Microsoft Windows (#4732)
The following settings can be applied to Windows systems to enhance the security of the system. Please note that some of these settings may be advanced and you should consult your IT support prior to making any of these changes.
Windows specific settings
- Enable Windows Firewall
Windows Firewall is enabled by default, but you should double check and ensure that it is enabled. In Windows Vista and above, you can find the Firewall settings under Control Panel > System and Security > Windows Firewall.
- Disable Guest Account
If not used, guest accounts should be disabled, as they provide means to access your computer and you cannot set a password on them. Guest accounts are typically disabled by default. To check whether if the guest account is disabled, you can access the account management tool by going to Control Panel > User Accounts > User Accounts > Manage User Accounts > Advanced tab > Advanced. Under the Local Users and Groups management tool, you can open the Users folder, and right click on the Guest account to ensure that the account is disabled.
- Enable Automatic Updates
By default, Windows Automatic Updates is turned on. You should verify and make sure that the automatic updates option is set to on and set to option "Download updates but let me choose whether to install them" or "Install updates automatically". For Windows Vista and above, to check for automatic update settings, go to Control Panel > System and Security > Windows update > Change settings
- Disable auto logon
While auto logon is convenient, it also allows an attacker with physical access to your computer to access any of your files without authentication. If you have automatic logon enabled, you should consider turning it off. To do so, access the user account management tool by going to Control Panel > User Accounts > User Accounts > Manage User Accounts, and check the "Users must enter a user name and password to use this computer" checkbox, and then click OK.
- Rename Administrator and Guest accounts
Renaming the administrator and guest accounts will reduce the likelihood for attackers to compromise these accounts. To change the names of these accounts, you can access the Local Users and Groups management tool under Control Panel > User Accounts > User Accounts > Manage User Accounts > Advanced tab > Advanced. Once there, go into the Users folder, right click on the administrator and / or guest account and choose rename.
- Use a password protected screensaver
A password protected screensaver will minimize the risk of unauthorized access to your computer when you are away, by automatically locking the computer following a period of inactivity. To enable this feature in Windows Vista or above, you can go to Control Panel > Appearance and Personalization > Change Screensaver (under Personalization) > check the "On resume, display logon screen" check box and set the desired inactivity time.
- Lock your computer (Windows + L) when you step away from your desk
In order to prevent tampering with your computer and data, you should always lock your computer when you step away from your desk. For Microsoft Windows, you can quickly lock your computer by pressing the "Windows logo" key in combination with the "L" key.
- Ensure passwords are applied to all accounts on the system
- Disable Unnecessary services
Services like Telnet, Alerter, and Remote Desktop are not always used. If a service is not used, you can turn it off in Windows.
- Disable Anonymous / Null sessions
In older versions of Windows, Anonymous / Null sessions can be used to browse remote computer files, and sometimes even used by attackers to gain access to Windows password databases. Newer versions of Windows have disabled this feature by default, but you should make sure that this feature is not re-enabled on your computer
- Enable auditing of system and security events
This article was updated: 05/03/2013