I’m in the process of hardening and optimising a Windows 7 build at present. Did you know it has 150+ services now? Windows is officially big.
If you’re interested in this undertaking, I can recommend the Black Viper resource. There are a considerable number of services that can be disabled for most users. That said, you should not take the advice in this or other hardening links at face value. If the recommendations or documentation on a service are insufficient to make your decision, either leave it be or research it further (or both). This is the best opportunity you’ll get to fill any gaps in your knowledge.
Once you think you’ve got it licked, always test, pilot and refine an image. It’s also worth creating a log of your decisions for each service from the start, both as a knowledge base and for tracking changes and differences from default builds. The process of documenting your choice will force you to think it through and will give the question the gravity it deserves. There’s no question this is a laborious undertaking, but it’s a valuable exercise and should yield a build that you’ll be happy with for some time.
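One way to keep the decision log and track differences from a default build, as an added example that is not part of the original post. The file names and the `Decision`/`Reason` columns are assumptions; run it once on an untouched build to capture the baseline, then again on the hardened image.

```powershell
# Added example: diff current service start modes against a default-build baseline
# and join each change to a hand-maintained decision log.
# Assumed files: services-default.csv (baseline) and
# service-decisions.csv with the columns Name,Decision,Reason.
param(
    [string]$BaselineCsv = '.\services-default.csv',
    [string]$DecisionLog = '.\service-decisions.csv'
)

function Get-ServiceSnapshot {
    # Get-WmiObject is available in the PowerShell 2.0 that ships with Windows 7
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartMode, State |
        Sort-Object Name
}

if (-not (Test-Path $BaselineCsv)) {
    # First run on the default build: record the baseline and stop
    Get-ServiceSnapshot | Export-Csv -Path $BaselineCsv -NoTypeInformation
    Write-Output "Baseline written to $BaselineCsv"
    return
}

# Index the baseline and the decision log by service name
$baseline = @{}
Import-Csv $BaselineCsv | ForEach-Object { $baseline[$_.Name] = $_ }
$decisions = @{}
if (Test-Path $DecisionLog) {
    Import-Csv $DecisionLog | ForEach-Object { $decisions[$_.Name] = $_ }
}

$report = foreach ($svc in Get-ServiceSnapshot) {
    $default = $baseline[$svc.Name]
    $defaultMode = if ($default) { $default.StartMode } else { '(not in baseline)' }
    if ($svc.StartMode -ne $defaultMode) {
        $entry = $decisions[$svc.Name]
        New-Object PSObject -Property @{
            Name     = $svc.Name
            Default  = $defaultMode
            Current  = $svc.StartMode
            Decision = $entry.Decision
            Reason   = $entry.Reason   # empty means the change is undocumented
        }
    }
}

# Undocumented changes sort to the top so they get reviewed first
$report | Sort-Object Reason, Name |
    Select-Object Name, Default, Current, Decision, Reason |
    Format-Table -AutoSize
```

Rows with an empty `Reason` are changes from the default build that have no entry in the decision log yet.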
I just assumed a web site called harden windows 7 services would tell me how or at least help me harden windows 7 services… silly me.
Hi Jeff,
This post is really just a pointer to the Black Viper stuff, as that’s such a good resource. It sounds like you want a more general overview of how to do it? You basically need to read about each of these services, gain a decent understanding of them, identify which might be unnecessary in your environment (it differs for everyone based on the hardware and software that you use), then try to turn those services off and test for any issues that they might cause, check event logs for warnings/errors, etc. Then pilot, amend, re-test, etc. Then you should have a default hardening profile (which will need to be updated for some workloads/hardware/users) and it may at some point complicate troubleshooting, especially if the people doing the troubleshooting are unfamiliar with what’s been hardened. And if you’re going to go this far you might want to look more closely at Group Policies for security in more detail and look at some of the things that the Windows Security Configuration Wizard recommends for hardening on servers, as this is a great guide.
Hope that helps. This is one of my earliest blog posts. At the time it was more customary to share links with blogs than it is now that social networks are so commonly used, and this Black Viper link was one of the first resources to talk authoritatively to the new Windows 7 services, very soon after Windows 7 launched – to provide a bit of context.
Cheers,
Tristan