Windows 8.1 – What are Best-Practice security tweaks?

I was asking, not saying, mate. Your IPcheck link got me worried (slightly - I need to check it properly).

The OP was concerned about best practice for security. I'm not sure if privacy and security are the same thing. Please tell me if I'm going off on a tangent, but I am quite interested in both.

There is a lot of information about this issue on the net.

Can you give a link, as I'm now worried I've missed something here? Is the fact you know my name (adam), my address (France) and the IP my ISP gives me (whatever, no point posting it) sufficient for you (or another) to somehow do something I'd rather you didn't?


Yikes.
 

My Computer

System One

  • OS
    Windows 10 Pro Prieview x64
    Computer type
    Laptop
    System Manufacturer/Model
    MacBook Pro Core2Duo
    CPU
    T7600
    Memory
    3
    Graphics Card(s)
    ATI Radeon X1600
    Monitor(s) Displays
    Internal
    Screen Resolution
    1440 x 800
    Hard Drives
    40GB
    Keyboard
    Apple
    Mouse
    Apple
    Internet Speed
    Varies
    Browser
    Various
    Antivirus
    Defender
Well, I am not an expert, nor do I pretend to be. For me security and privacy are to an extent quite related: whatever trace I leave, it would be easier to get to my system.
I don't think that you can get completely stealthy and at the same time use the internet efficiently, but you can make it more difficult to identify your OS and in effect what weaknesses it may have that are exploitable.
I fixed the DNS leak, and the Firefox setup that I use gives good results on the IP Check site with the exception of the HTTP session. This can be fixed only with JonDonym, or in part with the Tor browser. At least I did not find a way around this issue without Tor or JonDonym.
 

My Computer

System One

  • OS
    windows 8.1
    Computer type
    Laptop
    System Manufacturer/Model
    MSI
    CPU
    i7-4800MQ
    Memory
    32GB
    Graphics Card(s)
    nVidia GeForce GTX 770M
    Browser
    Enhanced Protected Mode IE/protected mode Firefox
    Antivirus
    nope
    Other Info
    OpenNIC/DNSCrypt/VPN/EMET
I have also deleted some Windows startup tasks from Task Scheduler, which most people do not even know about.
They start processes like taskhost.exe and taskhostex.exe, mostly related to customer experience reporting.
I deleted them, because when disabled, they re-enable themselves. But you might want to disable them at first.

Code:
\Microsoft\Windows\AppID - SmartScreenSpecific
\Microsoft\Windows\Application Experience - AitAgent / ProgramDataUpdater / StartupAppTask
\Microsoft\Windows\Autochk - Proxy
\Microsoft\Windows\Customer Experience Improvement Program - BthSQM / Consolidator / KernelCeipTask / Uploader / UsbCeip
\Microsoft\Windows\Defrag - ScheduledDefrag
\Microsoft\Windows\DiskDiagnostic - Microsoft-Windows-DiskDiagnosticDataCollector
\Microsoft\Windows\File Classification Infrastructure - Property Definition Sync
\Microsoft\Windows\IME - SQM data sender
\Microsoft\Windows\MobilePC - HotStart
\Microsoft\Windows\Maintenance - WinSAT
\Microsoft\Windows\Multimedia - SystemSoundsService
\Microsoft\Windows\NetCfg - BindingWorkItemQueueHandler
\Microsoft\Windows\Offline Files - Background Synchronization
\Microsoft\Windows\PerfTrack - BackgroundConfigSurveyor
\Microsoft\Windows\PI - Sqm-Tasks
\Microsoft\Windows\RAC - RacTask
\Microsoft\Windows\SettingSync - BackupTask / NetworkStateChangeTask
\Microsoft\Windows\Shell - FamilySafetyRefresh
\Microsoft\Windows\SkyDrive - Idle / Sync Maintenance Task / Routine Maintenance Task
\Microsoft\Windows\TextServicesFramework - MsCtfMonitor
\Microsoft\Windows\TPM - Tpm-Maintenance
\Microsoft\Windows\User Profile Service - HiveUploadTask
\Microsoft\Windows\WDI - ResolutionHost (Disable)
\Microsoft\Windows\Windows Error Reporting - QueueReporting
\Microsoft\Windows\WindowsBackup - ConfigNotification
\Microsoft\Windows\Wininet - CacheTask
\Microsoft\Windows\WS - Badge Update License / License Validation / ValidationWSRefreshBannedAppsListTask / WSTask
 

My Computer

System One

  • OS
    Win 8.1.1 Pro x64
    Computer type
    Laptop
    System Manufacturer/Model
    Lenovo E525
    CPU
    AMD A4-3300M @ 2,0GHz
    Memory
    6GB DDR3 1333MHz
    Graphics Card(s)
    AMD Radeon HD 6480G 512MB shared
    Sound Card
    Creative Sound Blaster X-Fi Surround 5.1
    Screen Resolution
    1366x768
    Hard Drives
    WD 465GB
    Cooling
    Fusion Tweaker
    Keyboard
    Logitech K360
    Mouse
    Logitech M705
    Internet Speed
    50/50 MBps
    Browser
    Yandex
    Antivirus
    No AV & No Firewall
    Other Info
    Headphones: Sennheiser RS170
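The post above lists the tasks by folder and name but leaves you to find and remove them by hand. As an added example (not code from the thread or from Microsoft), here is a PowerShell script that parses that same "folder - task / task" listing, records each task's current state so it can be rolled back, and disables rather than deletes the tasks when run with -Apply. It assumes Windows 8.1 with the built-in ScheduledTasks module and an elevated prompt; the -Apply switch, the $StateFile path and the shortened listing are this example's own choices.

```powershell
# Added example: audit/disable the telemetry-related scheduled tasks from the post above,
# keeping a roll-back record. Assumes Windows 8.1, elevated PowerShell, ScheduledTasks module.
param(
    [switch]$Apply,                                              # without it, report only
    [string]$StateFile = "$env:USERPROFILE\task-state-backup.csv"  # example's own choice
)

# Constructed subset of the post's listing, in its "folder - task / task" form; extend as needed.
$listing = @'
\Microsoft\Windows\AppID - SmartScreenSpecific
\Microsoft\Windows\Application Experience - AitAgent / ProgramDataUpdater / StartupAppTask
\Microsoft\Windows\Customer Experience Improvement Program - BthSQM / Consolidator / KernelCeipTask / Uploader / UsbCeip
\Microsoft\Windows\Windows Error Reporting - QueueReporting
'@

# Split each line at the first " - " into a folder and one or more task names.
$targets = foreach ($line in $listing -split "`r?`n") {
    if ($line -notmatch '^(\S.*?) - (.+)$') { continue }
    $folder = $Matches[1].TrimEnd('\') + '\'     # Get-ScheduledTask expects a trailing backslash
    foreach ($name in $Matches[2] -split ' / ') {
        [pscustomobject]@{ TaskPath = $folder; TaskName = $name.Trim() }
    }
}

$report = foreach ($t in $targets) {
    $task = Get-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName -ErrorAction SilentlyContinue
    if (-not $task) {
        # Not every task exists on every edition/build; record that rather than failing.
        [pscustomobject]@{ TaskPath = $t.TaskPath; TaskName = $t.TaskName; State = 'NotPresent'; Action = 'none' }
        continue
    }
    $before = $task.State
    $action = 'reported'
    if ($Apply -and $before -ne 'Disabled') {
        # Disable instead of Unregister so the task can be restored with Enable-ScheduledTask.
        $task | Disable-ScheduledTask | Out-Null
        $action = 'disabled'
    }
    [pscustomobject]@{ TaskPath = $t.TaskPath; TaskName = $t.TaskName; State = $before; Action = $action }
}

# The pre-change state is the roll-back record.
$report | Export-Csv -NoTypeInformation -Path $StateFile
$report | Format-Table -AutoSize
```

Run it once without -Apply to see what is present and in which state, then with -Apply. To roll back, read the CSV and call Enable-ScheduledTask for every row whose recorded State was not already Disabled. Because the post notes that some of these tasks re-enable themselves, re-running the report mode after a few days is a cheap way to check whether that happened.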
This AWESOME...

For example, back in the day with XP I was told it was wise to go into your network adapters (both Ethernet & Wireless) and disable the NetBIOS and all IPv6 functions. It was also wise to go in and disable certain services you would never use – like Remote Desktop. Does anyone have a link to a solid/reputable Windows 8.1 “101 security tweak” article – relative to a home machine with no corporate connectivity? Thanks!

===========================
My Straw Man Inventory (What I think I may know):
- Confirm UEFI secure boot (precludes much of root kit malware)
- Enable the Ctrl-Alt-Del login option - for boot; and also challenge when machine awakens (greatly reduce (preclude?) risk of hacked remote login)
- Disable “Remote Assistance Connections to this Computer”, from System
- Create a non-Administrator user account and use that day to day for web browsing and such. Only login as Administrator when you need to (like installing apps.)
- Review Firewall settings. Delete all green “allow” rules for:
  - F5.vpn.client
  - Juniper Networks Junos Pulse
  - CheckPoint.VPN
  - Proximity sharing over TCP
  - Remote Assistance (like 12 entries)
  - Basically everything except for “Core Networking”, and maybe Skype – FOR BOTH Inbound and Outbound rule sets.
  - I also disabled all Outbound connections for the Domain Profile, and the Public Profile – leaving the Private Profile (my profile) active for Outbound, so I can send browser requests and such. That may be too much, but Defender updates seem to work. Not sure yet if I've stiff-armed certain truly-required Windows functions.
- I assume disabling NetBIOS and IPv6 from both network adapters is no longer required for Windows 8.1 – but you know what they say about those who assume – so I did it anyway.
- I also uncheck the "File Share" item on each of the Ethernet and Wireless adapters - since I don't do that.

----------
I turned OFF all “Windows Features” except .NET & Powershell 2.0 – including these:
- Internet Explorer 11 (I never use it. Firefox and Chrome only)
- Media features (I use VLC & IrfanView)
- Remote Differential Compression API Support
- Print and Document Services (both nested: Internet Printing Client & Windows Fax and Scan)
- SMB 1.0/CIFS File Sharing Support
- Windows Location Provider
- Work Folders Client
- XPS Services
- XPS Viewer

----------
Disable services (Winkey+R services.msc - NOT msconfig) - disable the following [the OEM state is listed for “roll-back” reference] (Black Viper is always the go-to guy for me for these things: » Black Viper's Windows 8 Service Configurations) - minor variations are listed below (probably because I'm running 8.1 and his list is for 8):
- Bluetooth support services (Manual (Trigger Start)) (I don't use on my desktop)
- Certificate Propagation (Manual)
- Distributed Link Tracking Client (Automatic)
- Family Safety (Manual)
- Hyper-V Data Exchange Service (Manual (Trigger Start))
- Hyper-V Guest Service Interface (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Hyper-V Guest Shutdown Service (Manual (Trigger Start))
- Hyper-V Heartbeat Service (Manual (Trigger Start))
- Hyper-V Remote Desktop Virtualization Service (Manual (Trigger Start))
- Hyper-V Time Synchronization Service (Manual (Trigger Start))
- Hyper-V Volume Shadow Copy Requester (Manual (Trigger Start))
- Microsoft iSCSI Initiator Service (Manual)
- Netlogon (Manual)
- Network Access Protection Agent (Manual)
- Offline files (Manual (Trigger Start)) - Note: on his list - not in my services - maybe I already turned that off with Features?
- Remote Access Auto Connection Manager (Manual) - Not disabled on his list? I did.
- Remote Access Connection Manager (Manual) - Not disabled on his list? I did.
- Remote Desktop Configuration (Manual) - Not disabled on his list? I did.
- Remote Desktop Services (Manual) - Not disabled on his list? I did.
- Remote Desktop Services UserMode Port Redirector (Manual) - Not disabled on his list? I did.
- Remote Procedure Call (RPC) Locator
- Secondary Logon (Manual) - Not disabled on his list? I did.
- Sensor Monitoring Service (Manual (Trigger Start))
- Smart Card Device Enumeration Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Smart Card Removal Policy (Manual)
- SNMP Trap (Manual)
- Storage Services (Manual (Trigger Start))
- Touch Keyboard and Handwriting Panel Service (Manual (Trigger Start)) - Not disabled on his list? I did.
- Windows Biometric Service (Manual)
- Windows Connect Now - Config Registrar (Manual)
- Windows Encryption Provider Host Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Windows Media Player Network Sharing Services (Manual) - Not disabled on his list? I did.
- Windows Location Framework Service (Manual (Trigger Start)) - Not on Black Viper's list – 8.1 addition?
- Windows Remote Management (WS-Management) (Manual) - Not on Black Viper's list – 8.1 addition?

===========================
End Notes: (before any of the tweaks above)
- All Windows updates – upgraded to 8.1 – then all Windows updates again. Do all that first.
- Defender: On/Updated/Full-scan
- I also run Malwarebytes. I'm waiting a bit for a good deal from Fry's or whatever to run in the full-time "Pro" mode.
- I boot to desktop, not RT
- I log into the Lenovo Tower with a “local” account – not me@windows-domain.com. Don't know if that changes anything.

Missing anything? Differing opinions on specific things?

(Note: many individual services are user dependent. These above are the ones [I think] I don't use. All is running good so far. You must read the description of each item and decide for yourself before disabling - and it's a good idea to know what to change it back to if you need to.)
Thank you thank you, I have been looking for something like this for weeks to no avail, I cannot wait to implement this checklist, you rock, gracias...
 

My Computer

System One

  • OS
    windows 8.1
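The checklist quoted above is done by hand through services.msc and the firewall console, and its author stresses knowing the "roll-back" state before changing anything. As an added example (not code from the thread, from Black Viper or from Microsoft), this PowerShell script applies the services and firewall parts of that checklist the same way: it snapshots each service's start mode to a CSV before disabling it, lists the Remote Assistance / proximity-sharing allow rules before disabling them, and sets the Domain and Public profiles to block outbound while leaving Private open. It assumes Windows 8.1 with PowerShell 4 and the built-in NetSecurity module, run elevated; the -Apply switch, $RollbackFile, the rule-name patterns and the choice to disable rules rather than delete them are this example's own. The service names are Windows display names (the checklist's "Windows Media Player Network Sharing Services" is "...Service" in Windows).

```powershell
# Added example: apply the services + firewall items of the checklist with a roll-back record.
# Assumes Windows 8.1 / PowerShell 4, elevated, NetSecurity module present.
param(
    [switch]$Apply,                                                  # without it, report only
    [string]$RollbackFile = "$env:USERPROFILE\service-rollback.csv"   # example's own choice
)

# Display names from the checklist (Hyper-V guest services omitted; they only matter inside a VM).
$servicesToDisable = @(
    'Certificate Propagation', 'Distributed Link Tracking Client', 'Family Safety',
    'Microsoft iSCSI Initiator Service', 'Netlogon', 'Network Access Protection Agent',
    'Remote Access Auto Connection Manager', 'Remote Access Connection Manager',
    'Remote Desktop Configuration', 'Remote Desktop Services',
    'Remote Desktop Services UserMode Port Redirector', 'Remote Procedure Call (RPC) Locator',
    'Secondary Logon', 'Smart Card Removal Policy', 'SNMP Trap', 'Windows Biometric Service',
    'Windows Media Player Network Sharing Service', 'Windows Remote Management (WS-Management)'
)

# Win32_Service exposes StartMode (Auto/Manual/Disabled); Get-Service on 8.1 does not.
$services = Get-CimInstance Win32_Service
$rollback = foreach ($display in $servicesToDisable) {
    $svc = $services | Where-Object DisplayName -eq $display
    if (-not $svc) { Write-Warning "Not present: $display"; continue }
    [pscustomobject]@{ Name = $svc.Name; DisplayName = $display; StartMode = $svc.StartMode }
    if ($Apply -and $svc.StartMode -ne 'Disabled') {
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}
$rollback | Export-Csv -NoTypeInformation -Path $RollbackFile
$rollback | Format-Table -AutoSize

# Firewall part of the checklist: find the enabled allow rules it says to remove.
$rulePatterns = 'Remote Assistance*', 'Proximity Sharing*'
$rules = Get-NetFirewallRule -Enabled True -Action Allow |
    Where-Object { $n = $_.DisplayName; $rulePatterns | Where-Object { $n -like $_ } }
$rules | Select-Object Name, DisplayName, Direction, Profile | Format-Table -AutoSize

if ($Apply) {
    $rules | Disable-NetFirewallRule    # disable, not Remove, so Enable-NetFirewallRule restores them
    # Checklist: block outbound on Domain and Public, keep Private (the machine's own profile) open.
    Set-NetFirewallProfile -Profile Domain, Public -DefaultOutboundAction Block
    Set-NetFirewallProfile -Profile Private -DefaultOutboundAction Allow
}
```

To roll a service back, read the CSV and pass each row to Set-Service; note that Win32_Service reports "Auto" where Set-Service expects "Automatic", so map that one value. As the checklist's author says, check the description of each service before applying this on your own machine; the report mode exists so you can do exactly that.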
He is talking about backing up the whole system, like with Acronis True Image 2014.
The problem is that it backs up everything, including any hidden viruses as well.
 

My Computer

System One

  • OS
    Win 8.1.1 Pro x64
    Computer type
    Laptop
    System Manufacturer/Model
    Lenovo E525
    CPU
    AMD A4-3300M @ 2,0GHz
    Memory
    6GB DDR3 1333MHz
    Graphics Card(s)
    AMD Radeon HD 6480G 512MB shared
    Sound Card
    Creative Sound Blaster X-Fi Surround 5.1
    Screen Resolution
    1366x768
    Hard Drives
    WD 465GB
    Cooling
    Fusion Tweaker
    Keyboard
    Logitech K360
    Mouse
    Logitech M705
    Internet Speed
    50/50 MBps
    Browser
    Yandex
    Antivirus
    No AV & No Firewall
    Other Info
    Headphones: Sennheiser RS170
Wow, I failed that IP Check with flying colors! :huh:
 

My Computer

System One

  • OS
    Windows 8.1 64bit
    Computer type
    PC/Desktop
    System Manufacturer/Model
    HP h8 envy 1534
    CPU
    AMD FX-6200 (3.8GHz)
    Motherboard
    M3970AM-HP (Angelica2) (Gigabyte)
    Memory
    10GB DDR3
    Graphics Card(s)
    Eyefinity Radeon HD 7570
    Browser
    Firefox
    Antivirus
    Kaskersky Internet Security 2016
Sadly, parts of Windows have been designed in an insecure manner and are tough to harden.

An example is the rundll wrapper; anything can hide behind this, so if you allow it outbound port 80, which some legit apps request (but I haven't granted), then any rogue software using the same wrapper would get the same access. Similar story with svchost. The original intention was probably simplification, but simplifying security is not always a good idea.

I was running AppLocker on Win7 Ultimate, a great built-in security tool. For whatever reason Microsoft decided it's more important to prevent business users using consumer Windows (by disabling it) than to secure their home versions of the OS, so as such Win 8.1 Pro has no working AppLocker. The substitute is SRP, which is no longer maintained and from my experience most definitely inferior; with that said, using SRP is for sure better than no SRP or AppLocker. But it's difficult to get it to work properly with DLL enforcement due to what I think are some bugs.

A lot of problems as well are down to shoddy design by app vendors. I have 2 examples from mainstream software, Blizzard's Battle.net and Google's Chrome. Even a security app, HitmanPro, uses the same insecure system, which is what?
The system I am talking about is where apps will create temporary new executables to run tasks. In all 3 of the above examples they will create new executables for updates; I don't know why they cannot function with a permanent updater and have to create a new one for each release, but they do. In addition HitmanPro will generate a new exe in %temp% when you ask it to run a scan. I did report this to the HitmanPro dev, asking them to make the temp folder they use configurable to fix the security mess; they seemed accepting of the idea but nothing has been done. There are also vendors guilty of having executable code using ProgramData (which shouldn't be used for that purpose) as well as %userprofile%; you guessed it, Chrome is guilty again, and Battle.net also uses ProgramData. This is all important as a good SRP policy is to prevent execution from those locations, but because of these issues whitelists have to be generated, made worse by the fact they keep creating new binaries. Also of course a hassle for a firewall config which filters the apps allowed to generate internet traffic.

So recommended practices such as whitelisting the apps allowed to use the internet, locking down executable folders to read-only folders, and also locking down service creation with the same restrictions are made very difficult by these vendors, as well as by Microsoft not allowing consumers to use AppLocker. A decent AppLocker config will beat the vast majority of anything that third-party software can do; your system will be practically immune to malware, only vulnerable via human error or an AppLocker exploit itself.
 

My Computer

System One

  • OS
    Windows 8.1 Update 1 64bit Pro
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Homebuilt
    CPU
    i5 4670k @ 4.3ghz
    Motherboard
    Asus Z87 Plus
    Memory
    16 Gig 1600 Corsair Vengeance
    Graphics Card(s)
    EVGA GTX 970 FTW ACX2.0
    Sound Card
    Asus Xonar D2X
    Monitor(s) Displays
    BenQ GW2765HT
    Screen Resolution
    2560x1440
    Hard Drives
    Samsung 850 Pro 512 gig, boot. Have other HDD's for storage.
    PSU
    Coolermaster SilentPro M 600W
    Case
    Fractal R4 Design
    Cooling
    2 front intake fans, 1 exhaust fan at back all 140mm
    Internet Speed
    80/20
    Browser
    Multiple
    Antivirus
    ESET v8 AV
    Other Info
    May add missing info later
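The post above makes the point that a default-deny SRP policy for ProgramData, %temp% and the user profile is undermined by vendors that drop fresh updater binaries into exactly those folders, so you end up maintaining whitelists by hand. As an added example (not code from the thread or from any of the vendors named), this PowerShell script inventories executable code under those user-writable locations, checks each file's Authenticode signature, and groups the signed ones by publisher, which shows how many of the exceptions could be covered by a single publisher rule instead of a hash per new binary. It assumes PowerShell 4 on Windows 8.1; the roots, extensions and output path are this example's own choices.

```powershell
# Added example: inventory executables in user-writable locations that a default-deny SRP /
# AppLocker policy would block, so the needed exceptions can be reviewed by signer.
# Assumes Windows 8.1 / PowerShell 4 (Get-FileHash, -File). Paths/extensions are example choices.
param(
    [string[]]$Roots = @($env:ProgramData, $env:TEMP, $env:LOCALAPPDATA, $env:APPDATA),
    [string[]]$Extensions = @('*.exe', '*.dll', '*.scr', '*.com'),
    [string]$OutFile = "$env:USERPROFILE\userwritable-executables.csv"
)

$files = foreach ($root in $Roots | Select-Object -Unique) {
    if (-not (Test-Path $root)) { continue }
    # Access-denied subfolders are skipped rather than aborting the whole walk.
    Get-ChildItem -Path $root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue
}

$inventory = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path     = $f.FullName
        Signer   = $signer
        SigState = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Modified = $f.LastWriteTime
        Hash     = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
    }
}

# Unsigned or tampered files in these locations deserve the closest look; newest first.
$suspect = $inventory | Where-Object { $_.SigState -ne 'Valid' }
"Unsigned / invalid-signature files: $(@($suspect).Count)"
$suspect | Sort-Object Modified -Descending | Select-Object Modified, SigState, Path | Format-Table -AutoSize

# Signed files by publisher: one publisher rule per group instead of one hash rule per release.
"Signed files by publisher:"
$inventory | Where-Object SigState -eq 'Valid' | Group-Object Signer |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Signer'; e = { $_.Name } } | Format-Table -AutoSize

# Full inventory (with SHA-256) for diffing against a later run, which shows newly dropped binaries.
$inventory | Export-Csv -NoTypeInformation -Path $OutFile
```

Keep the CSV from a clean baseline and compare it with a later run; the rows that appear between runs are the freshly generated updaters and scan helpers the post complains about, and the signer column tells you whether a publisher rule would have covered them.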