ASD: Here's how you harden Windows 7 machines after Microsoft's cut-off

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has published a new paper explaining why and how admins can harden Windows 7 PCs against cyber attacks.

Windows 7 and Windows Server 2008 of course reached end-of-life (EOL) on January 14. While home users won’t receive any more patches from Microsoft, enterprise customers can purchase Microsoft’s steeply-priced Windows 7 Extended Security Updates (ESUs).

ACSC’s 44-page paper, “Hardening Microsoft Windows 7 SP1 Workstations”, is aimed at those enterprise customers that didn’t beat Microsoft’s cut-off for migrating off Windows 7.

ACSC offers a concise checklist of 42 actions that are broken down into high, medium and low priorities. It offers clear explanations for why each action should be undertaken and how to do them.

Microsoft will provide Windows 7 security updates to ESU customers until 2022, with prices ranging from US$25 to US$200 per device per year for Windows Pro, Windows E3, and Windows E5 editions. Prices also rise each year, increasing the pressure on customers to migrate.

The largest Australian government contract for Windows 7 ESUs was purchased in late 2019 by the Department of Defence, which has a one year ESU deal that costs a whopping AU$6.1 million -- in taxpayers' money. And the Australian Taxation Office has a one year Windows 7 ESU deal worth almost $1m.  

When Windows 7 support ended, ACSC urged all Australian organizations to migrate Windows 7 machines to Windows 10 and provided three mitigation strategies: negotiating an ESU, implementing Microsoft's Enhanced Mitigation Experience Toolkit (EMET), and applying “basic hardening”, such as disabling “common intrusion vectors such as AutoRun, SMB and NetBIOS services”.

Its new Windows 7 hardening document goes into far more detail. While many security pros will already know much of what’s in there, ACSC’s paper offers a handy checklist of all the things that should be done to prevent ransomware and other malware.

Some of the high priorities include enabling Address Space Layout Randomization (ASLR); hardening apps like Microsoft Office, IE, Mozilla Firefox and Google Chrome; ensuring these apps are still supported on Windows 7; enabling application whitelisting; disabling credential caching (even though caching is convenient); and enforcing a trusted path for credential entry to prevent keylogging malware.

On the browser front, Google has committed to Chrome supporting Windows 7 until at least July 15, 2021. Microsoft also launched its new Chromium-based Edge browser for Windows 7 a day after the OS reached EOL. Mozilla hasn’t said how long it will support Windows 7, but it only pulled the plug on Windows XP in 2018.

ACSC also recommends enabling Data Execution Prevention (DEP) for “all applications and services except those that need to be explicitly excluded for compatibility reasons.”

Admins should adjust the default Windows User Account Control (UAC) settings to mitigate attacks on privileged users.

“The default settings allow privileged users to perform sensitive actions without first providing credentials and while standard users must provide privileged credentials they are not required to do so via a trusted path on the Secure Desktop,” ACSC explains. 

“This provides an opportunity for an adversary that gains access to an open session of a privileged user to perform sensitive actions at will or for malicious code to capture any credentials entered via a standard user when attempting to elevate their privileges. To reduce this risk, UAC functionality should be implemented to ensure all sensitive actions are authorised by providing credentials on the Secure Desktop.”
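As an added example (not from the ACSC paper or this article), the following PowerShell script audits the UAC registry policy values that govern the behaviour described in the quote above and, with `-Enforce`, sets them so that both privileged and standard users must supply credentials on the Secure Desktop. The registry key and value names are Microsoft's documented UAC policy settings; the target values are this example's reading of ACSC's advice, not figures taken from the paper.

```powershell
# Added example: audit/enforce the UAC settings ACSC describes on a Windows 7 SP1
# workstation. Run from an elevated PowerShell prompt on the machine itself.
param([switch]$Enforce)

$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Desired state (this example's interpretation of the ACSC advice):
#   ConsentPromptBehaviorAdmin = 1  -> admins prompted for credentials on the Secure Desktop
#                                      (the default only asks for consent, no credentials)
#   ConsentPromptBehaviorUser  = 1  -> standard users prompted for credentials on the Secure Desktop
#   PromptOnSecureDesktop      = 1  -> elevation prompts switch to the Secure Desktop (trusted path)
#   EnableLUA                  = 1  -> UAC itself is enabled
$Desired = [ordered]@{
    ConsentPromptBehaviorAdmin = 1
    ConsentPromptBehaviorUser  = 1
    PromptOnSecureDesktop      = 1
    EnableLUA                  = 1
}

$drift = @()
foreach ($name in $Desired.Keys) {
    # A missing value means the OS default applies, which is weaker than the desired state.
    $current = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
    $ok = ($null -ne $current) -and ($current -eq $Desired[$name])
    $state = if ($ok) { 'OK   ' } else { 'DRIFT' }
    '{0} {1,-28} current={2} desired={3}' -f $state, $name, $current, $Desired[$name]
    if (-not $ok) { $drift += $name }
}

if ($drift.Count -eq 0) {
    'UAC credential prompting already matches the desired state.'
}
elseif ($Enforce) {
    foreach ($name in $drift) {
        Set-ItemProperty -Path $Key -Name $name -Value $Desired[$name] -Type DWord
        "Set $name = $($Desired[$name])"
    }
    'Changes apply to new elevation prompts; verify with a test elevation from a standard account.'
}
else {
    "Re-run with -Enforce to apply the desired values for: $($drift -join ', ')"
}
```

On domain-joined machines, set these same values through Group Policy (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options) so that a policy refresh does not undo a local change.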

ACSC reiterates its advice that organizations should move to Windows 10 because Microsoft has made it harder for attackers to create reliable exploits for flaws compared to previous versions. 

The document also has advice about password policies. The maximum password age should be 365 days, and the policy should require at least 14 characters and enforce minimum complexity requirements. It notes, though, that a password of 6 characters without complexity requirements could be suitable if the organization is using multi-factor authentication.

Copyright © 2020 IDG Communications, Inc.