  • Hardening W7

      • #2211948 Reply
        RMeijer
        AskWoody Plus

        For those who are less than enchanted in exchanging W10 for W7, there is what appears to be a good tool for “Hardening W7”.  Let me know what you think.  Srr

        https://www.cyber.gov.au/sites/default/files/2019-03/Hardening_Win7_SP1.pdf

        5 users thanked author for this post.
      • #2212049 Reply
        Cybertooth
        AskWoody Plus

        This guide looks very comprehensive, thanks for telling us about it!

        I haven’t finished going through it (only on page 12 of 50), but we should note that some of the ideas suggested are not applicable to Windows 7 Home or Pro editions. As the Introduction says,

        This document provides guidance on hardening workstations using Enterprise and Ultimate editions of Microsoft Windows 7 SP1. Some Group Policy settings used in this document may not be available or compatible with Professional, Home Premium, Home Basic or Starter editions of Microsoft Windows 7 SP1.

        However, thus far I’ve learned about a number of things to maybe experiment with on my Windows 7 Home systems, including enabling Data Execution Prevention for all programs and services (and not just those offered by Microsoft) as discussed on page 11. Their description of how to get to that setting, though, isn’t very clear (“the Data Execution Prevention tab within the Performance Options of System Properties”). The path is

        Control Panel --> System Protection --> Advanced tab --> Performance section, Settings button --> Data Execution Prevention tab

        But all in all it looks like, for us Windows 7 diehards, I’ll be able to add a number of useful “new” security measures to the guide that’s listed in my signature.  🙂

        Nice find!

         

        • This reply was modified 2 months ago by Cybertooth.
        3 users thanked author for this post.
      • #2212080 Reply
        Alex5723
        AskWoody Plus

        There is also : Black Viper’s Windows 7 Service Pack 1 Service Configurations

        http://www.blackviper.com/service-configurations/black-vipers-windows-7-service-pack-1-service-configurations/

        3 users thanked author for this post.
      • #2212399 Reply
        anonymous
        Guest

        The hardening document describes the hardened settings in the language of the Group Policy Editor (the thing which IT Departments in organisations would use, so this makes sense), but if you have a Home Premium (or lesser?) version of W7, then it will not have a Group Policy Editor (try typing “gpedit.msc” in the search box).

        It may be possible to achieve the same effect by adjusting the corresponding entry in the Registry using the Registry Editor which is present in W7 Home Premium (try typing “regedit.exe” in the search box).

        Note: Whenever mentioning the Registry Editor it is customary to advise only doing this if you know what you are doing, and to make a backup you can recover from if you make a mistake – so with this note, custom is respected.

        In order to “translate” from Group Policy jargon to corresponding Registry keys, Microsoft themselves provide the Group Policy Search website https://gpsearch.azurewebsites.net/  . I first became aware of this from reading a gHacks article a few years ago – see https://www.ghacks.net/2017/11/07/search-the-group-policy-with-microsofts-gpsearch-web-service/  . (Martin includes the GPSearch link about half way down the article.)

        I have used this once or twice in the past, but not recently, so to remind myself before writing these words, as a test case I used “Remote Assistance” – see page 35 of the Hardening document, because I know where the user control for this is located. I temporarily enabled “Remote Assistance” (Control Panel > System > Remote settings and ticked the “Allow…” tick box), in the hope that the new Group Policy if correctly implemented would override this user setting by unticking the remote assistance “Allow…” tick box again (and probably preventing further user adjustment).

        In GPSearch I searched for “remote assistance” in order to find the Registry keys corresponding to the GP settings on page 35. In the “Search Results” (bottom left – you may need to scroll down), the entries were 4th and 5th. Although the “explanation” is not completely clear I worked out that in the Registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ I needed to add 2 new DWORD entries “fAllowToGetHelp” dword with value 0 and “fAllowUnsolicited” dword with value 0, corresponding to the 2 Disabled settings at the top of page 35 of the Hardening document. After doing this I checked ‘Control Panel > System > Remote settings’ again and the “Allow…” tick box was now unticked and grayed out preventing a user changing the Group Policy setting. This is what I hoped would happen in the previous paragraph. (Deleting these newly added Registry keys restored user control via the Control Panel.)

        So based on this test case it is possible to make an attempt at (at least) some of the recommended hardenings even in the absence of a Group Policy Editor.

        However, even though it appears that things have changed (in the Control Panel GUI in this test case) will the underlying W7 Home Premium software which does not have a Group Policy Editor, actually take any notice of these Group Policy/Registry settings?

        HTH. Garbo.

         

        2 users thanked author for this post.
        • #2223320 Reply
          anonymous
          Guest

          Garbo continues post #2212399 above ….

          As an experiment I tried adding the 2 “remote assistance” policies directly to the Registry in a different W8.1 Pro PC. This appeared to work in that the ‘Control Panel > System > Remote settings’ Remote Assistance tick box was unticked and grayed out unable to be changed from the GUI.

          However, when I opened the Group Policy Editor (it is W8.1 Pro so has a GPE, unlike my W7 PC used above), the corresponding entries (as described on page 35 in the Hardening document) indicated that no Policy was set!

          So it appears as if the GPE GUI does not indicate Group Policies which actually exist (in the Registry and which may have been set up by other means such as the Registry Editor directly), but only indicates policies set up by the GPE itself (and presumably which are recorded somewhere else?). Another example of the Windows left hand not knowing what the Windows right hand has done.

          This means that creating a .reg file with a number of hardening policies which could be “merged” into the Registry of a mixture of Home Premium PCs (with no GPE) and Pro PCs (with GPEs) would be less effective, if the Pro PC GPEs do not indicate the policies which are set up by the .reg file. Oh well …

          HTH. Garbo.

           

          1 user thanked author for this post.
          • #2223331 Reply
            PKCano
            Da Boss

            When I was investigating the disappearing GUI pulldowns for Windows Update in Win10 Pro (1803, 1809 and into 1903/1909) I found that the equivalent settings for a function made in Group Policy and in the GUI were in different locations in the Registry. So setting deferrals in GP and with the GUI pulldowns were (could be) the same values, but in different locations.
            This was around the middle of 2019 (see this thread and a month or so on either side of this time frame).

            Given the availability of both GP and GUI settings (Pro or above), it seems that the settings in the Registry made by GP take precedence over the settings in the Registry made by GUI switches/buttons.

            This was in Win10, but I imagine it is similar in Win7/8.1 as well.

            3 users thanked author for this post.
          • #2223382 Reply
            anonymous
            Guest

            Garbo continues from #2223320 ….

            Using my “remote assistance” test case I’ve investigated further. There are 5 Registry keys containing the setting and policy when set by the Group Policy Editor (GPE) and I believe these are for 3 distinct things:

            1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Remote Assistance (although it might have been the ControlSet002 one) are the ‘Control Panel > System > Remote settings’ controls. (These are what PKCano means by the GUI settings – I think?)
            2. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and (because it is a 64 bit W8.1 PC, not 32 bit) HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Terminal Services which I believe are the actual policy settings which override the settings in 1. above. (These are what PKCano means by GP settings – I think?)
            3. HKEY_USERS\S-1-5-21-2373691261-3686543680-3317219873-1001\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{<magic number>} followed by something similar to 2 above. This is what I meant by GPE GUI setting.

            Now the important thing here is the <magic number> which appears to change every time the GPE is started. Entries added manually by the Registry Editor to the key with the old magic number are not copied across to the new/renamed key with the new magic number when GPE next opens.

            I imagine that this is a security measure of some kind, but it does mean that the GPE GUI does not “see” the Registry Editor policy creation/changes even though they have been made to the keys in 2. above and even though these will probably override the normal Windows GUI settings in the keys in 1. above.

            The GPE GUI (my Windows left hand) does not know what the actual policy (my Windows right hand) really is.

            So I think the best approach having a mixture of PCs with and without GPE, is to make all hardening changes using GPE, use the GPSearch site to find the actual policy keys created by GPE (the 2. keys, not the 3. keys with the <magic number>), export to a .reg file and if necessary edit the .reg file to remove other sub-keys sharing the same key so that the .reg file just contains the essential parts, and finally merge this final .reg file into the Registry of PCs without a GPE.

            Or maybe now is the time to abandon Windows on my old 32 bit PC and finally install that lightweight Linux distribution (such as Xubuntu) which has always been just over the horizon 🙂

            HTH. Garbo.
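
The export-and-trim step described in the post above can be scripted. This is an added example, not part of the original posts: it reduces an exported `.reg` file to the two Remote Assistance policy values named in the thread and reports any that the export does not contain. `ExampleUnrelated`, `ExampleSubKey` and the sample export are constructed placeholders.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
TS_POLICY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft"
             r"\Windows NT\Terminal Services")
# Key and value names as given in the thread.
WANTED = {TS_POLICY: ["fAllowToGetHelp", "fAllowUnsolicited"]}

# Constructed sample export: one unrelated multi-line value and one
# unrelated sub-key share the exported branch with the two policy values.
SAMPLE_EXPORT = "\r\n".join([
    HEADER, "",
    "[" + TS_POLICY + "]",
    '"fAllowToGetHelp"=dword:00000000',
    '"ExampleUnrelated"=hex:01,02,\\',
    '  03,04',
    '"fAllowUnsolicited"=dword:00000000',
    "",
    "[" + TS_POLICY + r"\ExampleSubKey]",
    '"fAllowToGetHelp"=dword:00000001',
    "",
])

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')

def trim_reg(text, wanted=WANTED):
    """Return (minimal .reg text, wanted 'key\\value' names absent from text).
    regedit exports are UTF-16; read the file with encoding="utf-16"."""
    want = {k.lower(): {v.lower() for v in vs} for k, vs in wanted.items()}
    kept, seen = {}, set()
    key, keep, cont = None, False, False
    for line in text.splitlines():
        if cont:                      # remainder of a multi-line hex value
            if keep:
                kept[key].append(line)
            cont = line.rstrip().endswith("\\")
            continue
        m = KEY_RE.match(line)
        if m:                         # only exact key matches, never sub-keys
            key = m.group(1) if m.group(1).lower() in want else None
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue                  # header, blank line or default value
        cont = line.rstrip().endswith("\\")
        keep = key is not None and m.group(1).lower() in want[key.lower()]
        if keep:
            kept.setdefault(key, []).append(line)
            seen.add((key.lower(), m.group(1).lower()))
    missing = [k + "\\" + v for k, vs in wanted.items() for v in vs
               if (k.lower(), v.lower()) not in seen]
    body = "".join("\r\n[%s]\r\n%s\r\n" % (k, "\r\n".join(v))
                   for k, v in kept.items())
    return HEADER + "\r\n" + body, missing
```

A non-empty `missing` list means the export never contained the policy values, so merging the trimmed file on another PC would change nothing.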

             

      • #2212454 Reply
        anonymous
        Guest

        You can download gpedit from Winaero. It works on 7, 8.1 and 10 Home.

        https://winaero.com/blog/enable-gpedit-msc-group-policy-in-windows-10-home/

        • #2212595 Reply
          anonymous
          Guest

          Reply to #2212454 – suspecting that this may not be placed in the correct place on the page based on other recent posts in other threads 🙂

          Thanks for this link. I downloaded the script and ran it (as administrator) on my old W7 Home Premium 32 bit test laptop. It ran to completion (after several stages) and on typing “gpedit.msc” in the Run box, the Group Policy Editor (GPE) started and looked as it does in Pro versions of Windows. So far, so good ….

          I then repeated my test case attempt to disable Remote Assistance (see my post #2212399 above) now using this GPE. In the GPE GUI all seemed to be working, the settings could be changed to Disabled. Closing and re-opening GPE the settings were still Disabled.

          However on checking the Registry using the Registry Editor, the keys which I manually added in #2212399 were not present. On opening ‘Control Panel > System > Remote settings’ the “Allow …” tick box was still ticked and could be adjusted and had not been overridden by the new group policy.

          In case the new group policy only became active on a start-up I re-started the PC. Again the settings were reported as Disabled in the GPE GUI, but these were not in place in the Registry or Control Panel GUI.

          So it seems as if the script does install/restore/activate the Group Policy Editor at least as far as its GUI, and its ability to change and remember settings for display purposes are concerned, but it does not adjust the Registry or make changes to the underlying Windows software outside of the GPE itself.

          Maybe Microsoft have changed things since the script was created?

          BTW: I briefly looked at the “Policy Plus” 3rd party program mentioned on the Winaero page and by a below the line commenter on the gHacks page, but it appears as if this is still a work in progress and only includes options for setting some group policies, not all.

          Thanks anyway. Garbo.

           

          3 users thanked author for this post.
      • #2213675 Reply
        anonymous
        Guest

        This “Winaero” website link has reminded me of an idea I have had in the past to possibly “harden” (or “slim down”) W7 (or possibly other version of Windows).

        Back in the early days of W10 (in 2015 or 2016 or so), Sergey came up with some short scripts using the “uninstall_wim_tweak” tool to uninstall some parts of W10 which a user may not want. For example see https://winaero.com/blog/how-to-uninstall-and-remove-cortana-in-windows-10/  for details of the script to remove Cortana from early versions of W10. (As a counter-measure I believe Microsoft have since changed how Cortana is “packaged” in later versions of W10, so that this approach no longer works. Microsoft do not want users configuring their own PCs, in ways that Microsoft do not want!)

        Anyway this idea of using “install_wim_tweak” to remove Windows packages does still work for currently named packages (even though the words “Microsoft-Windows-Cortana” – see the script at the above link – are not (part of) the name of a current W10 package) and it works in W7 as well as in W10.

        This opens up the possibility of removing W7 “packages” which the PC user does not use, but which may be a security risk to the PC. For example “Remote Assistance” is a potential security risk (as a path for bad guys to get into a PC), so while it could be disabled as indicated in the Hardening document, would it be even more effective to remove the “Remote Assistance” software package completely using “install_wim_tweak”?

        As an experiment I have adapted the script at the above link, replacing “Microsoft-Windows-Cortana” with corresponding words for remote assistance and run this on my old W7 Home Premium 32 bit test laptop. The PC appears to work OK. The “remote assistance” controls in the Control Panel are now unticked and grayed out.

        This approach could be extended to other unused, but potential security risk packages to harden a home W7 PC e.g. remote desktop protocol (if the PC does not need it for “working from home”) or home group (if the PC is not on a local network, file sharing).

        I have resisted this idea in the past because I have worried that removing packages might cause problems on a subsequent “windows update”, if it attempted to update a package that had been removed, potentially leaving an incomplete package in place or breaking/stalling the “windows update” mechanism more widely. However now that W7 is no longer supported (if not following the ESU path), there will not be any further windows updates so this potential problem no longer exists.

        So, are there any other problems with removing Windows 7 (or other Windows versions) packages in this way to produce a “hardened” (or otherwise “slimmed down”) version of Windows?

        Any comments welcome 🙂

        Thanks. Garbo.

         

      • #2213714 Reply
        EP
        AskWoody_MVP

        You may want to someday upgrade your edition from Win7 Home Premium to either Win7 Pro or Win7 Ultimate if you really want to use the “real” group policy editor options.

      • #2213775 Reply
        PaulK
        AskWoody Lounger

        Can’t get there from here, Win 7 Home Premium.

        UpgradeNotAvail

        • #2213791 Reply
          Susan Bradley
          AskWoody MVP

          If you have access to a Windows 7 key, you can enter that in and upgrade to Professional.

          There are still some Windows 7 pro keys online that appear to be valid and legit.  Be careful but I upgraded from Home to pro with the key process.

          Susan Bradley Patch Lady

          1 user thanked author for this post.