Hardening W7

Topic

New Reply

For those who are less than enchanted in exchanging W10 for W7, there is what appears to be a good tool for “Hardening W7.  Let me know what you think.  Srr

https://www.cyber.gov.au/sites/default/files/2019-03/Hardening_Win7_SP1.pdf

5 users thanked author for this post.

Chessie, jburk07, SueW, Cybertooth, satrow

Reply | Quote

Replies

[Cybertooth]

This guide looks very comprehensive, thanks for telling us about it!

I haven’t finished going through it (only on page 12 of 50), but we should note that some of the ideas suggested are not applicable to Windows 7 Home or Pro editions. As the Introduction says,

This document provides guidance on hardening workstations using Enterprise and Ultimate editions of Microsoft Windows 7 SP1. Some Group Policy settings used in this document may not be available or compatible with Professional, Home Premium, Home Basic or Starter editions of Microsoft Windows 7 SP1.

However, thus far I’ve learned about a number of things to maybe experiment with on my Windows 7 Home systems, including enabling Data Execution Prevention for all programs and services (and not just those offered by Microsoft) as discussed on page 11. Their description of how to get to that setting, though, isn’t very clear (“the Data Execution Prevention tab within the Performance Options of System Properties”). The path is

Control Panel --> System Protection --> Advanced tab --> Performance section, Settings button --> Data Execution Prevention tab

But all in all it looks like, for us Windows 7 diehards, I’ll be able to add a number of useful “new” security measures to the guide that’s listed in my signature.  🙂

Nice find!

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

• This reply was modified 5 years ago by Cybertooth.

3 users thanked author for this post.

Chessie, jburk07, SueW

Reply | Quote

There is also : Black Viper’s Windows 7 Service Pack 1 Service Configurations

http://www.blackviper.com/service-configurations/black-vipers-windows-7-service-pack-1-service-configurations/

3 users thanked author for this post.

jburk07, Elly, SueW

Reply | Quote

The hardening document describes the hardened settings in the language of the Group Policy Editor (the thing which IT Departments in organisations would use, so this make sense), but if you have a Home Premium (or lesser?) version of W7, then it will not have a Group Policy Editor (try typing “gpedit.msc” in the search box).

It may be possible to achieve the same effect by adjusting the corresponding entry in the Registry using the Registry Editor which is present in W7 Home Premium (try typing “regedit.exe” in the search box).

Note: Whenever mentioning the Registry Editor it is customary to advise only doing this if you know what you are doing, and to make a backup you can recover from if you make a mistake – so with this note, custom is respected.

In order to “translate” from Group Policy jargon to corresponding Registry keys, Microsoft themselves provide the Group Policy Search website https://gpsearch.azurewebsites.net/  . I first became aware of this from reading a gHacks article a few years ago – see https://www.ghacks.net/2017/11/07/search-the-group-policy-with-microsofts-gpsearch-web-service/  . (Martin includes the GPSearch link about half way down the article.)

I have used this once or twice in the past, but not recently, so to remind myself before writing these words, as a test case I used “Remote Assistance” – see page 35 of the Hardening document, because I know where the user control for this is located. I temporarily enabled “Remote Assistance” (Control Panel > System > Remote settings and ticked the “Allow…” tick box), in the hope that the new Group Policy if correctly implemented would override this user setting by unticking the remote assistance “Allow…” tick box again (and probably preventing further user adjustment).

In GPSearch I searched for “remote assistance” in order to find the Registry keys corresponding to the GP settings on page 35. In the “Search Results” (bottom left – you may need to scroll down), the entries were 4th and 5th. Although the “explanation” is not completely clear I worked out that in the Registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ I needed to add 2 new DWORD entries “fAllowToGetHelp” dword with value 0 and “fAllowUnsolicited” dword with value 0, corresponding to the 2 Disabled settings at the top of page 35 of the Hardening document. After doing this I checked ‘Control Panel > System > Remote settings’ again and the “Allow…” tick box was now unticked and grayed out preventing a user changing the Group Policy setting. This is what I hoped would happen in the previous paragraph. (Deleting these newly added Registry keys restored user control via the Control Panel.)

So based on this test case it is possible to make an attempt at (at least) some of the recommended hardenings even in the absence of a Group Policy Editor.

However, even though it appears that things have changed (in the Control Panel GUI in this test case) will the underlying W7 Home Premium software which does not have a Group Policy Editor, actually take any notice of these Group Policy/Registry settings?

HTH. Garbo.

 

2 users thanked author for this post.

jburk07, Cybertooth

Reply | Quote

Garbo continues post #2212399 above ….

As an experiment I tried adding the 2 “remote assistance” policies directly to the Registry in a different W8.1 Pro PC. This appeared to work in that the ‘Control Panel > System > Remote settings’ Remote Assistance tick box was unticked and grayed out unable to be changed from the GUI.

However, when I opened the Group Policy Editor (it is W8.1 Pro so has a GPE, unlike my W7 PC used above), the corresponding entries (as described on page 35 in the Hardening document) indicated that no Policy was set!

So it appears as if the GPE GUI does not indicate Group Policies which actually exist (in the Registry and which may have been set up by other means such as the Registry Editor directly), but only indicates policies setup by the GPE itself (and presumably which are recorded somewhere else?). Another example of the Windows left hand not knowing what the Windows right hand has done.

This means that creating a .reg file with a number of hardening policies which could be “merged” into the Registry of a mixture of Home Premium PCs (with no GPE) and Pro PCs (with GPEs) would be less effective, if the Pro PC GPEs does not indicate the policies which are setup by the .reg file. Oh well …

HTH. Garbo.

 

1 user thanked author for this post.

Cybertooth

Reply | Quote

When I was investigating the disappearing GUI pulldowns for Windows Update in Win10 Pro (1803, 1809 and into 1903/1909) I found that the equivalent settings for a function made in Group Policy and in the GUI were in different locations in the Registry. So setting deferrals in GP and with the GUI pulldowns were (could be) the same values, but in different locations.
This was around the middle of 2019 (see this thread and a month or so on either side of this time frame).

Given the availability of both GP and GUI settings (Pro or above), it seems that the settings in the Registry made by GP take precedence over the settings in the Registry made by GUI switches/buttons.

This was in Win10, but I imagine it is similar in Win7/8.1 as well.

3 users thanked author for this post.

Elly, Cybertooth, jburk07

Reply | Quote

Garbo continues from #2223320 ….

Using my “remote assistance” test case I’ve investigated further. There are 5 Registry keys containing the setting and policy when set by the Group Policy Editor (GPE) and I believe these are for 3 distinct things:

1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Remote Assistance (although it might have been the ControlSet002 one) are the ‘Control Panel > System > Remote settings’ controls. (These are what PKCano means by the GUI settings – I think?)
2. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and (because it is a 64 bit W8.1 PC, not 32 bit) HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services which I believe are the actual policy settings which override the settings in 1. above. (These are what PKCano means by GP settings – I think?)
3. HKEY_USERS\S-1-5-21-2373691261-3686543680-3317219873-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{<magic number>} followed by something similar to 2 above. This is what I meant by GPE GUI setting.

Now the important thing here is the <magic number> which appears to change everytime the GPE is started. Entries added manually by the Registry Editor to the key with the old magic number are not copied across to the new/renamed key with the new magic number when GPE next opens.

I imagine that this is a security measure of some kind, but it does mean that the GPE GUI does not “see” the Registry Editor policy creation/changes even though they have been made to the keys in 2. above and even though these will probably override the normal Windows GUI settings in the keys in 1. above.

The GPE GUI (my Windows left hand) does not know what the actual policy (my Windows right hand) really is.

So I think the best approach having a mixture of PCs with and without GPE, is to make all hardening changes using GPE, use the GPSearch site to find the actual policy keys created by GPE (the 2. keys, not the 3. keys with the <magic number>), export to a .reg file and if necessary edit the .reg file to remove other sub-keys sharing the same key so that the .reg file just contains the essential parts, and finally merge this final .reg file into the Registry of PCs without a GPE.

Or maybe now is the time to abandon Windows on my old 32 bit PC and finally install that lighweight Linux distribution (such as Xubuntu) which has always been just over the horizon 🙂

HTH. Garbo.

 

Reply | Quote

You can download gpedit from Winaero. It works on 7,8.1 and 10 Home.

https://winaero.com/blog/enable-gpedit-msc-group-policy-in-windows-10-home/

Reply | Quote

Reply to #2212454 – suspecting that this may not be placed in the correct place on the page based on other recent posts in other threads 🙂

Thanks for this link. I downloaded the script and ran it (as administrator) on my old W7 Home Premium 32 bit test laptop. It ran to completion (after several stages) and on typing “gpedit.msc” in the Run box, the Group Policy Editor (GPE) started and looked as it does in Pro versions of Windows. So far, so good ….

I then repeated my test case attempt to disable Remote Assistance (see my post #2212399 above) now using this GPE. In the GPE GUI all seemed to be working, the settings could be changed to Disabled. Closing and re-opening GPE the settings were still Disabled.

However on checking the Registry using the Registry Editor, the keys which I manually added in #2212399 were not present. On opening ‘Control Panel > System > Remote settings’ the “Allow …” tick box was still ticked and could be adjusted and had not been overridden by the new group policy.

In case the new group policy only became active on a start-up I re-started the PC. Again the settings were reported as Disabled in the GPE GUI, but these were not in place in the Registry or Control Panel GUI.

So it seems as if the script does install/restore/activate the Group Policy Editor at least as far as its GUI, and its ability to change and remember settings for display purposes are concerned, but it does not adjust the Registry or make changes to the underlying Windoes software outside of the GPE itself.

Maybe Microsoft have changed things since the script was created?

BTW: I briefly looked at the “Policy Plus” 3rd party program mentioned on the Winaero page and by a below the line commenter on the gHacks page, but it appears as if this is still a work in progress and only includes options for setting some group policies, not all.

Thanks anyway. Garbo.

 

3 users thanked author for this post.

Elly, Cybertooth, jburk07

Reply | Quote

This “Winaero” website link has reminded me of an idea I have had in the past to possibly “harden” (or “slim down”) W7 (or possibly other version of Windows).

Back in the early days of W10 (in 2015 or 2016 or so), Sergey came up with some short scripts using the “uninstall_wim_tweak” tool to uninstall some parts of W10 which a user may not want. For example see https://winaero.com/blog/how-to-uninstall-and-remove-cortana-in-windows-10/  for details of the script to remove Cortana from early versions of W10. (As a counter-measure I believe Microsoft have since changed how Cortana is “packaged” in later versions of W10, so that this approach no longer works. Microsoft do not want users configuring their own PCs, in ways that Microsoft do not want!)

Anyway this idea of using “install_wim_tweak” to remove Windows packages does still work for currently named packages (even though the words “Microsoft-Windows-Cortana” – see the script at the above link – are not (part of) the name of a current W10 package) and it works in W7 as well as in W10.

This opens up the possibility of removing W7 “packages” which the PC user does not use, but which may be a security risk to the PC. For example “Remote Assistance” is a potential security risk (as a path for bad guys to get into a PC), so while it could be disabled as indicated in the Hardening document, would it be even more effective to remove the “Remote Assistance” software package completely using “install_wim_tweak”?

As an experiment I have adapted the script at the above link, replacing “Microsoft-Windows-Cortana” with corresponding words for remote assistance and run this on my old W7 Home Premium 32 bit test laptop. The PC appears to work OK. The “remote assistance” controls in the Control Panel is now unticked and grayed out.

This approach could be extended to other unused, but potential security risk packages to harden a home W7 PC e.g. remote desktop protocol (if the PC does not need it for “working from home”) or home group (if the PC is not on a local network, file sharing).

I have resisted this idea in the past because I have worried that removing packages might cause problems on a subsequent “windows update”, if it attempted to update a package that had been removed, potentially leaving a incomplete package in place or breaking/stalling the “windows update” mechanism more widely. However now that W7 is no longer supported (if not following the ESU path), there will not be any further windows updates so this potential problem no longer exists.

So, are there any other problems with removing Windows 7 (or other Windows versions) packages in this way to produced a “hardened” (or otherwise “slimmed down”) version of Windows?

Any comments welcome 🙂

Thanks. Garbo.

 

Reply | Quote

Since remote desktop protocol uses port 3389, you can create a Windows Firewall rule blocking access to port 3389 as an added precaution. https://www.thewindowsclub.com/block-open-port-windows-8-firewall This process is the same on 7,8 and10.Also, are you aware of abbodi86 script. I tried it and it works. Thanks abbodi86! https://www.askwoody.com/forums/topic/standalone-installer-script-for-windows-7-esu-regardless-the-license/ Since you mentioned Sergey, thanks to him also for Winaero Tweaker, which for me has made Windows 10 enjoyable. https://winaero.com/comment.php?comment.news.1836

Reply | Quote

you may want to someday upgrade your edition from Win7 Home premium to either Win7 Pro or Win7 Ultimate if you really want to use the “real” group policy editor options

Reply | Quote

Can’t get there from here, Win 7 Home Premium.

Reply | Quote

If you have access to a Windows 7 key, you can enter that in and upgrade to Professional.

There are still some Windows 7 pro keys online that appear to be valid and legit.  Be careful but I upgraded from Home to pro with the key process.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Elly

Reply | Quote