Secure a Windows Computer

http://research4.dfci.harvard.edu/pedonc/support/protectwindows.htmlIt is critical for the security and stability of individual workstation computers and the network at large that all systems running Microsoft Windows be secured according to these guidelines before they are connected to the network.

If you are reading these instructions from a Windows computer that may not be secure, please physically disconnect the computer from the network by unplugging its network cable or disconnecting from the wireless network, then use another computer or device that you know to be secure to access these instructions. You can use the QR code on this page to view these instructions on a QR-capable device.

About Partners Workstations

Please note that none of the instructions below apply to Partners Workstations. Partners automatically configures their workstation computers to block viruses and worms, and users should not attempt to perform any of the procedures below on a Partners workstation computer.

Set Secure Passwords and Manage Accounts

Manage Computer
  1. Close all programs, navigate to the Start button, then right-click on Computer and choose Manage.
  2. In the Computer Management window that appears, expand Local Users and Groups, then click on Users.
  3. In the user list on the right, right-click on each username and select Set Password, then set a secure password for each account (if you know that an account already has a secure password, you do not need to reset it). Please be sure to remember any passwords that you set so you do not get locked out of your computer.
  4. Once you have set passwords for each account, double-click Guest to bring up its properties, then make sure that it is disabled and click OK.

Disabling Services

Disable Server
  1. With the Computer Management window still open, expand Services and Applications and select Services.
  2. For each of the following services, double-click on the service in the list, in the window that appears, change their Startup type to Disabled, then click OK:
    • Computer Browser
    • Remote Registry
    • Server
  3. Close the Computer Management window.

Remove File Sharing

  1. Navigate to the Start button, then click Control Panel.
  2. In the Control Panel, open the Network and Sharing Center.
  3. Click on Local Area Connection, then open its properties.
  4. Remove File and Printer Sharing, then apply settings and close all open windows.

Disable Autoplay

Disable Autoplay
  1. Navigate to the Start button, then enter gpedit.msc in the search field and press enter.
  2. In Policy Editor window that appears, expand Administrative Templates, Windows Components, Autoplay Policies.
  3. Double-click Turn Off Autoplay.
  4. Click enabled, then select All drives and click OK.
  5. Close all open windows.

Download Critical Updates

  1. Once you have completed the steps above, restart your computer, log in, and connect it to the DFCI/Partners ethernet network or phswifi3.
  2. Navigate to the Start button, then type Update in the search field and click Windows Update in the list of results.
  3. In the left pane of the window that appears, click Check for Updates (it may take a few moments for Windows to find available updates).
  4. If Windows indicates that updates are available, click the message to view the updates available.
  5. Select all available updates and click OK.
  6. Click Install updates. Wait while Windows downloads and installs updates, then restart you computer when prompted/when the updates are downloaded.
  7. Repeat the above steps until Windows reports that no additional updates are available (you may have to repeat the above procedure several times).