryption Provider Host Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
    - Windows Media Player Network Sharing Services (Manual) - Not disabled on his list? I did.
    - Windows Location Framework Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
    - Windows Remote Management (WS-Management) (Manual) - Not on Black Viper's list – 8.1 addition?


    Notes: (before any of the tweaks above)
    - All Windows updates – upgraded to 8.1 – then all Windows updates again. Do all that first.
    - Defender: On/Updated/Full-scan
    - I also run Malwarebytes. I'm waiting a bit for a good deal from Fry's or whatever to run in the full-time "Pro" mode.
    - I boot to desktop, not RT

    - I log into the Lenovo Tower with “local” account – not Don't know if that changes anything.

    Missing anything?

    Differing opinions on specific things?

    (Note: many individual services are user dependent. These above are the ones [I think] I don't use. All is running good so far. You must read the description of each item and decide for yourself before disabling - and it's a good idea to know what to change it back to if you need to.)

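The post above lists each service's OEM start state by hand for roll-back. As an added example (not part of the original post, and not Black Viper's), this PowerShell sketch records the same information to a CSV before anything is disabled and can restore it later; the display names are a subset of the poster's list, and the `service-baseline.csv` path and both function names are assumptions made for illustration.

```powershell
# Added example: snapshot service start modes before disabling anything.
# Display names are copied from the list in the post; the CSV path is an assumption.
$targets = @(
    'Remote Desktop Services',
    'Remote Desktop Configuration',
    'Remote Desktop Services UserMode Port Redirector',
    'Remote Access Connection Manager',
    'Secondary Logon',
    'SNMP Trap',
    'Windows Remote Management (WS-Management)'
)
$baseline = Join-Path $env:USERPROFILE 'service-baseline.csv'

function Get-ServiceBaseline {
    param([string[]]$DisplayName)
    $all = Get-CimInstance -ClassName Win32_Service
    foreach ($dn in $DisplayName) {
        $svc = $all | Where-Object { $_.DisplayName -eq $dn } | Select-Object -First 1
        if ($svc) {
            [pscustomobject]@{ DisplayName = $dn; Name = $svc.Name
                               StartMode = $svc.StartMode; State = $svc.State }
        } else {
            # Absent on this install (edition difference, or removed with a Windows Feature)
            [pscustomobject]@{ DisplayName = $dn; Name = ''
                               StartMode = 'NotInstalled'; State = '' }
        }
    }
}

function Restore-ServiceBaseline {
    param([string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        # Win32_Service reports 'Auto'; Set-Service expects 'Automatic'
        $mode = switch ($row.StartMode) {
            'Auto'     { 'Automatic' }
            'Manual'   { 'Manual' }
            'Disabled' { 'Disabled' }
            default    { $null }      # NotInstalled, Boot, System: leave alone
        }
        if ($row.Name -and $mode) {
            Set-Service -Name $row.Name -StartupType $mode
        }
    }
}

# Take the snapshot once, before the first change; never overwrite it afterwards.
if (-not (Test-Path $baseline)) {
    Get-ServiceBaseline -DisplayName $targets |
        Export-Csv -Path $baseline -NoTypeInformation
}
# Roll back from an elevated prompt:  Restore-ServiceBaseline -Path $baseline
```

`StartMode` does not distinguish "Manual (Trigger Start)" from plain "Manual", so the CSV shows both as `Manual`.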

  2. #2

    Posts : 328
    Windows 8.1 (x64)


    Here are some links that have helped me harden my PC:

    Hardening Windows 7 Guide. Part 1 | Harden Windows 7 for Security
    Great guide in 4 parts, very detailed, applies mostly to win 8 too

    mechBgon's guide for first-time PC builders... Best practices for ongoing security
    Another great guide, maybe more accessible to regular users, be sure to check his page on SRP too

    Wilders Security Forums - Powered by vBulletin
    Great forums, a lot of information if you take the time to browse them

    A good site to check if your current software has any known vulnerabilities, you can also install their software to do it automatically for you

    NVD - Home
    The official US site, with some serious info about security

    Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirement Explained : ASD Australian Signals Directorate (formerly DSD)
    The same but from the Australian government, most is easy to implement.

    Bullet Proof Windows
    An old blog, not recently updated, but all the info still applies

  3. #3

    Posts : 328
    Windows 8.1 (x64)

    About the uninstalled windows features...

    I did the same as you except I uninstalled powershell 2.0 (you can still use the regular powershell).
    While I do agree that uninstalling IE if you don't use it is a good policy, I think it's better to leave it and harden it. My take on this is that IE is deeply embedded in recent windows OSes and uninstalling it actually only hides it. For example File Explorer is still tied to IE and if you disable 3rd party plugins in internet options then you won't be able to use plugins in file explorer too (thinking of classic shell for ex).
    I also left XPS because it's mainly for MS documentation which I use (I don't see it supplanting PDF and becoming a vector for malicious exploits, I might be wrong).

    About the services, while putting a service in manual is the safest bet (it should start by itself when needed), I went disabled for most of them, which is more secure.

    Another good place to check, related to services and many autoruns is the Task Scheduler, it is highly used now in windows 7/8 (compared to win XP where I was fine disabling it). If you find 3rd party services that show up again even when disabled this is the place to check.

  4. #4

    Posts : 4,514
    Vista and Win7

    The best security protection is frequent images.

  5. #5

    Posts : 328
    Windows 8.1 (x64)

    You are right that frequent images is a very good habit. Hardening your PC just makes you less susceptible to malicious software/exploits and therefore you don't need to get a clean install as often.

    But if you only rely on images as security protection then you are totally open against anything that runs silently. Imagine for example that a keylogger installs, gets all your passwords (sites, banking, even your windows account password/id), and sends it on the net (bypassing your firewall) all of that without you noticing it or maybe too late...

  6. #6

    Posts : 4,514
    Vista and Win7

    That is a good point. Frequent scanning with good scanners helps with that.

  7. #7

    ...this is going to take me some time... Thanks for the links!

    You're on a roll. I'm told:
    "You must spread some Reputation around before giving it to oneeyed again."

  8. #8

    Posts : 1,875
    Windows 10 Pro Preview x64

    Originally posted by Win8fait:
    ...this is going to take me some time... Thanks for the links!

    You're on a roll. I'm told:
    "You must spread some Reputation around before giving it to oneeyed again."
    me too

  9. #9

    Posts : 70
    windows 8.1

    You still have the Server service running, which is not needed unless you are sharing this system's resources. No need to run Computer Browser and SSDP.
    "Uninstalling" IE just removes the user part, not the engine, so the box is as sensitive to IE security issues as before. If you check the history of security problems with IE, then you should notice that some of the bugs did not require running Internet Explorer.

  10. #10

    Sounds like a plan. I disabled [SSDP Discovery] and added that to my standard build list (above). Thank you!